Mitigating cyber-risk – risky business?

By Krist Davood - August 24, 2017

As a board member, owner or executive of a company, how much cyber-risk are you prepared to incur and, more importantly, how much risk are you taking that you don’t know about and therefore haven’t measured or tried to mitigate?

Read the full edition of Contact Magazine here

Dealing with most categories of risk can be fairly straightforward. But recent international IT events, such as the Petya ransomware outbreak, are evidence that it is cyber-risk that can pose the greatest threat.

Any number of directors will tell you that, since the focus shifted to regulatory compliance and best-practice standards, the demands on board members, owners and executives have increased significantly.

A recent survey backs these claims, especially from a cyber-risk perspective. According to the results of the GSIS survey, directors rank the assessment of security risks, inadequate policies and insufficient standards among third parties as their highest priorities; 75% of directors reported needing to spend more time on board duties related to cybersecurity risk, and 27% reported attending more meetings about cyber-breaches.

Most executives will tell you they have a rigorous methodology in place to handle cyber-risk management and internal control issues. An example of such a methodology/roadmap is as follows:

The seven basic components of such a methodology are typically used to produce a cyber-risk mitigation plan for the board and/or owners to consider.

In spite of this vigilance, few CEOs, CIOs or CFOs serve their terms in office without being confronted with unwanted surprises arising from the failure of internal, technical, environmental, physical or administrative cyber-controls.

Typical surprises include:

  • Unauthorised monies exchanging hands on the dark web
  • Selling of private data on the cyber ‘black market’
  • Staff, clients and service providers finding ways of defrauding significant sums of money, and
  • IT staff not being aware of how weaknesses in the computer systems expose the organisation to risk

Such surprises can bog an organisation down in an endless cycle of firefighting and litigation activities, leaving decision makers with very little time to be innovative.

Frequently, the ensuing state of disrepair is so extensive that the organisation is competing in the marketplace with one hand tied behind its back. Then, as the organisation begins uncovering a frightening number of intrusions or transactions that are processed without the proper controls, its strategic projects take a back seat.

From an executive’s perspective, it is easier and cheaper to maintain the status quo by assuming cybersecurity is confined to the technology department. That logic no longer holds as Australia awaits the Privacy Amendment (Notifiable Data Breaches) Act 2016, which comes into effect on 22 February 2018 and obliges organisations to notify affected individuals and the regulator of eligible data breaches.

Australian companies must adopt and embrace the attitude that mitigating cyber-risk is part of the road to business success. In part, that success is shaped by an organisation’s willingness to review and minimise its cybersecurity issues so those risks won’t get in the way of innovation.

Such a review would be conducted jointly by a Cybersecurity Governance Professional, specialised IT security staff and internal audit. This team can transform a company’s IT, cybersecurity and internal audit functions into a proactive force in true risk management. Cybersecurity controls can represent up to 65% of an organisation’s internal and technical controls. It is ironic, however, that the very people best suited to drive the mitigation of cyber-risk are the most difficult to find.

From a compliance perspective, it is not realistic for an internal auditor, or an IT security professional with no cybersecurity governance background, to unilaterally sign off on a systems control review that he or she is not qualified to judge. Cybersecurity Governance Professionals are difficult to come by because most people with the technical skills lack the risk management and governance background. The Cybersecurity Governance Professional uses his or her combined business and IT expertise to identify all risks to the relevant processes, data and systems.

Integrating risk management and Cybersecurity Governance is a vital evolution for most organisations, especially as they seek to comply with the relevant standards.

Before CEOs and/or CFOs can sign off on the integrity of their privacy obligations, they need to see and understand the complete picture. It is a paradox that the skill set underpinning the digital engine of today’s e-commerce-driven market is the least available one in the IT departments of most organisations. How much cyber-risk are you prepared to take?
