Cyber Security Governance

Cyber Security is a business problem. It is an important part of any appropriate, let alone good, organisational governance. The Board of Directors, along with the Senior Executive with direct responsibilities, owns cyber security risk. It is a risk that cannot be outsourced.

There is no 100% solution to cyber security, however. It is therefore important for an organisation’s Board of Directors (or, for smaller organisations, the business owner) to govern the management of that risk by:

  • understanding the organisation’s contextual risks and consequences of cyber incidents

  • prioritising those risks

  • showing reasonable care in managing the risk of a cyber incident

    • reasonably prevent cyber incidents

    • detect when a cyber incident is occurring

    • operate through a cyber incident

    • recover from a cyber incident

The objectives of the Board Governance Framework for Cyber Security are to:

  • Strategically govern the organisation’s Cyber Security Program

  • Plan

  • Evidence actions on plans

  • Demonstrate reasonable care

 

To achieve its objectives, the organisation’s Board or Business Owner Governance Framework for Cyber Security needs to be:

  • Prioritised in line with the organisation’s mission and strategic goals

  • Part of the normal Board Reporting, Retreat, Meeting and Flying Minute process

    • Reported on

    • Routinely reviewed

    • Include sign-off procedures for executive plans meeting strategic governance requirements (just like a budget, approach to regulatory compliance, or significant HR changes such as redundancies would be)

  • Articulated in terms of outcomes to the organisation, particularly to the Cyber Security Steering Group for aligned execution and embedding cross-functionally within the organisation

  • Engaged with a Cyber Security Peer

  • Shared appropriately with any involved interconnected party such as suppliers and customers.

 
