Yip said boards are often briefed about risk exposures, but it is vital to make sure this is done in plain language.
“That’s what a lot of security teams have issues with – translation,” he said. “Particularly the technical teams on the ground… telling people who aren’t necessarily technical… what it does for the risk profile and the things that can happen if a breach occurs.”
Yip said appropriate corporate spend on cybersecurity varied by sector.
“It can be anywhere from 3 per cent of the IT budget up to about 10, 15, 20 per cent,” he said. “There are arguments for what’s appropriate and what isn’t.”
“I think it comes down to the risk profile.”
Yip also touched on the questions boards should be asking their technologists about cybersecurity and what they should be briefed on. Listen to the podcast above to find out more.
Paul Burrow is Security Capability Uplift Manager at ANZ