Building a Culture of Cyber Resilience
Embedding a cyber resilience framework and a unified decision-making framework that facilitates critical thinking can build cyber resilience.
The Chairman of Optus described their cyber-attack as a “classic perfect storm”, and:
“The alignment of a number of events, which has led to the breach getting through” and that “no matter how much you invest in cyber defence and no matter how good you think you are, you’re always vulnerable”.[i]
That vulnerability and those events set the organisation on a trajectory towards an executive-level crisis, estimated to have impacted nearly 10 million customers, compromising strategy, operations and involving significant legal, financial, and reputational impacts.
Although cyber security investments have grown significantly and the focus of protecting data has been a priority for most organisations, cyber specialists say human error is still the cause of 99% of cyber breaches.[ii]
Increased transparency and accountability from regulators
The Australian government’s response to the recent cyber-attacks demonstrates a growing lack of confidence in Australian business leaders. The Attorney-General introduced the Privacy Legislation Amendment Bill 2022.[iii] These changes to the Privacy Act increase the fines for repeated or serious data breaches from $2.2 million to up to $50 million or 30 per cent of adjusted turnover.
In addition, the Financial Accountability Regime (FAR) Bill 2022 increases transparency and accountability across the financial services industry.[iv] The FAR replaces the existing Banking Executive Accountability Regime (BEAR) and imposes obligations on authorised deposit-taking institutions, insurance companies, and superannuation funds.
A key element of FAR is increased personal accountability and FAR regulated entities are required to identify Accountable Persons (AP) who “must take reasonable steps to prevent matters from arising that would result in a material contravention of any of the specified, relevant laws set out”.
The expectation is that nominated APs have the authority and skills to make or oversee critical decisions and will do so through the lens of risk and compliance obligations. Key decisions made by nominated APs need to be discoverable to meet the FAR requirements.
Currently, the cost to businesses of meeting compliance obligations, together with potential fines and penalties, is substantial. In 2023, Medibank Private expects to log up to $45 million in one-off cybercrime expenses following its cyberattack;[v] software start-up GetSwift was penalised $15 million, the largest ever fine in Australia for a breach of market disclosure rules;[vi] while personal lender Latitude expects short-term costs between $10 million and $15 million as it moves to protect customer identities and hire expert advisers.[vii]
The criticality of high-quality decision-making
The importance of decision-making was recently highlighted when the Medibank Board faced the ultimate reckoning as they worked through a “critical decision” on whether to pay a ransom or not.[viii] With AUD$1.7 billion wiped off the value of their business following a trading halt, and concerns that the cyber criminals may still be within their system, this decision became a public discussion.
In the AFR article, “Medibank hack: Health insurer’s customers in limbo as cyberattack ransom dilemma plays out”, the Technology Editor wrote:
“It is a good thing that the negotiations have now been revealed, as a public conversation needs to take place about the ethics and practicalities of paying cyber criminals.”[ix]
The CEO of Colonial Pipeline (an American oil pipeline organisation) paid hackers USD$4.4 million in 2021 and told the US Senate that the decision to pay was made quickly. He also said:
“I know that’s a highly controversial decision. I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this. But it was the right thing to do for the country”.[x]
Ideally, Colonial Pipeline’s and Medibank’s decision-making was transparent, robust, fact-based, defendable, and aligned to their purpose, values, and risk appetite.
For other organisations seeking to prepare for a similar “day of reckoning”, the process of arriving at the decision is as important as the decision itself, particularly as each situation is unique and the decision may be controversial, time sensitive and involve significant consequences.
In the AFR article, “Five steps to handle a ransomware attack”, Step 2 after protecting the data is to “practise decision dilemmas”, noting in Step 3 that there is a “complex decision-making process around making any ransom payment” and that it is “probably one of the most difficult decisions that a board needs to consider”.[xi]
Individuals and teams make complex decisions every day, and many have an intuitive capability. The challenge with cyber security-related decisions after an attack comes from high levels of scrutiny, evolving technical complexity, conflicting or incomplete information, and the many competing stakeholder needs and expectations to consider; and the decisions need to be transparent and defendable.
