Technical dashboards are failing Australian boards. They present data without context, creating a dangerous illusion of security while exposing directors to personal liability.
This is not a technical problem; it is a governance failure. For Australian directors in 2026, the challenge is to move beyond the metrics that comfort IT teams and establish the defensible oversight that satisfies regulators and protects the organisation. The Cyber Security Act 2024 (Royal Assent November 2024), whose mandatory ransomware payment reporting obligations are now in force with full enforcement from 1 January 2026, sits alongside the existing directors' duties in the Corporations Act 2001 and makes this responsibility explicit. The focus has shifted permanently from technical prevention to demonstrable, board-level governance of a critical business risk.
Table of Contents
- The Visibility Gap: Why Technical Dashboards Fail Boardroom Scrutiny
- Establishing a Defensible Position: Governance Reviews and Incident Simulations
Redefining Cyber Risk as a Fiduciary Duty
For too long, boards have delegated cyber risk to the IT department. This approach is no longer tenable. Digital resilience is now a core pillar of corporate governance, equal in importance to financial and operational oversight. It is the board’s mechanism for ensuring the organisation can withstand and recover from digital disruption while protecting shareholder value. Your fiduciary duty demands you understand and govern this risk directly.
Defensible oversight is the paper trail of your diligence. It is the documented evidence that the board actively engaged with cyber risk, challenged assumptions, and made informed decisions based on business impact, not just technical data. It moves you away from passive compliance and towards active risk management. This is the standard to which regulators like ASIC and APRA will hold you. They do not expect you to be a technical expert. They expect you to be an expert in governance.
The core of this responsibility lies in asking the right questions. It requires a fundamental shift in perspective. The board's role is not to manage security but to ensure that security is being managed effectively and that the residual risk is understood, quantified, and formally accepted.
Aligning with AICD and ACS Governance Standards
Your duty of care and diligence is not abstract. It is benchmarked against established professional standards. The Australian Institute of Company Directors (AICD) publishes governance principles that frame director responsibilities, including principles specific to cyber security governance. Demonstrating that your board's oversight processes align with these principles is a critical element of a defensible position.
Furthermore, the Australian Computer Society (ACS) maintains professional standards for technology practice and governance. Directors are not expected to hold these technical qualifications, but awareness of the standards helps the board set expectations for its executive team and gives it a yardstick for judging whether the information it receives is robust, complete, and fit for purpose.
This is where independent advisory becomes essential. An internal CISO or IT team, no matter how competent, has an inherent conflict of interest. They are reporting on their own performance. To truly fulfil your oversight duty, you need an external, unbiased view that can validate internal reporting and speak the language of the board. This protects directors from potential conflicts and ensures the advice you receive is free from internal operational pressures.
The Visibility Gap: Why Technical Dashboards Fail Boardroom Scrutiny
The most common failure I see in board reporting is the visibility gap. It is the chasm between what IT teams report and what the board actually needs to know. Your CISO presents a dashboard showing thousands of blocked attacks, a 98% patch rate, and 100% system uptime. These metrics are operationally useful but strategically meaningless. They do not tell you anything about the potential impact on the business or the extent of your liability.
This failure stems from a lack of translation. Technical metrics are not business risks. The board needs to understand the residual risk to core business objectives, not the volume of malicious traffic blocked at the firewall. Without this translation, you are making decisions in the dark.
To bridge this gap, I advise directors to apply a simple diagnostic lens to every report they receive:
- The Metric Presented: What data is being shown? (e.g., "9,000 phishing emails blocked.")
- The Unanswered Question: What does this data not tell me? (e.g., "How many emails got through? What was their potential impact?")
- The Governance Reality: What is the actual business risk this metric hides? (e.g., "A single successful phishing attack on a finance executive could lead to a catastrophic financial loss and regulatory breach.")
- The Director's Question: What must I ask to expose this reality? (e.g., "Show me the results of our last phishing simulation on the executive team. What is our plan if the CFO's credentials are compromised?")
- The Defensible Action: What decision or action item needs to be recorded in the minutes? (e.g., "The board has requested a review of executive access controls and will oversee a new simulation within 90 days.")
Using this five-step framework transforms a passive reporting session into an active governance exercise. It forces the conversation to pivot from technical activity to business accountability and creates the documented diligence you need. For more on this, I have written previously about how to structure cyber risk reporting to the board.
From the Boardroom
I once sat on a board where the CISO presented a flawless report. Every metric was green. System availability was perfect, patch compliance was near 100%, and the security budget was underspent. The audit committee chair was pleased. It looked like a textbook example of a well-managed function.
I asked a single question: "Can you walk us through the assumptions in your risk model for our primary revenue-generating platform?"
The CISO, a brilliant technical expert, was unprepared. The conversation quickly revealed that the risk model was based entirely on system uptime. It assumed that as long as the platform was online, no material financial damage could occur. It completely ignored the risk of data integrity failure, where a malicious actor could subtly alter transaction data over months, causing irreparable reputational damage and customer lawsuits. The green dashboard told us the lights were on, but it told us nothing about what was happening inside the room.
