Australian Cyber Security Magazine, ISSUE 2, 2017


Cyber Security

The ASX 100 Cyber Health Check Report: What’s next for your board?

By Michael Trovato GAICD, CISM, CISA

The Australian Stock Exchange (ASX) and Australian Securities and Investments Commission (ASIC), along with the “Big 4” accounting firms, have released the ASX 100 Cyber Health Check Report (the ASX Report) to establish a baseline in cyber security via a high-level “health check”. I commend the ASX and ASIC and the other participating companies for the leadership they have shown. Efforts like these are real accomplishments of cooperation and collaboration towards a common goal of a resilient ecosystem. Although the arc of progress described in the ASX Report might be tilted towards goodness, it is also clear that much more needs to be done. After reviewing it and reflecting, I would recommend:

1. Make sure the board has sufficient cyber security expertise or advisors;
2. Encourage your Chief Information Security Officer to build governance skills in finance, risk, strategy, legal, and compliance;
3. Use the results of the ASX Report for discussion at your next board meeting;
4. Commence or update your organisation’s detailed cyber security strategy and report on the security transformation program regularly;
5. Include cyber security as a quarterly agenda item, or more often as needed;
6. Measure your board’s performance in this critical area; and
7. Learn from peers on other boards.

Today, I want to focus on the first item. Most importantly, expertise at a board level comes from knowing the that, how, and why of cyber security and having the right practical experience. This implies having an experienced cyber security person on the board, on the audit and risk committee, or as an advisor. In the ASX Report, they made a clear effort to survey persons like this – but in some cases companies struggled to find a person to answer the questions, or they feared sharing details, since 24% of companies did not respond.

The ASX 100 Cyber Health Check Report, as a baseline

