How Australian CISOs and CIOs should frame cybersecurity conversations with the board

Australian companies are embracing cloud but many don’t seem to fully understand what they need to do to ensure all their data and workloads in the cloud are secure. Anecdotally, it seems companies are either trusting their cloud provider to manage security for them or else they’re avoiding the cloud altogether due to security fears. 

Neither approach is ideal. The cloud works on a shared responsibility model. That means your cloud provider is responsible for securing the infrastructure, while your business is responsible for securing your data. However, you shouldn’t let security fears scare your organisation away from leveraging the significant benefits that cloud can offer. 

Businesses that get security right generally do so because security is prioritised in the business, rather than treated as an afterthought. Educating business leaders about the importance of strong cybersecurity falls to the CIO or CISO in most cases. This responsibility shouldn’t be overlooked because a strong security posture starts at the top of the organisation. Business leaders can’t expect their staff to prioritise security if they haven’t set the agenda at the highest levels. 

See also:

• Australia is building GlobalGuard, the world’s first blockchain and AI cybersecurity network

• Nationwide rollout of cybersecurity courses to meet demand for 11,000 jobs

• Cyber security: C-suite and IT teams disconnect making it easier for cyber criminals

This makes it imperative for CISOs to insert themselves into the security conversation at the board level. 

There are four key things that CISOs should communicate to the board:

1. The cloud is just another risk

Many board members, especially those who aren’t necessarily technology-savvy, will switch off during conversations about cybersecurity. It’s therefore important to frame the conversation in the context of business risk. Helping board members visualise the reality and potential severity of security risks can go a long way towards getting their attention. Board members should treat cloud and cyber risk the same way they’d treat any other risk; by identifying the gaps and mitigating them to the extent that’s possible.

2. Native public cloud security isn’t enough

Just because cloud providers have some security natively built in doesn’t mean businesses can ignore their responsibility to secure their own data. The shared security model means data in the cloud is only as secure as data stored anywhere else in the organisation. It’s therefore essential to put additional, specific security measures in place to protect data in the cloud. Furthermore, for best results it’s important to thoroughly integrate your cloud security measures with the rest of your security architecture, and automate security processes wherever possible. 

3. Cloud security is no different from other cybersecurity

Far from requiring a different type of security, cloud deployments become more secure when you apply a consistent approach to managing security across the entire enterprise, regardless of where information or applications reside. Managing and orchestrating multiple security approaches and products only adds complexity to the security environment, which creates space for errors and risks. You should therefore highlight the importance of a consistent, strategic approach to cybersecurity as a whole. 

4. Preventing breaches includes securing the cloud

Preventing breaches from happening is the ideal scenario when it comes to cybersecurity. While it is possible to mitigate the effects of an attack, a successful attack will inevitably cause some damage to the organisation. That damage can be financial, reputational, and even legal now that the government has enacted the mandatory notifiable data breaches (NDB) legislation. To prevent attacks from being successful, you need consistent visibility and protections across the entire business network, regardless of what this includes. Any security investment should be considered on the basis of its ability to stop attackers in their tracks; that’s how it will provide return on investment. 

CIOs and CISOs who can articulate these premises clearly and compellingly to the board will find it easier to get executive buy-in for security projects, gain high-level support for a strong security culture, and, ultimately, be able to protect the organisation more effectively. 

Armando Dacal, Vice President of Strategic Alliances and Global Accounts, Palo Alto Networks