
How can non-executive directors enhance cybersecurity risk governance?

Anthony Stevens |

November 15, 2022


Global cybercrime damages are expected to reach USD 7 trillion in 2022. If left unchecked, the cost of cyber damages could rise to USD 10.5 trillion by 2025. There is an urgent need for cybersecurity risk management. But is the board of directors aligned with this thinking?

Where’s the gap?

While the responsibility to oversee cybersecurity lies squarely with the board of directors, it often slips down their list of priorities. As the board deals with cost pressures, profit margins, mergers & acquisitions, and a fiercely competitive market, cybersecurity unfortunately takes a backseat. Until now, perhaps?

There is some evidence that directors over 55 years of age are more complacent when it comes to cybersecurity. They may believe that the Board’s involvement in cybersecurity is sufficient even when it is not. It is quite possible that this complacency has stemmed from the directors’ lack of experience in cybersecurity.

The other challenge is that cybersecurity has often been presented as a technology risk rather than a business risk. This has pushed the Board to prioritise other challenges, leaving the technology team to deal with cybersecurity risk management on its own.

The board of directors needs to be involved in cybersecurity risk governance

Even if in the past the Board of Directors has taken a lax approach to cybersecurity, this approach is no longer practical. Gartner’s 2021 Board of Directors survey reveals promising statistics. According to the survey, 88% of directors view cybersecurity as a business risk. But before we all rejoice in this transformation, the reality is that only 12% of boards of directors have a dedicated board-level cybersecurity committee.

The staggering influx of cyber attacks should be a wake-up call to directors to not just identify cybersecurity as a business risk but also take concrete measures towards effective cybersecurity risk management. And this begins with two-way communication between the Board and the technology team handling the nuts and bolts.

The Board needs to ask the right questions: how customer information is being stored, how the security budget is being utilised, what risk analysis has been performed, and which cybersecurity risk management initiatives are under way. At the same time, the right information and insights related to cybersecurity must reach the Board.

Creating more awareness of the need for cybersecurity risk management

The Australian Institute of Company Directors (AICD) and Cyber Security Co-operative Research Centre (CSCRC) have jointly published five cyber security governance principles for all Australian organisations. These five principles can act as a roadmap for directors of SMEs on how to approach cybersecurity risk management in the organisation. Here are the principles.

1. Set clear roles and responsibilities

When roles and responsibilities are clearly defined, the board of directors can exercise effective oversight of cyber security risk. We need to remember that the fast-evolving threat landscape will always cast a shadow of uncertainty over the operations of an organisation, no matter how well-resourced those operations are. Setting clear roles and responsibilities for everyone involved, from the top of the organisation’s hierarchy to the bottom, helps in building better cyber resilience.

2. Develop, implement, and evaluate a comprehensive cyber strategy

When the board is proactively involved in overseeing the cyber strategy, it can help identify opportunities to improve cybersecurity maturity. Identifying the key security areas and understanding the business implications of the threat to these areas form the foundation of enhanced cybersecurity capabilities.

3. Embed cybersecurity in existing risk management practices

As mentioned above, cybersecurity needs to be viewed as a business risk rather than a technology risk. It is an operational risk that should be included in the organisation’s existing risk management practices. However, the board also needs to regularly assess the effectiveness of the controls being employed to manage cyber risks, take into account the changing environment, and decide how to pivot cybersecurity risk management accordingly.

4. Promote a culture of cyber resilience

A top-down approach to cyber resilience needs the involvement of the board. Directors need to promote and encourage a mindset within the organisation that is aligned with cybersecurity and cyber resilience. Creating and sustaining awareness through regular training is key to promoting a culture of cyber resilience.

5. Plan for a significant cybersecurity incident

Even with a robust cybersecurity strategy, every organisation remains vulnerable to cyber attacks. The board should be actively involved in preparing for a cybersecurity incident. A cybersecurity incident can be damaging to an organisation’s brand image. Hence, the board of directors should be involved in planning for such an incident and also in ensuring that the incident is duly responded to and the damage is contained and eradicated in time.

Final thoughts

Organisations still need to build more rigour into cybersecurity risk management with support from the Board, but the trend appears to be gaining momentum. According to a Cybersecurity Ventures report, by 2025, 35% of Fortune 500 companies will have board members with experience in cybersecurity. This number is likely to rise to 50% by 2031. The prediction shows that cybersecurity is on track to becoming a mainstream priority, which is the need of the hour.