Data 61's CEO Adrian Turner spoke at Cyber Security: the Leadership Imperative, hosted by InnovationAus, on the need for boards and senior business executives to become more au fait with the changing risk profile of businesses in the internet age. One of the key issues, he argued, was a lack of diversity on Australian boards and a need for IT practitioners to change how they communicate the risks that emerge with new technologies.
Turner said we are in digital transition where new skills and technologies are creating new industries.
"In the past, when Australia was a domestic modifier of global ideas, we cannot do that. We have to back ourselves in taking a leadership role in creating new industries. We don't have a choice," said Turner.
After spending many years working overseas, Turner has noted that boards in Australia play a fundamentally different role than those in other countries. While governance, risk management and compliance are important, in other parts of the world boards are much more active in seeking growth opportunities and in understanding how their industries are being reshaped.
"I think we've got a problem with our boards. Not that our boards don't have great people. But if you have a look at the average age of a board director in Australia, it's about 60. If you look at the age of a non-executive director, it's about 63. It's not about age - it should be about meritocracy and ability," said Turner.
That lack of diversity is even more obvious when you look at board composition in our largest companies. About 104 directors represent 35% of the ASX100.
"It's a tight-knit group."
In contrast, Turner said that while Silicon Valley has lots of faults, it is great at diffusing knowledge. The average age of board members at Facebook is 49; removing the three oldest board members from that group drops the average age by seven years. One of those older board members is Reed Hastings, the CEO of Netflix, highlighting the cross-fertilisation of ideas across companies. Board structures in Silicon Valley, as an example, facilitate the sharing of ideas and information.
Turner says those boards also have many "digital natives", even on the boards of multi-billion dollar businesses, but there is a reticence to do that here. This leads to a lack of diversity on Australian boards, not just in terms of gender but also in different ways of thinking, seeing and solving problems and meeting new challenges.
"Digital natives just think differently," said Turner. "There needs to be more diversity, more of a mix. The companies that step up to that new opportunity will thrive. The ones that don't - I think they're going to get smashed."
When it comes to cybersecurity, Turner says the challenges many businesses are facing are symptomatic of the structure of boards and their experience with the new world. Citing research by Australian email security company MailGuard, Turner said 91% of cybercrime is initiated by zero-day attacks over email and 97% of people can't tell the difference between an email with criminal intent and a real one. The threat landscape is evolving exponentially, with cybercrime expected to be worth $6T by 2021.
With the damage of a major attack extending beyond the financial to the reputational, the currency we are moving to is trust. Businesses need a "social licence" to handle, operate on and hold valuable data sets, and that is something companies need to be thinking about.
To start, Turner said security must be escalated to being a board level discussion.
"It's not a technical issue. It's as much a cultural issue and a people issue about organisational process and structure. It's all about communications, making sure there are clearly understood methodologies. Reporting metrics so that awareness is elevated and the role of CISO is changing, even to the point where security is no longer being reported through the CIO."
Businesses need to move on from thinking about cybersecurity response as being all about technology and recognise that it is also a behavioural issue. Cyber-hygiene thinking needs to move on to resilience and having a response ready for when something goes wrong. That means having scenario planning, business continuity plans and running drills to ensure the business is ready.
While past efforts at security took more of an all-or-nothing approach, Turner said businesses are moving to a risk-tolerance approach in which the business context is understood.
"Different sectors and different businesses will have different tolerances. It's all situational. It's about having a discussion at board level to agree on that appetite for risk," he said. "Related to that, really understanding what are the valuable data assets that an organisation holds and carrying out an inventory of those assets and understanding where those assets are is a fundamental step to protecting assets."
That focus has to extend beyond traditional IT into operational technology. Turner said that while securing medical devices, mining equipment and other mission critical systems is important, there will be a need to think about equipment that is "life critical" as more systems are automated and connected to existing networks.
When it comes to monitoring and reporting, Turner said it is important not to under-invest in response systems. He also added that everyone from operational teams to boards needs to participate in broader programs, such as those offered by government, as well as peer business and other forums, in order to broaden their exposure to and understanding of the threat landscape and how they can prepare for and respond to incidents.
While security and privacy are often played off against each other in some forums, Turner described them as "two sides of the same coin", noting that security was typically about systems while privacy was more a function of policy.
Turner made some interesting comments regarding the rapidly growing cyber-insurance market. He worked with the World Economic Forum on risk quantification for cybersecurity insurance, alongside a number of large insurers and other businesses.
"What was interesting was that we concluded we couldn't build a risk quantification model to properly price risk. If we look at cyber-insurance today, it's not actually pricing the risk of a cyber event. It's really like an ISO certification where it's ensuring you follow a particular set of processes. As a board, you need to understand that the percentage of payouts on full payouts is very, very low."
When risk is managed well it can be a massive business enabler, said Turner. He likened it to the importance of the braking system in a race car. While the brakes might be designed to slow or stop the business, the benefit of brakes is that they enable you to go faster, more safely.
"That's the opportunity here if we get it right."