January 02, 2024

Is corporate governance an underrated cyber security success factor?

Bruce Irwin
Principal Consultant, Cyber Security and Risk, Business Aspect

In an era where digital connectivity is interwoven into the operations of almost every organisation, cyber security is a paramount concern. As data breaches, hacking, and digital threats increasingly make headlines, organisations seek to safeguard their digital frontiers. However, amidst the rush to deploy the latest cyber security tools and technology, there still lies a question about the role and criticality of corporate governance in cyber security. Are organisations taking it seriously or just pulling together a document in a “tick-the-box” exercise without thinking it will really help?

A reactive approach: The problem with quick fixes

With the constant pressure that organisations feel to be seen as “doing something about security”, it’s easy to surrender to the allure of the ‘quick fix’ syndrome. A swift purchase of state-of-the-art or best-of-breed cyber security solutions can present an ostensibly solid way to bolster cyber defences and signal to the organisation that it is on top of its security game. However, this approach has led to increasing complexity in the overall security environment, with overlapping solutions that aren’t integrated with one another. High-tech tools and software might fend off attacks, but are they potent enough to curb issues stemming from governance laxity?

Given this context, it’s prudent to question whether corporate governance is an underrated cyber security success factor. Is it time organisations revisited their governance processes before they channel resources into yet another solution?

In the complex risk management landscape, McKinsey pointed out that “A reactive approach to risks remains too common, with action taken only after things go wrong.” So, instead of devoting time and energy to a strategic analysis of risks and how to mitigate them, organisations find it easier, quicker, and more appealing to address risks as and when they surface.

Cyber security, unfortunately, has fallen prey to this short-term outlook. The boom in technology solutions over the past few years has fed into the perception that cyber security equals action – and the more immediate, the better. Anecdotally, what takes precedence is procuring the latest cyber security solution to prevent malicious activity and loss, often at the expense of crafting a robust cyber governance framework.

Playing off the insights from an article by the Australian Institute of Company Directors (AICD), it seems that organisations may overlook a critical component in their rush to find immediate solutions to issues. Is it more judicious that companies consider reviewing and strengthening their corporate governance before purchasing yet another cyber security panacea?

Unmasking the pillar of cyber security: Corporate governance

If asked to visualise the ultimate defence against cyber security threats, most might portray a sophisticated tech-powered environment with state-of-the-art solutions. However, according to the AICD and the Cyber Security Cooperative Research Centre, the most useful tool might be much simpler and already within the organisation’s reach – good governance.

That’s because, in reality, cyber attacks aren’t merely a tech problem; they’re an enterprise-wide risk issue. An organisation’s risk profile is a complex web, extending far beyond its technological frameworks and into its people, processes, and culture. Sure, external data attacks are a significant threat, but internal threats – whether purposeful or accidental – can be equally damaging.

Embedding cyber security into corporate governance necessitates a clear definition of responsibility and accountability within an organisation. It reinforces transparency, enforces accountability, and sets the stage for effective collaboration during crisis situations.

Building on this note, the AICD champions the use of comprehensive corporate governance as a defence against cyber threats, emphasising:

Ultimately, the benefits of good governance aren’t merely about defence – they’re about building an organisation where everyone continuously evolves to meet – and even anticipate – potential threats.

Why shelve the governance handbook for the latest cyber solution?

With an unending barrage of cyber security threats evolving at warp speed, it is understandable why organisations might feel the pressure to match pace with equally advanced cyber security solutions. However, the unchecked pursuit of tech-powered solutions often leads to the ‘solutionism’ bias, where organisations may forget the power of a robust governance framework in reinforcing their cyber security standing.

In addressing the complexity of burgeoning threats, there’s a growing consensus that cyber security should no longer be viewed as the sole responsibility of the IT department. Instead, it should be an organisation-wide concern – a shared responsibility.

A broader perspective is essential, pivoting cyber security from an IT-exclusive bastion to a shared concern that involves every member of the organisation. Corporate governance is the linchpin in this transformation, ensuring that everyone, from the C-suite to the frontline employees, understands their roles in both preventing and dealing with cyber threats.

Case study: Cyber security governance in action

While integrating corporate governance into cyber security strategies sounds logical, its effectiveness is best understood through real-world applications. Take the case of a leading automotive retailer who partnered with Business Aspect, a Data#3 company, to elevate their cyber security framework in alignment with their wider business goals.

To gain a thorough understanding of the retailer’s security stance, vulnerabilities and key areas for improvement, Business Aspect conducted an assessment against standards and frameworks such as ISO 27001 and NIST. The findings informed a strategic, multi-year security roadmap containing a step-by-step plan to address key security areas including data protection, network security and incident response – all aligned to business goals.

The strategy’s success hinged on optimised resource allocation, suggesting the investment of resources in high-impact areas that directly correlated with business growth and risk mitigation. This focused approach reinforced crucial security aspects and enhanced the program’s efficiency and adaptability to new threats.

Methodical approaches like these can help organisations shape governance strategies that go beyond traditional IT, aligning initiatives with broader business goals and supporting a culture of proactive risk management. In short, when executed well, corporate governance can transform cyber security from a peripheral IT concern into a central, organisation-wide commitment.

Final thoughts: Giving corporate governance its due

We have long advocated for organisations to reconsider their approach to cyber security, and this includes acknowledging the essential role of corporate governance and the persuasive case for its power to strengthen an organisation’s cyber security posture.

Therefore, organisations must consider involving their board members and senior management more actively in cyber security matters, rather than treating it as an IT-exclusive concern. Robust governance can empower an organisation to adapt and respond more effectively to evolving cyber threats, giving it capabilities that go beyond technical safeguards.

Revisiting corporate governance processes before investing in yet another cyber security solution might be the astute move companies need. The discipline of corporate governance is necessary not just for the immediate defence against cyber threats, but also for fostering a resilient cyber security culture that evolves with the advancing digital landscape. Perhaps, then, corporate governance rightfully deserves recognition as a key cyber security success factor, one that’s been largely underrated thus far.

Technology, experience, and education are all essential in protecting your organisation against cyber attacks. Benefit from the collective wisdom of Business Aspect’s dedicated strategic consulting team, combined with the hands-on expertise of Data#3’s cyber security specialists. Our highly accredited Australian-based security teams leverage a diverse range of expertise, security solutions, and a strong vendor portfolio to design, implement and maintain superior security measures that are tailored to protect your business. Contact us today to learn more.