“Techies often hate to be questioned, they’ll tell you they’ve got it covered,” Tilley says. “But at the board level you are responsible for the entire business, so you have a responsibility to educate yourself so you can dig deeper.
“Being told that they’ve blocked so many thousand attacks doesn’t really mean much; you need to know how well the business is prepared to repel that one attack that could actually take you down.”
The Australian Signals Directorate’s “essential eight” list of baseline strategies to mitigate cyber security incidents is a solid starting point when looking for useful metrics to evaluate an organisation’s cyber security posture. They include implementing application control to prevent execution of unapproved/malicious programs, undertaking security patching, restricting administrative privileges, enabling multi-factor authentication and running daily back-ups.
“As a board member you don’t necessarily have to understand the technical detail behind all of them, but asking how you’re tracking against this government advice when speaking to your people can offer some useful insight,” Tilley says.
Educating senior management and executives across Victoria University was one of the key initiatives of the Cyber Safe VU Program, which Nitin Singh commissioned and led when he took on the job as Victoria University’s director for IT security (chief information security officer) three years ago.
Formerly an Ernst & Young senior manager specialising in IT risk and assurance, Singh has worked with many senior executives to raise both their awareness and knowledge of cyber security risks and opportunities.
“Awareness has definitely increased, but the knowledge of what it means to their business and potential impact can still be lacking,” Singh says. “Some boards still have the view that if they’ve hired someone like a chief information security officer then they’ve fulfilled their security obligations and everything is taken care of.
“As an executive you obviously need to have confidence that these people are going to provide you with solid advice and guidance, but the responsibility lies with you as a business executive to ensure that it is being implemented within the business.”
Singh has formed a critical incident response team made up of Victoria University executives, and part of his cyber security education program involves running tabletop cyber security exercises to educate executives across the university – from marketing to student administration – on what to do when a cyber incident happens.
Splitting the group into a team of cyber attackers and defenders, Singh took them through two scenarios that simulated a ransomware attack and an intruder compromising the university’s systems.
Such exercises can help executives overcome the common misconception that their organisation is not worth attacking or has nothing of value, says SecureWorks’ Tilley.
Executives can fail to appreciate the breadth of interest that nation states have in different sectors, the blurring of the line between political and industrial espionage, and the fact that a cyber incident may be a stepping stone in an attack against another organisation.
“My background is in dealing with crime,” Tilley says. “We like to say that everything has value to someone somewhere, you just don’t necessarily know what it is.”