On 28th November 2022, APRA’s Deputy Chair said in her opening remarks:
“A Chair who wants to create a high performing board will set agendas that scan the environment for new threats and new possibilities, will set an effective board renewal strategy to bring in fresh thinking and skills and will build a culture in which directors are actively encouraged to question and challenge management and each other to drive good decision-making”.[xii]
Although many organisations have pre-agreed frameworks for some types of decisions, few have a unified, robust, and transparent decision-making framework for this level of complexity. Even fewer have a decision-making framework that enables critical thinking across the enterprise to help prevent a cyber-attack from occurring.
Arguably, these are the blind spots and vulnerabilities cyber criminals are seeking to exploit.
Research on decision-making
A McKinsey survey of more than 1,200 managers across a range of global companies revealed there were growing levels of frustration with:
- Broken decision-making processes;
- The slow pace of decision-making deliberations; and
- The uneven quality of decision-making outcomes.[xiii]
Fewer than half of the survey respondents said that decisions are timely, and 61 percent said that at least half the time spent making them is ineffective.
And yet, a Bain & Company survey of executives worldwide from 760 companies revealed:
- A company’s past decision effectiveness is 95 percent correlated with financial performance one year in the future.
- Companies that were most effective at decision-making and execution generated average total shareholder returns nearly six percentage points higher than those of other firms.
- Many companies have enormous scope to improve their performance. Top-quintile companies score an average of 71 out of 100 in decision effectiveness. Companies in the other four quintiles score, on average, 30 and below.[xiv]
Critical thinking skills underpin good decision-making
High-quality decision-making is underpinned by critical thinking skills, and whilst many people have honed this skill, it needs to be developed more broadly, particularly where cyber resilience is a strategic objective for an organisation.
Developing a strong cyber resilience culture is especially important now as officials have observed cyber criminals are finding weaknesses[xvii] within the organisations they are targeting, and expect they will become more skilled, and attacks more sophisticated over time.[xviii]
To reduce their vulnerability, organisations need to have at least the same, or better, levels of critical thinking occurring within the business as is occurring outside the business.
In our view, the optimal way to create a strong risk culture is to ignite intellectual rigour across the organisation by embedding a unified decision-making framework: one that drives critical thinking behaviours and the discipline to consider risk and opportunity simultaneously.
Responding to previous significant risks
Critical infrastructure organisations operating in high-risk industries have been working with the Federal Government to build their resilience capability to withstand threats of this magnitude.
Organisations in these industries have used an Organisational Resilience Framework that fuses the disciplines of risk management with readiness planning, response capability and assurance.[xix]
Some organisations with a mature capability have identified three key elements that have provided enduring value:
- Taking an “all-risks” approach to building resilience.
- Embedding a decision-making framework to enable critical thinking to occur.
- Conducting robust scenario-based activities for all types of risks, to uncover vulnerabilities and uplift capability.[xx]
Whilst meeting the regulator’s expectations was a key factor for designing the resilience capability, the overarching focus was to genuinely build the capability to withstand any threat an organisation may face, and this in turn has also satisfied their regulators.
In the AFR article, “Seven steps to dealing with the COVID-19 crisis”, the Chairman of Qantas said, “Speed of decision-making has also been crucial”.[xxi]
The Head of Resilience, who had a pivotal role in maintaining Organisational Resilience at Qantas, has said:
“An organisation may have a clear strategy, exhaustive risk management processes, detailed plans and highly skilled individuals but if teams come together and are unable to demonstrate ‘critical thinking’, they may not be effective in managing the situation or seeing the opportunities.”
The need for new thinking
Many organisations have invested hundreds of millions of dollars into cyber security, meeting regulatory requirements, but few have invested in a single framework that ensures consistent high-quality decision-making throughout their organisation.
