Does your Board paper have a section on cyber risk?

David Kennedy


No single threat event has more ability than a cyber event to paralyse a business and force it into administration, or to make it a takeover target.

These threat events are well planned, sophisticated, complex, smart and most of the time only detected when it is too late. Customers and investors are quick to turn from any company that is frivolous with their information. Regulators are usually behind in their approach and more often than not they stifle innovation when we need to increase our speed of innovation.

Never before has speed of change been more important to ensure competitive advantage and increased revenue. We need to begin working together as a country: a collaborative group of companies working together to address the threats to New Zealand infrastructure and commercial interests, and to become more transparent in the way we address cyber risk.

So many times I hear that cybersecurity is a business enabler but too many times I do not see how people are enabling New Zealand to achieve that. We all need to review our approach and ensure it is aligned to the most economic way to protect our assets and use effective and robust risk management to enable business decisions.

So why, historically, has it appeared in the "too hard basket" for many NZ companies? The usual suspects are cost, resources and lack of awareness of the real threats versus the Fear, Uncertainty and Doubt (FUD) approach that many professionals perpetuate.

In order to address these issues, we need to join the collective Kiwi mind through creating a network of security professionals who communicate closely with each other. Working with peers and providers alike is the only way for New Zealand companies to remain competitive on the global stage.

It is also imperative to link a formal cyber risk process to any transformational strategies the company has planned. This will ensure that we start to reduce wasteful, ill-focused and ineffective spend on cyber immediately. After all, we all know that retrospective application of controls is vastly more expensive than applying them from the design phase.

Mission: Demystify cybersecurity
We must enable transparency and empowerment within an organisation and demystify cybersecurity! Working to introduce processes and educating people across an organisation is imperative. All processes should be clearly documented and available to enable successful training and so that we can visually identify where to insert cyber controls.

Every single employee has a responsibility to help reduce spend on cybersecurity.

Effective, understandable, relevant and useable policies and best practices should be made available to customers to show transparency and to gain trust that we will protect their information! I would also advocate no more than two pages per security policy to really make them readable and empower groups of people to push the boundaries, increasing innovation and taking more informed risks.
