The latest enterprise risk management news from around the world

A University of Queensland study has identified a need to prioritize cyber security training for board directors, to better protect Australian organizations from cyber attacks.

Dr Ivano Bongiovanni from the UQ Business School said his research found that board directors were not always sure about their duties and liability for cyber security, and often did not fully understand its importance.

“We interviewed non-executive directors of 43 organizations about cyber security; a lot of uncertainty emerged in terms of current best practices or industry guidelines for cybersecurity strategies,” said Dr Bongiovanni. “There is a misleading perception of cyber security being a purely technical topic and directors weren’t engaged or confident talking about it. Considering the responsibility to oversee cyber risk management in modern organizations lies with their board of directors, an uplift of cyber-skills at the board level is necessary.”

The study calls for clearer regulations and reporting practices and for cyber security training to be made a priority for all board directors.

Director of Cybersecurity at UQ and the Australian cyber emergency response team AusCERT, Dr David Stockdale, said the study showed Australia has some work to do for boards to include cyber security in their enterprise risk management activities.

Read the paper, ‘Governing cybersecurity from the boardroom: Challenges, drivers, and ways ahead’.

Abstract (verbatim)

Overall, the responsibility to oversee cyber-risk management in modern organisations lies with Boards of Directors. However, evidence suggests that boards are not nearly as engaged in cybersecurity as they are in other areas of oversight. Through the lens of neo-institutional theory, we investigated key drivers and major impediments to directors’ engagement with cybersecurity. We conducted 18 interviews with non-executive directors from 43 organisations to cast light on current cybersecurity practices and on the factors that drive directors’ engagement. Our findings emphasise that regulations are the most influential driver (coercive pressures). However, directors are not always completely aware of their duties and liability concerning cybersecurity oversight. Further, our study highlights that personal experience and background shape a director's engagement with cybersecurity (normative forces). Our analysis also shows a frequent over-reliance on a single board member with cyber-experience. Lastly, the secrecy that characterises cybersecurity reduces the opportunity for directors to replicate best practices across organisations (mimetic forces). Directors’ engagement with cybersecurity is marginally driven by holding multiple board roles and by the influence of external consultants. A stronger role is played by the mediatic nature of some cyber-breaches and by a prominent “push reporting” approach in cybersecurity (organisational factors). We offer a series of evidence-based practical recommendations to enhance directors’ engagement in this crucial area, ranging from strengthening existing regulations, to codifying best practices in cyber-reporting.

Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.