How Wesfarmers Industrial & Safety Report Cybersecurity to the Board
Cybersecurity, once relegated to the back office, is now a front and center priority for boards and executive leadership teams.
As businesses become more digitally empowered with increasingly remote workforces, cyber threats find new ways to breach defenses, increasing the risk to business operations and the bottom line.
We spoke to Head of Cyber Security and Risk, Daminda Kumara and Head of Technology, Strategic Sourcing, Carmen Rusman from Wesfarmers Industrial & Safety, to uncover three practical tips that have helped elevate cybersecurity to a boardroom conversation.
1. It’s not about how well programs are working; it’s how well risk is being managed.
Boards oversee risk, not operations. Daminda, who reports up to the Wesfarmers board quarterly, shared, “Rather than tell them how your cybersecurity program works, show them how (or how well) the risk is being managed.”
From loss of revenue and intellectual property to legal liability and reputational damage, including the cost to resolve, boards of directors bear the ultimate responsibility for the risks associated with a breach. To execute their due diligence, they rely on their organization’s cybersecurity leader to help them understand two things: What are the risks to the business, and how well is the company managing those risks?
To help convey risk management up to the board, Wesfarmers uses a NIST framework to showcase progress and performance. “We aim to simplify our message in two forms: visually, with a traffic light assessment and numerically, with a percentage measurement, against each KPI. This way we can showcase how effectively risk is being managed and quickly highlight how we will get from red to green.”
2. Connect the dots between Cyber Risk and Commercial Risk.
“At the end of the day, cyber risk is business risk.” For Daminda, a key strategy for highlighting business risk is through storytelling. “If you talk to the board about a specific program, bring in an example that showcases commercial impact. When speaking about vulnerability management, share the story behind a major breach – benchmark impact and story-tell to relate business context and commercial risk.”
“With a focus on reporting and board visibility over the past 2 years, the increased investment in cybersecurity has been significant,” shared Carmen. For board members, investment is prioritized by business value and in Carmen’s experience, “investment discussions are easy once the board realize the requirements and understand business value.”
3. Rely on your partners to help you win.
Daminda believes there should be no barriers between staff and partners. “Strategic partners like Secureworks have become an addendum of our team and I truly believe a strong partnership delivers the right outcome for our business. For all our partners, there is clear visibility and alignment on expectations to ensure we are collectively focused on what is needed for the board. In this way we act as one team, delivering a single set of objectives.” As a business, Wesfarmers presents 23 key metrics to the board each quarter that showcase the ongoing status of risk management and cybersecurity measures.
For cybersecurity leaders across Australia, there’s never been a more important time to showcase risk management to the board. At Wesfarmers Industrial & Safety that means always addressing business impact, leveraging partners to assist in reporting, and ensuring cybersecurity and business risk are seen as one and the same.
Daminda Kumara, Head of Cyber Security, Wesfarmers Industrial & Safety
Carmen Rusman, Head of Cyber Technology, Wesfarmers Industrial & Safety