Board directorship: mindset shift

I had a great week at the AICD’s Company Directors Course learning about governance, risk, strategy, legal environment, financial literacy, performance and achieving board effectiveness.

I particularly liked the interactive discussions and case studies, which gave us practice in ethical decision-making, in applying the concepts and in adopting the director mindset.

Overall, I thought the course was very thorough – there was a serious amount of pre-reading and three tough assessments to earn Graduate status and the GAICD post-nominal. The learning outcomes ranged from interpreting financial statements to building an effective Board culture.

It was reassuring to see an increased focus on cyber security and data privacy: essential areas in which every director needs a foundational level of understanding.

When it comes to data protection in Australia, the key legislation is the Privacy Act 1988 (Cth), which contains two regimes every director should know about:

1. Australian Privacy Principle 11 (security of personal information) requires an organisation to take reasonable steps to protect the personal information it holds about members from misuse, interference and loss, and from unauthorised access, modification or disclosure.

2. The Notifiable Data Breaches (NDB) scheme requires an organisation to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of an eligible data breach: unauthorised access to, disclosure or loss of members' personal information that is likely to result in serious harm to any of the individuals concerned. An organisation that merely suspects such a breach must assess it promptly (the Act requires all reasonable steps to complete that assessment within 30 days), and notification must be made as soon as practicable once the breach is confirmed.

As a Board member, it's important to ask better questions and have robust discussions. For example, in the event of a data breach, some of the questions you can ask your management team are:

1. What weaknesses in our systems were exploited in this incident, and how are they being fixed to prevent a recurrence?

2. Was personal or financial information of our members accessed? What steps have been taken to establish this, and to reduce the potential harm to the people affected?

3. What steps have been taken to contain the compromised systems and secure the data they hold?

4. What has been communicated to affected members, and how is the potential disclosure of their data being handled?

The Board and the executive team also focus on different things during a cyber incident.

Key actions for management may include:

1. Engage regulators. Fulfil the compliance obligations around assessing whether the breach is notifiable and notifying the regulator and affected members.

2. Seek external advice and commission a forensic investigation to understand the extent of the compromise and the type of data accessed.

3. Establish the root cause and implement countermeasures to prevent similar incidents going forward.

4. Review and update incident response plans. Document lessons learned and propose enhancements that improve cyber resilience.

5. Implement ongoing cyber security training for employees. Regular training improves understanding of common risks, such as phishing and social engineering, so that all staff are ready to identify and report suspicious activity.

Key actions for Board may include:

1. Instil a culture of cyber security and ongoing reporting. Request regular reporting on key cyber security metrics, incidents and remediation progress, so that cyber security becomes part of the fabric of the organisation's culture and every staff member appreciates their role in keeping data safe.

2. Authorise the allocation of sufficient resources, both financial and human, to strengthen the organisation's cyber security posture.

3. Undertake ongoing cyber security education as a Board. A sufficiently cyber-aware board is more likely to ask better questions, oversee cyber security risk management practices effectively and make informed decisions.

As you can see, the actions for Board and Management are different. This is one of the key insights from the course: Directors are responsible for overall direction, risk, policy and oversight, while Executives are primarily concerned with achieving the goals and KPIs set by the Board. For a director with extensive executive experience, this requires an adjustment from an action orientation to one of influencing, guiding and mentoring.
