PODCAST: the gap between boards and cyber risk

Speaking to bluenotes on podcast, Yip said while visibility on the issue had improved at board level, the deeper challenge was technical comprehension.  

" Awareness doesn’t mean they actually understand it." - Ian Yip

“Board visibility and awareness around cybersecurity and cyber risk is a lot better today than it used to be,” he said. “Now, that awareness doesn’t mean they actually understand it.”  

“So there’s a bit of work to be done in telling them what it actually means.”

{CF_AUDIO}

Yip said often boards are briefed about risk exposures but it is vital to make sure it’s done in plain language.

“That’s what a lot of security teams have issues with – translation,” he said.  “Particularly the technical teams on the ground… telling people who aren’t necessarily technical… what it does for the risk profile and the things that can happen if a breach occurs.”

Yip said appropriate corporate spend on cybersecurity varied depending on sectors.

“It can be anywhere from 3 per cent of the IT budget up to about 10, 15, 20 per cent,” he said. “There are arguments for what’s appropriate and what isn’t.”

“I think it comes down to the risk profile.”

Yip also touched on the questions boards should be asking their technologists about cybersecurity and what they should be being briefed on. Listen to the podcast above to find out more.

Paul Burrow is Security Capability Uplift Manager at ANZ