Pragmatic cyber governance advice from the author of all AICD cyber courses. Helping boards govern cyber risk using the skills they already have.
The Challenge
Cyber attacks can cause devastating societal and organisational disruption, leading to potentially catastrophic financial, operational and reputational damage. The media is littered with examples of organisations that have not governed their cyber risks appropriately and have not responded well when those risks materialised.
Yet many boards still treat cyber as a technology problem to be delegated to the IT department. This misses the fundamental point: data is the lifeblood of every organisation, and cyber risk is the risk of that lifeblood being compromised. That makes it a board-level governance issue.
The good news is that directors already have the risk oversight skills they need. Cyber governance does not require boards to become technical experts. It requires them to apply their existing governance capabilities to a domain that is often made to feel more complex than it needs to be.
"Cyber is one of many IT risks our organisations face. As a director you already have risk oversight skills; we need to fine-tune them for cyber." Jason Wilk, AICD Cyber for Directors Course, 2017
This has been my guiding principle since I authored the very first AICD cyber course in 2017. Directors do not need to learn a new discipline. They need to apply what they already know to a domain that matters more every year.
Track Record
Developed my first cyber governance framework for a large financial institution, establishing a practical approach to governing technology risk at the board and executive level.
Joined the AICD Faculty as a facilitator, beginning a long-term partnership delivering governance, strategy and risk education to directors across Australia.
Authored the first AICD cyber course, The Board's Role in Cyber, built in response to a review of Australia's Cyber Security Strategy 2016, which identified that key decision-makers had been left behind.
Facilitated cyber governance education for thousands of directors and officers through public AICD sessions, tailored in-board programmes and online delivery. Updated course content annually as the cyber landscape and directors' needs have evolved.
Key learnings from facilitating these courses informed the strategy and structures of the AICD and CSCRC Cyber Security Governance Principles, a framework for better practice, enhanced resilience and proactive board oversight of cyber.
How I Help
Tailored board workshops and education sessions that build directors' confidence in governing cyber risk. Based on the same content I deliver for the AICD, adapted to your organisation's specific context.
Practical frameworks that define how the board, management and technical teams work together on cyber. Clear roles, reporting lines, escalation paths and oversight mechanisms.
An assessment of how well the board is positioned to govern cyber risk today: what is working, what is missing, and what needs to change. Pragmatic, not theoretical.
Integrating cyber risk into your broader risk governance framework so it is managed consistently alongside other organisational risks, not as a separate silo.
Ensuring the board knows its role before, during and after a cyber incident. Tabletop exercises and governance structures that prepare the board to respond, not just react.
Designing reporting that gives directors the information they actually need to exercise oversight, not technical dashboards that obscure more than they reveal.
Governance Principles
Key learnings from years of facilitating cyber governance education formed the foundation of the AICD and CSCRC Cyber Security Governance Principles. This document offers boards and councils a practical framework for better practice, enhanced resilience and proactive oversight.
My Approach
I have led cyber and IT security functions inside major financial institutions. I have co-founded and run businesses that had to balance performance with conformance. And I have spent over a decade helping directors understand and govern cyber risk through the AICD.
That combination means my advice is never theoretical. I think about cyber governance the same way I would as an owner and director of a business: what is the right balance between protecting the organisation and enabling it to perform?
I work with organisations across every sector and size, from state government departments and local councils to peak bodies, utilities, financial institutions and privately owned corporations. The cyber threat landscape varies, but the governance fundamentals are consistent.
I focus on governance, not technical testing. My role is to help the board govern cyber risk effectively, not to assess the technical security posture (you have specialists for that).
Directors already understand risk oversight. My job is to bridge the gap between those existing governance skills and the specific characteristics of cyber as a risk domain.
"It was like looking at the same issue through a different lens that just made the uncertainty much clearer." Chairperson, Medium-Sized Association
Whether your board needs education, a governance framework, or practical guidance on its cyber oversight role, reach out for an obligation-free conversation.
Start a conversation