A UNSW Institute for Cyber study has demonstrated a significant skills gap around cyber security awareness and resilience among ASX 100 company directors.
According to the study, led by Nigel Phair, Director (Enterprise) for the Institute at UNSW Canberra, fewer than one per cent of ASX 100 directors have cyber experience and just 16 per cent have technology experience.
Working with research associate Dr Hooman Alavizadeh, Mr Phair analysed 798 director positions (including managing directors and non-executive directors) across all ASX 100 companies. This analysis was based on information provided on the company websites, as well as LinkedIn profiles of individual directors.
Mr Phair said cyber security awareness was an increasingly important responsibility for company directors, with cybercrime costing the Australian economy more than $42 billion a year.
He said company directors need to assess cyber security, just as they would any risk, making competent decisions to understand the nature of the risk and how their level of (under) investment in cyber security controls will impact customers and stakeholders.
“There are many expectations and requirements to being a modern company director,” Mr Phair said.
“The cyber resilience of the organisation they govern is just one part of the role. To achieve this, company directors need to be asking management the tough questions – and be competent enough to know what answers to expect – surrounding their organisations’ understanding of cyber risk, the investment in creating and monitoring controls, and rehearsed scenarios, to be better equipped should a cyber security controls will impact customers and stakeholders.”
Mr Phair explained the best way to address the cyber security deficiencies of ASX 100 companies is through a board skills matrix.
The ASX recommends that organisations disclose on their websites or annual reports “a board skills matrix setting out the mix of skills that the board currently has or is looking to achieve in its membership”.
In 2020, 38% of all boards said they were introducing specialist technology and/or innovation roles to their board skills matrix; however, Mr Phair said this has not yet been actioned.
“The adoption of technology by organisations will continue to grow at a rapid pace,” Mr Phair said.
“In concert with this, is the dynamic role cyber security needs to play to protect the organisation, the data it creates and the people who access it. Since the ‘tone starts at the top’, having appropriately skilled company directors is a fundamental requirement.”