Cybersecurity in Australian and Japanese boardrooms

November 9, 2023

Alex Co

This post is a guest-authored commentary piece discussing the findings from the Diligent Institute and NightDragon report titled State of Cyber Awareness in the Boardroom. This is the first blog in a series of global commentary pieces analyzing how the results on boardroom cyber awareness compare to other regions of the world.

With contributions from Richard Pisak.

The recent report, State of Cyber Awareness in the Boardroom by the Diligent Institute and NightDragon, highlights the pressing need for S&P 500 boards to enhance their cybersecurity expertise in response to the growing digital landscape. The report’s findings indicate that, despite cybersecurity being the most significant oversight challenge for companies, a mere 1.4% of S&P 500 boards have individuals with current or former roles as Chief Information and Security Officers (CISOs), and only 31% possess technology-related expertise.

The research team at Diligent has created an analysis to review whether the ASX 300 and Nikkei 225 Index have any technology executives sitting on their boards. The technology executive can be either a Chief Information Officer, Chief Information and Security Officer or a Chief Technology Officer.

ASX 300 boards lack technology executives

Only three companies, or 1% of ASX 300 boards, have either a Chief Information Officer or a Chief Technology Officer sitting on the board, an even lower presence than on S&P 500 boards.

Positions: 

  • President and Chief Technology Officer 
  • Executive Director and Technology Director 
  • Executive Director and Chief Information Officer 

According to the research, no company in the ASX 100/300 has either a current CISO or former CISO on their board.

A 2019 report by AustCyber suggested that the lack of highly skilled cybersecurity professionals might also stem from a shortage of skilled workers in the IT industry in Australia, and that unfilled positions are expected to increase by more than 16,000 by 2026.

Nikkei 225 Index in a similar boat   

Fifteen companies, or 6.7% of Nikkei 225 boards, have either a Chief Information Officer or Chief Technology Officer sitting on the board, a higher share than on both S&P 500 and ASX 300 boards.

[Figure: Tech positions in Nikkei 225]

Diligent has also created an analysis of technology expertise on ASX 300 and Nikkei 225 boards. Technology expertise is assigned to directors who have extensive experience in technology roles as well as directors with a technological education. The analysis does not specify whether the technology expertise includes specialization in cybersecurity.

Technology is the lowest expertise type among ASX 300 boards 

45% of ASX 300 boards have directors with technology expertise, much higher than among S&P 500 boards, but significantly lower than the share for every other type of expertise present on boards within the index.

[Figure: Expertise ASX 300 boards]

A survey conducted by Proofpoint, which polled more than 1,400 CISOs from organisations across industries and countries, including the US, Australia, Canada, the UK, France, Germany, Italy, Spain, Sweden, the Netherlands, the United Arab Emirates, Saudi Arabia, Japan and Singapore, suggested that CISOs from Australia are less prepared for cyber-attacks. Approximately eight out of ten Australian-based Chief Information Security Officers (CISOs) find that their business at this stage is unable to identify, prevent and recover from a cyber-attack.

Technology expertise ranks at the lowest level among Nikkei 225 boards

[Figure: Expertise Nikkei 225]

Although Nikkei 225 boards have the highest percentage of technology expertise compared to the S&P 500 and the ASX 300, technology still ranks lowest among all types of expertise in the index.

Australia 

The current government has proposed legislation that could impose on companies a maximum fine of up to AU$50 million, 30 per cent of the company’s adjusted turnover, or three times the value of information illegally acquired through data and security breaches, whichever is higher. Previously, a Privacy Act violation carried a maximum penalty of up to AU$2.2 million.

This was recommended by the federal government following the large-scale cyberattacks. The government states that personal data and customer privacy should be safeguarded properly, and that the previous penalty value could easily be ignored by bigger companies.

Japan 

Japan’s Corporate Governance Code focused on financial risk management and climate change-related issues, which are not to be discounted. However, we find that Japan is currently trailing the US and Australia when it comes to dedicated regulations to enhance boards’ oversight of cyber and mitigate technology-related risks. Data currently suggests that an average of 1,018 cyberattacks per company occurred each week between January and March 2023.

The International Comparative Legal Guide report recommended that companies develop cybersecurity frameworks to safeguard against cybercrimes. These frameworks include appointing CISOs to boards, regularly reviewing incident reports and carrying out vulnerability tests.

About the author

Data Services Specialist, Diligent
