By Joseph Dalessandro, Head of Security, Technology Audit & Audit Data Analytics, Australian Unity
The ongoing problem that boards of directors in most organisations face today is how to judge cybersecurity governance and compliance. At a simplistic level, judgement implies prediction. To boards, the balancing act between spending on risk, controls effectiveness and assurance seems elusive for cybersecurity compared with other disciplines such as finance, where evidence-based decision-making is more traditional. Is it possible for the organisation to get its arms around the domains of security in a meaningful way, both to ease board discomfort and to provide assurance (or reassurance) of cybersecurity compliance? The answer is ‘yes’.

Boards of directors, particularly those of regulated entities and banks, are habituated to receiving compliance reporting as part of their organisational reporting and decision-making data. Interestingly, in the area of IT, the compliance and controls-effectiveness testing undertaken for financial audits was the first point of contact for many boards, given the potential impact of IT failures on financial reporting obligations. With the rise in cybercrime, and the success of many criminal enterprises in mainstreaming their focus on areas such as phishing, ransomware and mass-market fraud, boards and executives have almost daily reminders of the financial, organisational and reputational risk presented by cybersecurity. Yet, as cybersecurity is different from IT, boards are now calling for cybersecurity to be reported differently from IT. Boards and board sub-committees now routinely hold meetings dedicated to reporting on cybersecurity risk, controls, events and governance.
An Osterman Research survey commissioned by Bay Dynamics notes that “the majority (85 percent) of board members believe that IT and security executives need to improve the way they report to the board.” The Osterman report goes on to list the most important reporting points from its research, which indicate what boards and executives want:

• Reports in understandable language that does not require board members to be cyber experts.
• Quantitative information about cyber risks.
• Progress that has been and is being made to address the company’s cyber risk.

Why is cybersecurity struggling to report on these points and to represent a holistic picture of compliance? While there are several reasons for this, I would like to explore two main points: regulations and tools.
Cybersecurity compliance standards, unlike other industry standards, have developed over time with different levels of detail, requirements, and goals to judge or assess the same areas