Most cybersecurity investments and strategies are currently focused on technology solutions, but a more complex risk landscape requires an expanded perspective that also invests in the skills of people at all levels of the organisation.
According to a McKinsey global survey,[xxii] critical thinking and decision-making is currently the No. 1 skill desired by executives, and this research is consistent with the World Economic Forum’s “Future of Jobs Report”.[xxiii] Whilst there is no disputing the value and need for critical thinking skills, the challenge is ‘how do we build them?’ Our best leaders possess these skills and their value to business is unquestionable.
Uplifting Critical Thinking skills across the organisation requires a unified framework that can be applied in all teams, in all industries and all regions and for all types of decision-making.
A holistic approach to Cyber Resilience
A holistic approach to organisational resilience utilises a framework to identify and manage all risks including strategic, operational and financial. Cyber risk is an operational risk that should sit within an organisation’s existing approach to risk management.
The evolving nature and potential severity and velocity of cyber risks require some organisations to take a more targeted approach to assess, build and maintain cyber resilience capability. If the entire crisis management team and their alternates are unable to lead a crisis, the strategic decisions will lie with the board, and they will need to assemble and direct a new crisis management team.
How can organisations build cyber resilience cultures?
Janellis works with senior leadership teams to uplift overall cyber resilience capabilities to enable their teams to respond effectively to any stress, threat, emergency or crisis and continue business operations.
A Capability Uplift scope of work begins with a Scorecard Assessment of Cyber Resilience. The Janellis Cyber Resilience Scorecard Assessment measures an organisation’s Cyber Resilience and helps teams build a roadmap to uplift, embed and maintain capability.
The Janellis Cyber Resilience Scorecard is used alongside the 4-Step Assessment process to draw upon existing expertise within teams and provide an efficient and targeted assessment of capability. The 4-Step Process enables teams to produce a Cyber Resilience Scorecard and report which identifies:
- Areas that require immediate action.
- Validation of existing investments.
- Areas of excellence.
- Key recommendations.
- A roadmap to uplift capability and provide assurance to key stakeholders.
The four steps to uplifting cyber resilience capability are:
- Initiate: Review capability
  - Identify and agree on an assessment framework and scorecard.
  - Confirm scoring metrics and the desired outcomes of the review.
  - Identify key stakeholders and the areas ‘in scope’ and ‘out of scope’.
  - Conduct a review, interviews, assessment and complete the report.
- Collate: Initiate the program
  - Devise a CEO Resilience vision and policy endorsed by the ELT and Board.
  - Design/confirm the cyber resilience framework and tools.
  - Develop a cyber resilience governance structure including key roles.
  - Confirm areas of immediate focus and stakeholders to include.
- Review: Deliver the program of work
  - Establish a ‘transition’ program structure to accelerate capability uplift across the organisation.
  - Identify business owners and SMEs for key streams of work.
  - Allocate tasks for areas that require immediate attention.
  - Review and report on progress.
- Embed within BAU
  - Appoint a BAU Resilience Leader.
  - Ensure all elements of Risk, Readiness, Response and Assurance are aligned and embedded within BAU processes.
  - Transition program management and reporting of organisational resilience capability within BAU.
Organisations today are tackling multiple major cyber security breaches using technology solutions alone, which continue to compromise their customers’ privacy and personal safety, all the while incurring millions of dollars in fines along with data, reputation and financial losses.
Enterprise-wide preparation is key in preventing and mitigating the business and customer impacts of cyber security breaches.
Building a cyber resilience culture requires a multi-faceted response, which involves embedding: a single corporate-wide definition of cyber resilience; a cyber resilience framework; and a standardised critical thinking framework.
Uplifting the critical thinking and cyber resilience capabilities of individuals, executive leadership teams and boards within organisations is the most robust method of preventing privacy breaches and building cyber resilience.