CyberProof

Cyber Security Governance Principles: Key Insights from the 2nd Edition

“Cyber Security Governance Principles 2nd Edition” is a guide for Australian directors on best practices for cyber security oversight.

It outlines five key principles:

1) establishing clear roles and responsibilities,

2) developing a comprehensive cyber strategy,

3) embedding cybersecurity into existing risk management,

4) fostering a culture of cyber resilience, and

5) planning for significant cyber incidents.

Each principle includes key points, governance red flags, and director reflections from prominent Australian leaders, illustrating practical applications.

The guide also addresses relevant legal obligations, regulatory requirements, and the evolving threat landscape, with particular attention to small and medium enterprises (SMEs) and not-for-profits (NFPs). Its ultimate purpose is to help directors meet their cyber security obligations and build organisational resilience.

The document stresses the importance of practical actions and the need for ongoing evaluation and adaptation to meet evolving threats.

Key Themes

Heightened Threat Environment

The document highlights a rapidly evolving threat landscape in Australia. Cybercrime reports are increasing, and methods once limited to sophisticated state-based actors are becoming accessible to criminal syndicates. Ransomware and data theft pose significant threats to organisations of all sizes.

Stronger Regulatory Landscape

Recent Australian government initiatives, such as the 2023-2030 Australian Cyber Security Strategy, the Cyber Security Act, and the enhanced Security of Critical Infrastructure (SOCI) regime, are setting higher standards for cyber security governance.

Proactive Cyber Strategy as Business Enabler

The principles emphasise the need for a comprehensive and evolving cyber strategy proactively overseen by the board. This strategy should focus on identifying key digital assets, understanding vulnerabilities, and enhancing cyber capabilities.

Embedding Cyber Security into Existing Risk Management

The document advocates for integrating cyber security considerations into existing risk management frameworks. This includes defining a clear cyber risk appetite, establishing robust controls, and proactively managing cyber supply chain risks.

Promoting a Culture of Cyber Resilience

It is crucial to create a cyber security mindset from the top down. This involves fostering awareness, providing training, and emphasising individual responsibility for cyber resilience throughout the organisation, including suppliers.

Planning for Significant Cyber Incidents

Organisations must have comprehensive incident response plans in place, including clear roles and responsibilities, communication protocols, and recovery procedures.

The “Cyber Security Governance Principles 2nd Edition” provides a comprehensive framework for Australian organisations to enhance their cyber resilience in the face of a dynamic and increasingly dangerous threat landscape.

It emphasises the board’s crucial role in setting a strong cyber security culture, developing a proactive strategy, embedding security into existing risk management practices, and planning for potential cyber incidents.

Key Principles:

Principle 1: Set Clear Roles and Responsibilities:

Board Oversight: The board is responsible for overseeing cyber security, even without specialist knowledge.

Management Accountability: A designated management team member should have primary responsibility for cyber security.

External Providers: Due diligence and ongoing monitoring of third-party suppliers are essential, as the organisation remains ultimately responsible for the failings of its suppliers.

Red Flag: “Lack of clear lines of management responsibility for cyber security.”

Principle 2: Develop, Implement, and Evolve a Comprehensive Cyber Strategy:

Key Components: Identify key digital assets and establish a data governance framework, assess and enhance internal capabilities, and manage third-party supplier risk.

Data Lifecycle Management: Securely collect, store, use, share, and destroy sensitive data. Encrypt sensitive data at rest and in transit.

Practical Enhancements for SMEs: Australian Signals Directorate (ASD) guidance emphasises practical and accessible enhancements such as multi-factor authentication, patching, and staff training.

Red Flag: “Limited understanding of the location of key digital assets and data, who has access and how they are protected.”

Principle 3: Embed Cyber Security in Existing Risk Management Practices:

Define Cyber Risk Appetite: The board must determine the level of cyber risk the organisation is willing to accept in achieving its objectives.

Implement Robust Controls: Utilise key cyber security approaches like Zero Trust, Least Privilege, and Secure-by-Design principles.

Manage Supply Chain Risk: Identify key suppliers, conduct due diligence, and establish clear contractual obligations regarding cyber security.

Red Flag: “The cyber strategy and risk controls are not subject to internal and external evaluation and periodic refinement relative to evolving threats.”

Principle 4: Promote a Culture of Cyber Resilience:

Leadership and Culture: The board and senior management must set the tone for a cyber-aware and resilient culture.

Training and Awareness: Regular training programs and awareness campaigns tailored to different roles are crucial.

Focus on Key Staff and Contractors: Individuals with access to sensitive data require extra scrutiny and training.

Red Flag: “Cyber risk and cyber strategy not featuring regularly on board agendas.”

Principle 5: Plan for a Significant Cyber Security Incident:

Develop a Comprehensive Response Plan: Clearly define roles, responsibilities, communication protocols, recovery procedures, and considerations for employee wellbeing.

Remediation: Go beyond legal minimums to rebuild customer trust through proactive communication and compensation.

Toll Group Case Study: Highlights the potential for cyber incidents to threaten solvency and the importance of independent cyber assurance.

Red Flag: “Board not annually reviewing skills to ensure that directors have an appropriate understanding of cyber security risk.”

By: Fouzan Shaikh

Founder & Delivery Head, CyberProof

fouzan.saikh@cyberproof.au
