A University of Queensland study has identified a need to prioritize cyber security training for board directors, to better protect Australian organizations from cyber attacks.
Dr Ivano Bongiovanni from the UQ Business School said his research found that board directors were not always sure about their duties and liability for cyber security, and often did not fully understand its importance.
“We interviewed non-executive directors of 43 organizations about cyber security; a lot of uncertainty emerged in terms of current best practices or industry guidelines for cybersecurity strategies,” said Dr Bongiovanni. “There is a misleading perception of cyber security being a purely technical topic and directors weren’t engaged or confident talking about it. Considering the responsibility to oversee cyber risk management in modern organizations lies with their board of directors, an uplift of cyber-skills at the board level is necessary.”
The study calls for clearer regulations and reporting practices and for cyber security training to be made a priority for all board directors.
Dr David Stockdale, Director of Cybersecurity at UQ and of the Australian cyber emergency response team AusCERT, said the study showed Australia has some work to do before boards routinely include cyber security in their enterprise risk management activities.
Overall, the responsibility to oversee cyber-risk management in modern organisations lies with boards of directors. However, evidence suggests that boards are not nearly as engaged in cybersecurity as they are in other areas of oversight. Through the lens of neo-institutional theory, we investigated key drivers of and major impediments to directors’ engagement with cybersecurity. We conducted 18 interviews with non-executive directors from 43 organisations to cast light on current cybersecurity practices and on the factors that drive directors’ engagement. Our findings emphasise that regulations are the most influential driver (coercive pressures). However, directors are not always completely aware of their duties and liability concerning cybersecurity oversight. Further, our study highlights that personal experience and background shape a director’s engagement with cybersecurity (normative forces). Our analysis also shows a frequent over-reliance on a single board member with cyber experience. Lastly, the secrecy that characterises cybersecurity reduces the opportunity for directors to replicate best practices across organisations (mimetic forces). Directors’ engagement with cybersecurity is only marginally driven by holding multiple board roles and by the influence of external consultants. A stronger role is played by the media coverage that some cyber breaches attract and by a prevailing “push reporting” approach in cybersecurity, in which directors receive only what management chooses to report (organisational factors). We offer a series of evidence-based practical recommendations to enhance directors’ engagement in this crucial area, ranging from strengthening existing regulations to codifying best practices in cyber reporting.