The Australian Securities Exchange’s head of technology governance says enterprise cyber security teams must have a voice in the boardroom.
“We’re all competing for funds, we’re all competing for scarce resources,” Daryn Wedd told a cyber security event in Sydney on Thursday. “It’s a case of having a voice at that table. And being able to articulate that voice.”
“There is no point having an IT or tech team that is sitting buried in a room with technology, with all of the equipment and all of the gadgets and all of the kit you could possibly imagine, if that [security] information does not get used to inform the organisation as to what the threats are, and potentially what you need to do to combat them,” he told the event staged by the Australian British Chamber of Commerce, BAE Systems and King & Wood Mallesons.
The ASX board’s audit and risk committee signs off annually on the organisation’s cyber security strategy, and Wedd reports to them every quarter, he said.
An organisation’s security function should be run “like any other business department”, he added, which requires the ability to make a case to the executive.
“The board has got to be involved,” he added.
Cyber security is a priority for the ASX, to ensure “market confidence in the robustness and reliability of ASX’s systems”, the company said during its half-year results presentation last month.
The exchange’s cyber resilience is also a focus of the Australian Securities and Investments Commission (ASIC), which scrutinised ASX’s security practices as part of an assessment last year. Good governance around cyber security contributed to the ASX receiving ASIC approval to operate.
“The good practices we observed…were characterised by board ownership, and responsive and agile governance models,” the ASIC report read.
“It starts with governance. Do you have a plan and a strategy, and is that plan and strategy informed?” Wedd said. “And you’ve got to test that plan.”
Wedd said testing of security systems goes beyond traditional penetration testing. The ASX also employs ethical hackers to simulate advanced persistent threats over extended periods of time.
“It’s not just about preventative and detective controls. It’s a case of testing to make sure your team can actually respond appropriately.”
In November, the ASX and ASIC invited the 100 largest listed companies to participate in an assessment of their cyber security posture.
The health check involves a survey to be completed by a company’s chairperson, audit committee chair or risk committee chair. The work aims to help boards share best practices and identify areas where improvement is required.
A public report into the general findings of the ASX 100 Cyber Health Check is expected to be released next month.
The ASX is currently seeking a chief information officer following the departure of Tim Thurman earlier this year.