Best Practices for CIOs and CISOs to Provide Informed Insights and Mitigate Risks
As an experienced board director and governance expert with over 25 years of experience in ICT and information security, I understand the significance of strong leadership in managing cybersecurity risks. It is imperative that senior executives and the board work together to manage the organisation’s risk exposure. The board must take ownership of this responsibility, and in plain English, must be able to explain the organisation’s cybersecurity risk and the measures taken to address it. 
“While no set of mitigation strategies are guaranteed to protect against all cyber threats, organisations are recommended to implement eight essential mitigation strategies from the ACSC’s Strategies to Mitigate Cyber Security Incidents as a baseline. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems.” 
In the past year, Australia has experienced several large cyber-attacks and incidents. Personal data for millions of Australians was compromised at MyGov, Medibank, Optus, and Latitude for example. Companies and government agencies must notify authorities such as the Australian Cyber Security Centre (ACSC), the Australian Federal Police (AFP), and the Office of the Australian Information Commissioner (OAIC) following a cyber-attack. They may also engage external cybersecurity specialists to manage the incident. Building relationships at this level early on is crucial for effective use of the cybersecurity strategy, business recovery, and public relations and crisis management following a cyber-attack. The business must take the lead in being the face of any public cyber incidents.
While public and board awareness of cybersecurity has increased, CIOs can face challenges when reporting risks to the board. The ACSC Essential Eight is the gold standard for reporting in Australia. An effective report prepared by CIOs or CISOs should include key elements that provide a comprehensive understanding of the organisation’s cybersecurity posture.
The report should begin with an executive summary that provides an overview of the current cybersecurity posture, any identified risks and threats, and the likelihood and potential impact of these risks. It should assess the threat landscape facing the organisation and the cybersecurity program in place to protect its assets and data. The report should also include an overview of risk mitigation and response strategies and the incident response plan.
Compliance with relevant cybersecurity regulations and standards, such as ISO 27001  or NIST CSF, should be addressed. The report should also evaluate the budget and resources allocated to cybersecurity and assess the performance of the cybersecurity team. The NIST Cybersecurity Framework provides guidance to organisations to better understand their cybersecurity risks. 
The report should also include KPIs to provide a comprehensive understanding of the organisation’s cybersecurity posture. These KPIs may include metrics around incident response, vulnerability management, compliance, risk, employee training, security controls, business continuity, budget and resource allocation, and third-party risk.
Regular cybersecurity reports to the board by CIOs or CISOs are crucial for protecting the organisation from cyber threats and ensuring business continuity. The CEO should also report regularly on the organisation’s data holdings, why the data is collected and retained, if it is necessary to collect and retain, for how long, and the disposal strategy of corporate and customer data. Together these reports also help board directors understand their legal and regulatory obligations.  With the increasing frequency and sophistication of cyber-attacks, it’s more important than ever for boards to have a clear understanding of the organisation’s cybersecurity posture and to be informed of any significant risks or incidents.
“…the board must set clear expectations around the information it receives from management including the format, frequency and level of detail around cyber security the board receives.” 
By providing a comprehensive cybersecurity report, CIOs or CISOs can help the board make informed decisions about cybersecurity investments and risk management strategies. Building a cyber roadmap and linking it to cybersecurity risks should be part of organisational planning, and budgeted appropriately for implementation and ongoing management, including the cyber liability insurance policy and cover limits. This demonstrates a commitment to cybersecurity governance and helps build trust and confidence between the board and the organisation. It also supports a culture of cybersecurity awareness and resilience.
In summary, cybersecurity is everyone’s responsibility. Boards, CEOs, CIOs, and CISOs must work together to ensure that the organisation is prepared to handle cyber threats and incidents effectively. With the increasing frequency and sophistication of cyber-attacks, it’s more important than ever to have a clear understanding of the organisation’s cybersecurity posture and to be informed of any significant risks or incidents. By following best practices and creating effective cybersecurity reports, organisations can mitigate risks and protect their assets and data.
1. Australian Cyber Security Centre (ACSC) https://www.cyber.gov.au/acsc/view-all-content/publications/questions-boards-ask-about-cyber-security
2. Australian Cyber Security Centre (ACSC) https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
3. International Organisation for Standardisation (ISO) https://www.iso.org/isoiec-27001-information-security.html
4. National Institute of Standards and Technology (NIST) https://www.nist.gov/cyberframework
About: Gary Morgan is an experienced board director, chief executive, consultant, and corporate advisor with deep expertise in strategy, innovation, and growth in the health tech, aged care, agtech, information security, and research sectors. He is a Fellow of the Governance Institute of Australia and a Member of the Griffith University Industry Advisory Board for the ICT School. Gary has co-authored papers and reports published in leading entrepreneurship and medical journals and presented at international conferences.
Acknowledgment: I would like to thank Prof Paulo de Souza, Prof Alan Liew and Antony Stinziani for their valuable input and feedback. This article was composed in part with the assistance of AI technology.