Rethinking how to engage Australian directors in security budget discussions
Posted: Tuesday, May 16

i 3 Table of Contents

Rethinking how to engage Australian directors in security budget discussions

Boards globally are concerning themselves with issues of cybersecurity: 93% of organisations, boards and directors are asking questions about protection levels and capabilities, according to a recent survey, but what they agree to invest in may not necessarily align with needs.

There are signs that Australia may also be an outlier in this respect; separate research by PwC found that in Australian organisations, the CEO is the top stakeholder for cybersecurity teams to engage with, whereas globally it’s the Board. “This may indicate… that [security] teams do not understand the importance of Board reporting,” PwC wrote.

In Australian organisations where cybersecurity has made it to Board level, attitudes vary. A survey of directors found cybersecurity is a “high priority” issue for 72%, but only 39% had made cybersecurity “a specific focus of a Board committee”.

Engagement dwindled further once directors were asked to characterise their oversight and understanding of cybersecurity issues. A shade over one in three “receive regular reporting on internal training and testing” from their security teams; only 23% of directors have specific cyber skills; and less than half get any training in cyber risk once they’re sitting on a Board.

These trends are even more pronounced when it comes to some of Australia’s largest companies: a review of directors of ASX100 companies found “less than 1% have cyber experience and 16% have general technology experience.” 80% of directors on Boards “have neither cyber nor technology backgrounds.” 

 

Talking the talk

What this succinctly explains is the challenge facing CISOs when approaching Boards for budget, both for sustainment and cybersecurity enhancement programs.

In the current economic climate, few organisations and teams are escaping scrutiny of their spend, hiring practices, and their strategic impact on business objectives. 

While investing in an expansive cybersecurity program may seem a prerequisite for modern enterprises that participate in a digital-, cloud- and internet-first world, this comes at a cost, and the return on investment may not be straightforward or easy to measure. 

But C-Suite leaders and directors need to clearly understand the risks and projected outcomes from investments in cybersecurity initiatives, for them to continue to approve funding. 

CISOs fronting boards need to take into account the varying levels of technical knowledge and understanding, and make an effort to communicate clearly, with accessibility and explainability driving the discussion. They need to be able to take the intimidation factor out of the equation and get everyone speaking the same language. 

In addition, CISOs need to be able to describe the magnitude of the response required to address risk – a proposed cybersecurity program, for example: what needs protecting, and which workers need the tools to deliver operational excellence in the safest way possible.

 

Tied to trust

One way of explaining cybersecurity in an investable way is to elevate the discussion to a common interest of all parties: the paying customer.

Security leaders wear many hats, but one that’s overlooked (often until it’s too late) is that they are essentially the custodians of customer trust. The impact of a cybersecurity program on customer trust and brand loyalty has become more important than ever. Even a relatively small data breach can cause an exodus of customers to occur.

Customers (rightly) expect that their security and privacy is prioritised when interacting or transacting with a company. Over 80% stop engaging with brands that get breached. Organisations are more customer-focused than ever before, and are generally very keen to prioritise customer lifetime value in their decision-making. Marketers, for example, fiercely keep unsubscribe rates low because they know that having a disengaged customer has a direct revenue impact.

It pays for CISOs to be able to make the same linkage between cybersecurity investments, maintenance of customer trust, and the direct revenue impact that any negative shift in that space would have. 

By aligning a company’s stringent security practices with core brand values around customer focus, CISOs can send a clear message that customers can rely on them for data privacy and protection, and budget is, in turn, required to maintain that.

 

Training the next uplift

Another area of common ground is likely to be cybersecurity education. Security leaders know first-hand the challenge of addressing deep cybersecurity issues when personnel are inadequately upskilled.

A good time for directors to engage in cyber risk training is a good time to upskill other business units and teams as well. 

With vulnerability management among the top three concerns for many CISOs, it makes sense that developers are an integral part of any training budget. They need hands-on education to tackle common security bugs head-on, helping them eliminate these issues at the source and ensure others never make it to production in the first place. We’re now at the point where we cannot keep excusing low-quality, insecure code, and upskilling the development cohort is by far the most cost-effective, potent remedy for code-level vulnerabilities.

It’s vital that CISOs fight to retain existing budgets and detail the benefits of role-based security upskilling. Especially for developers, it’s a quicker win than adding the next “silver bullet” to an unwieldy security tech stack.

Matias Madou
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realised that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Share This