Being 70 years old is no excuse for board members not to understand their company’s cyber security risk, argues Jennifer Westacott, chief executive of Business Council Australia.
Speaking at the Sinet 61 event in Sydney yesterday, Westacott said the responsibility for cyber security ultimately sits at the top of the organisation.
“Boards have one job, it is to be the custodian of good culture and I don’t think it’s good enough for people to say ‘I don’t understand technology’,” Westacott said. “Well sorry, even if you’re 70 get on top of it.”
Westacott said the Business Council and the Australian Institute of Company Directors need to collaborate to lift the security capabilities of individuals at board level. To take cyber security seriously, boards need to understand their systems and data, putting it high on the list for the audit committee.
Consumers will be the drivers of cyber security innovation, Westacott argued. While this customer focus will give businesses an advantage, it also raises security challenges.
“The trust equation is going to become the comparative advantage for a company. We have this conundrum, where consumers want rapid online services, they want open data sources but they want trust. They want to know their data is secure and they will punish failure and reputation very quickly,” she said.
Consolidating customer data in one place “creates a magnet for an attacker,” Westacott said.
“You can’t give up on that [consolidating customer data], because it’s going to be a comparative advantage for you, but boy you’ve got to get the security of that right,” Westacott said.
Turning her attention to threats, Westacott urged businesses to ask themselves ‘who is likely to be my attacker and why?’
“I think they’ve got to understand their attackers. Not all attackers are created equal, not all of them are similarly motivated. You can’t predict this and you can’t be naive about it, but you can understand capabilities, opportunities and motivation, and understand where your threats might come from,” Westacott said.
For example, an insider may pose a greater risk than an external attacker.