Friday, 12 July 2024

It’s a given that effective Boards govern by consensus – most of the time anyway. One common exception, though, is in relation to cybersecurity. It’s a problem unlike most others in the business world.

For one thing, it occurs in the context of fear. You would think this would prompt businesses to take decisive action, fearing a cyberattack might be imminent. Unfortunately, it doesn’t. Perhaps it’s because the threat is ill-defined and could be carried out by anyone, anywhere, any time. The threat lacks immediacy. Perhaps it’s because cyber attacks are perceived to be rare events. As such, many still believe ‘it can’t happen to me’. Perhaps it’s the intangible nature of the threat. Unlike physical security, the threat from cyber criminals is largely invisible and for many, not well understood.

Whatever the reason, boards often don’t appreciate the value that cybersecurity offers. And in the constant competition for the resources in their hands – time, attention, and investment – operational issues often win out. For all these reasons cybersecurity is often described as a ‘wicked problem’ – a problem with so many variable and interdependent factors that it seems impossible to solve.

Operational issues are urgent, present, visible, and easily understood. Cyber issues are the opposite – often seen as theoretical and hypothetical. It follows then, that cyber professionals are often regarded as preparing for an event that some consider may never happen.

So, on this subject, how do we find consensus? As technical and process-driven as the problem is, the answer may lie in establishing ways for the two groups – boards and cybersecurity risk managers – to communicate with each other. An example could be through a dedicated risk management committee and/or a clearly defined decision-making process that includes board visibility.
And when you consider the board’s statutory duty to take responsibility for risk management, our answer surely lies in the development of a cybersecurity strategy focused on risk.

But before we can find agreement on a cybersecurity strategy, we need to agree on what harm looks like for the organisation. What threats do we face in terms of likelihood and impact? Also, what are the benefits of true risk management over preparing for a risk often perceived as a ‘just in case’ scenario?

This is where the experts make the intangible tangible, with objective assessment, identified vulnerabilities, quantified risks and manageable solutions. Our experience tells us that effective risk management solutions need to consider people, process and technology elements, with people and process being the most important.

In the realm of cybersecurity, the adage ‘She’ll be right, mate’ will leave organisations prone both to a cyber breach and, most worryingly, to regulatory and legal action with respect to director duties under the Corporations Act, notifiable data breaches under the Privacy Act and, increasingly, class actions from shareholders and individuals who are impacted by data breaches.