In the next few months, many information security professionals and CIO’s will be preparing to attend Board meetings across our land in relation to CPS 234. If you haven’t heard of CPS234, it’s a new standard (from the Australian Prudential Regulatory Authority) which governs information security for financial services institutions (You can read more about it here).
APRA has been kind enough to create some urgency around this standard and therefore Information security must become an agenda item for impacted Boards before 1 July in order to be prepared. This is your opportunity to grab their attention and make sure you’re on the Board’s agenda for a proper discussion. This cannot be a 5-minute item where you inform the Board they have new responsibilities and then leave them to read the standard. This has to be ‘day one’ of many catch ups.
While some might say that APRA have no teeth and won’t be coming down hard on ‘regulated entities’, I say – thanks for starting the information security conversation and forcing many departments to work together towards complaince. Whether APRA leverage this standard or not, many organisations who don’t have the basics in place will still assess (and hopefuly address) risk simply by discussing what the new standard requires and measuring themselves against it.
If you have the role of presenting this new standard to the Board, you may find the details of their new responsibility raises concerns or, is met with apathy. Either way, here are a few things to consider when you’re meeting with the Board in relation to CPS234.
The Board are human. While they are senior, seasoned, respected members of your organisation, the new standard still needs to be broken down into detail they can understand. Your role in explaining this is just as important as theirs in understanding it.
Know your audience. Make sure you are pitching your message at the right level to ensure they understand the role they play. (and see item 1)
Brief them early. Provide details for the Board to read/listen/consume before the Board meeting. This way, the meeting will only be for questions and clarity rather than trying to dissect the standard when you meet.
Be available. Offer to meet 1:1 or make your team available. There will be areas that cant be covered in your short agenda item and the Board may have more questions.
Be Positive. This is not a life sentence. It’s a responsibility for the business that needs the most senior leaders to establish, embrace and endorse. Be up beat about what your organisation has achieved and how it’s going to continue to meet (read exceed) expectations.
Not only is this an opportunity to put the board at ease in relation to CPS234, it is an opportunity to arm the Board with the information they need to feel confident about their new responsibilities and to renew information security as a Board priority and organisational priority.
How are you preparing to update the Board and ensure they fully understand their new responsibilities under CPS234?
Keen to chat more about briefing the Board on CPS234? Contact me here
Read more blogs here
Buy my book here
Sign up for my newsletter here