Who is responsible for cyber security in a business?
Understanding the roles and responsibilities of cyber security in a business.
In light of recent cyber events, there’s been a lot of talk about the responsibility of Australian companies to protect customer data and privacy.
ASIC chair Joe Longo at the end of 2023 warned directors to act with ‘reasonable care and diligence’ on cyber security matters, or they could face enforcement action by the regulator.
It’s not just large organisations in the spotlight now either. SMEs and not-for-profits have much they can do to ensure that their data is stored securely and protected. With so much at stake, there’s no room for ignorance.
Implementing a set of cyber security principles and strategies is not an easy task for any organisation, nor is it the sole responsibility of the IT team. Every member of an organisation plays a part in ensuring that steps are taken to mitigate cyber risks. In other words, cyber security is a ‘whole of organisation’ effort.
The role of the board
Outlined in the 2022 ‘Cyber Security Governance Principles’ by the AICD and Cyber Security Cooperative Research Centre, the first Governance Principle is to ‘Set clear roles and responsibilities’.
While it is not the board's role to manage cyber risk directly, it is the board that has ultimate accountability for how risks are governed and addressed.
In large organisations, the board may assign closer oversight of risk and technology to a sub-committee, typically made up of board members who have more experience in IT, risk or cyber security.
The AICD recommends that any delegation of cyber risk management or strategy to board committees be detailed in the charter or governing documents, as well as in the organisation’s overarching cyber strategy.
Directors should also be equipped with training and upskilling to build their capability to understand cyber risk.
“Directors have a critical role to play and must seek to lift their own cyber literacy levels, recognising that this is a key risk that can never be eliminated but can be effectively managed.”
— Hon Clare O’Neil MP
Minister for Home Affairs and Minister for Cyber Security
CEOs and management
As we’ve seen recently in Australia, major cyber incidents (such as data breaches) often result in the CEO being removed. While it’s true that the CEO is ultimately responsible for ensuring cyber security is embedded into the culture of a company, it’s the role of the CISO (Chief Information Security Officer) to work with leadership to determine the organisation’s acceptable level of risk. The CISO is also accountable to the board for creating and maintaining a cyber security strategy.
While there is no strict rule on where responsibility for cyber security sits at a management level, ideally, every manager should take shared responsibility to understand the threat landscape around them.
Individual cyber responsibilities should be documented in position descriptions or role statements.
Roles and responsibilities for SMEs and NFPs
In Small and Medium-sized Enterprises (SMEs) and Not-for-Profits (NFPs), the CEO often plays a more hands-on role.
Many SMEs do not have a CISO or CTO role, and therefore rely on external Managed Service Providers (such as ShadowSafe) to leverage their experience and solutions. MSPs have proven solutions that can help build a company’s cyber security capabilities and mitigate risk.
To improve clarity around cyber roles and responsibilities, here are a few simple steps SMEs can take:
Document who has responsibility for cyber security matters
Provide cyber security awareness training to all levels of the business
Appoint a ‘cyber champion’ to promote cyber resilience and respond to questions
Consider whether a director, or group of directors, should have a more active role in oversight of cyber security
Create policies that outline safe cyber practices, e.g. for the transfer of funds
Collect data internally on the effectiveness of cyber risk practices
Principle 4 of the Cyber Security Governance Principles recommends that all leadership (from the board to management) should make every effort to ‘Promote a culture of cyber resilience’.
A truly cyber resilient culture begins at the top and flows down through an organisation, from behaviour and language to governance and incentives. Regular, engaging cyber training can help promote a cyber resilient culture. At ShadowSafe we provide this training as part of our PeopleSafe solution.
Another way to promote strong cyber security resilience is to conduct regular simulated email phishing and penetration testing in a way that builds awareness and incentivises team members to keep good security practices.
Cyber threats are part of every organisation’s risk landscape
More than 67,500 cybercrime incidents are reported every year (one every 8 minutes). Losses from cybercrime exceeded $33 billion in 2020/21, and have been growing since. As Warren Buffett says, “It takes 20 years to build a reputation and five minutes to ruin it.” Good cyber security principles can help prevent that from happening to your organisation.
Whether you’re a small business or a large company, cyber security should be front of mind for leaders at all levels. Board members, executives and managers all play an important role in shaping a company’s cyber security resilience and its readiness for cyber attacks.
At ShadowSafe, we’re on a mission to make IT and cyber security simple. Our packaged solutions protect businesses from cyber risks and IT failures, so that they can grow online with confidence.
Speak to our Brisbane team today and receive a free IT Risk Assessment.
Related Reading:
Federal government’s 2023-2030 Australian Cyber Security Strategy
Cyber Security Governance Principles