That moment was a stark lesson. The executive team was focused on preventing a system outage, a visible and immediate crisis. The board’s duty was to govern the silent, more catastrophic risk of data corruption. We immediately commissioned an independent review of the risk model. The outcome fundamentally changed how we funded and governed cyber security, moving from a focus on availability to a focus on integrity and resilience. It proved that the most important risk is often the one your dashboards are not designed to see.
Establishing a Defensible Position: Governance Reviews and Incident Simulations
A paper trail of diligence is your best defence. Proactive governance reviews and realistic incident simulations are the two most powerful tools a board has to build this defence. They provide irrefutable evidence that the board took its oversight responsibilities seriously before an incident occurred.
An independent governance review assesses the effectiveness of your oversight framework. It is not a technical audit of your firewalls. It is an examination of your board papers, committee charters, risk appetite statements, and decision-making processes. It answers the question: "If we suffered a major breach today, could we defend our past actions and decisions to a regulator?" This is different from a compliance audit, which only confirms whether a control exists. A governance review tests whether that control is actually effective and understood at the board level.
Board-level incident simulations are equally critical. Most organisations rehearse technical and operational responses, but they rarely test the board’s decision-making under pressure. A proper board simulation forces directors to confront the difficult questions that arise in the first 48 hours of a crisis:
- Do we pay the ransom?
- When do we notify the Australian Cyber Security Centre?
- What is our disclosure obligation to the ASX?
- How do we manage communication with customers and the media?
Making these decisions in a simulated environment, guided by expert facilitators, is invaluable. It exposes gaps in authority, communication, and understanding before a real crisis forces your hand. The lessons from these simulations often lead to crucial improvements in governance and response planning, and the record of having run them forms a key part of your defensible position if a regulator later examines the board's conduct or you find yourself negotiating a settlement.
The Strategic Audit for Boards
A focused, high-impact governance audit provides the clarity boards need without creating unnecessary operational drag. It is designed to be a strategic tool, not a bureaucratic exercise. By concentrating on the key artefacts of governance (meeting minutes, risk registers, and board reports), it quickly identifies the critical gaps between management reporting and the board's legal obligations.
This process is particularly important as boards grapple with emerging digital risks beyond cyber security, such as the governance of artificial intelligence. Establishing a robust framework for one provides a strong foundation for the other. Independent advisory is key to this, bridging the knowledge gap between the technical teams implementing controls and the directors who are ultimately accountable for their effectiveness. This ensures the board is equipped not just for today's threats, but for the evolving digital landscape.
Frequently Asked Questions
What is the difference between cyber security and cyber governance? Cyber security is the technical and operational practice of protecting systems and data. It is the responsibility of management and IT teams. Cyber governance is the board-level framework of oversight, accountability, and decision-making used to ensure that security efforts are aligned with the organisation's risk appetite and strategic objectives. It is the non-delegable responsibility of the board.
Can Australian directors be held personally liable for a cyber breach? Yes. Liability stems from a breach of director duties under the Corporations Act 2001, in particular the duty of care and diligence in section 180, rather than from the cyber incident itself, but regulators are increasingly focused on board oversight. If a board is found to have acted without due care and diligence in governing cyber risk, ASIC can seek civil penalties and disqualification orders. A defensible governance framework is the primary protection against such actions.
How often should a board conduct a cyber incident simulation? I recommend boards conduct a director-level simulation annually. The threat landscape and regulatory environment change rapidly, and key personnel can turn over. An annual exercise ensures that the board’s decision-making processes remain sharp, relevant, and aligned with the current risk profile of the organisation. It should be treated with the same seriousness as a financial audit.
What are the key cyber security reporting requirements for Australian boards in 2026? Under the Cyber Security Act 2024 (Royal Assent November 2024), businesses with an annual turnover exceeding $3 million, along with responsible entities for critical infrastructure assets, must report ransomware and cyber extortion payments to the Commonwealth within 72 hours of making the payment. The obligation has been in force since May 2025, with full enforcement from 1 January 2026, and the Act limits how the reported information can be used against the reporting entity. These obligations sit alongside existing notifiable data breach, ASX continuous disclosure, and APRA prudential reporting requirements.
If this is a conversation you believe your board should be having, I am available to discuss it.
I offer a Cyber Governance Deep Review.
aradvice.com.au/contact.html
I have founded and exited two technology companies. I founded Field Solutions Group, served as Group CEO for a decade, and led the ASX listing in 2017. During that time I held direct board accountability for cyber risk, ISO 27001 certification, and governance at the listed company level. I have also served as Deputy Chairman of a federally funded Cooperative Research Centre.
I am a Member of the Australian Institute of Company Directors (AICD) and the Australian Computer Society (ACS), holding the ACS designation MACS (Snr) CP (Cyber), and am a Member of ISACA.
