Cyber risk management: What leaders can learn from Australia


A series of high-profile attacks across nearly every sector in Australia in 2023 has made cybersecurity a hot topic of conversation. Despite the public fallout, most companies remain reactive rather than proactive in managing their cybersecurity.

The Australian Securities and Investments Commission (ASIC) is set to turn up the heat on directors and executives, noting, “For all boards, cyber resilience has got to be a top priority.”

It's a view that aligns with a “seismic shift” in the technology and risk culture at Downer, one of the country’s largest integrated infrastructure services companies. According to James Polson, general manager for technology and cyber risk management, when organizations approach cyber risk as an innate business risk, it’s easier for leaders to prioritize what’s important and make the right decisions.

Over the past two years, Polson and his team have sought to reframe conversations about risk and issues, focusing instead on controls and ownership. The upshot is a more mature risk culture, built on a common language.

Don’t get lost in translation

Cyber risk may be complex, but the role of the technology risk manager is simple, according to Polson: Give senior managers and their teams the clearest, most straightforward information possible to make good decisions.

“As a society, we’re still lacking a solid basis for understanding cyber—it’s too often a case of ‘let’s bring in the expert to deal with this,’” he explains. “It’s important for boards to recognize that cyber is both a business risk and a technology risk. Technology risks don’t exist independent of other risks.”

As a subject matter expert, Polson believes technology teams must play a role in helping their boards find common ground for complex risk conversations. Making sure everyone speaks the same technology and cyber risk language has been a game changer for Downer.


“We approach technology and cyber risk management as simply as we can,” Polson says. “It’s very easy for technologists to communicate in terms that nobody understands. What you’re asking is for your senior executives and your board to make the right call at any given time. If they don’t understand you or the decisions you’re asking them to make, they’re either going to ignore you or reach the wrong outcome.”

As decision-making progresses up the lines of leadership, Downer uses ServiceNow Integrated Risk Management to narrow the focus of conversations. Polson underscores the importance of getting granular.

“As risk leaders, our job isn’t about making things basic,” he says, “but specific for the business context. You need to link relevant control objectives to risk statements. The taxonomy you use is critical. That’s the first step to breaking through risk disorganization.”

Keep it simple

Having spent more than a year shrinking a spreadsheet of hundreds of specific problems down to a simplified framework of just six risks and 150 controls, Polson believes that when technologists make things real for people, they’re more likely to get the best outcomes. He advocates finding the “what’s in it for me?” factor.

“The key is about injecting a little bit of emotional intelligence into technology problems,” he continues. “Not everyone thinks the way that I do or like my team does. It’s our job to make technology risk decisions engaging.”

Because ServiceNow Integrated Risk Management has ISO 27001 embedded, Downer’s risk team was able to combine risks with the Essential Eight and then use the tool to identify the specific controls that aligned with the business requirements.

“ServiceNow Integrated Risk Management helps us organize our risk world using standardized authority documents to structure our obligations,” Polson explains. “We use these to develop control objectives and policies that everyone understands. Next, we link these to our risks. Not only does this avoid arguments over unnecessary risks, but it also simplifies our compliance and audit processes,” he says.

“We’re constantly iterating on the six risks so that they work for everyone, at all times. I’m always asking, ‘How can we make this a little bit clearer or relevant? What extra information do we need to attach to these risks to make them more meaningful for our nontech audiences?’”


Have digital eyes in the right places

As cloud-based systems become more complex, it’s harder to track how well they work. Observability—gauging the health of digital systems and diagnosing when problems are brewing, in real time—is an increasingly important capability for organizations. Without good observability, leaders can't make changes quickly or respond to shifting conditions.

To improve observability, you need a clear flow of information that makes sense at every level: from frontline employees to the technology team, and from senior leaders to the board.

“When you’ve simplified your risk framework with ServiceNow, it’s easy to know where to put the observational components,” Polson says. “Then it’s about communicating that information to the right people. Governance needs to be embedded for the employees who are accountable to the outcomes. As that information moves up the organizational ladder, it becomes less granular and more strategic.”

Risk is everyone’s responsibility

“Ultimately, any cyber-related decision will impact profitability,” Polson says. “Therefore, your cyber investment must be aligned to your business strategy and risk appetite. The threat environment is only getting more sophisticated, so if you cut the cyber budget, all you’re doing is racking up cyber tech debt.”

Polson suggests that technology and risk leaders can do much more to boost organizational—and national—cyber resilience by being more forthcoming with learnings and experiences.

“We don’t need to keep the way we approach risk under our belts. There’s a huge opportunity for sharing what we do, particularly when it comes to cyber risk. We’re dealing with a collective issue that organizations need to address in lockstep so nobody is left behind,” he says.

“The government’s aim is to create ‘Fortress Australia,’ which relies on sharing what we’re learning, contributing to the national cybersecurity strategy, working with our industry partners and thought leaders to make sure we’re all progressing together. The better protected the country is, the better off we all are.”

Find out more about how ServiceNow helps organizations manage risk and resilience in real time.