Cybersecurity top of board risk list
Tony Featherstone | Excerpt from Australian Institute of Company Directors update | February 2017
Many boards and CEOs are insufficiently involved in managing cyber risk, according to a new Accenture report, The Cyber-committed CEO and board. This is despite cyber risk being considered by most company boards to be a high priority.
The study polled executives across 12 industries and 15 countries. It found that 70 per cent of respondents agreed that “cyber security at our organization is a board-level concern and supported by our highest-level executives”.
The level of preparedness, however, appears to be low. The study found that only 32 per cent of the companies surveyed had competent cyber-attack scenarios and only 27 per cent had prepared for risks related to high value assets and business processes. Only 32 per cent competently monitored business-relevant threats.
The level of preparedness and co-ordination is also poor. According to the Accenture study, only 34 per cent of companies have cyber incident ‘escalation paths’ (ability to involve appropriate stakeholders) and only 32 per cent have the ability to ensure stakeholder involvement.
The solution, says the report, is a high level of engagement by both the board and the CEO.
“That means not shying away from or fearing cyber risk because it is new or they do not understand security,” the report says.
“The CEO needs to understand security, and manage it like any other business risk.”
The Accenture report says a precondition of sound strategic engagement by boards and the CEO is to measure and communicate security risk in non-technical business terms. It is important to identify threats to the most important lines of business, consider the strategic options when looking to manage risks and identify what decisions or actions are required from the board.