Renewed Focus on Cyber Security and Data Resilience: What Boards Need to Know

Cybersecurity is no longer a purely technical issue; it is a boardroom priority. In late 2024, the Australian Institute of Company Directors (AICD), in partnership with the Cyber Security Cooperative Research Centre (CSCRC), released an updated version of its Cyber Security Governance Principles (Version 2).

As highlighted in the AICD’s article, “Renewed focus on cyber security and data resilience”, these updates reflect the intensifying threat environment and the heightened expectations on directors to demonstrate leadership in resilience and risk oversight.

The Governance Shift

The refreshed guidance urges boards to broaden their approach:

  • Digital supply chain risks — ensuring visibility of, and resilience within, third-party providers.

  • Data governance — knowing what data is collected, stored, and shared, and how it is protected.

  • Incident readiness — not just preparing technical responses, but building organisational cultures capable of transparent communication and recovery after a breach.

Tools for Directors

One of the strengths of the AICD’s latest work is its practicality. As the article notes, the revised principles include:

  • Checklists for boards and executives.

  • “Red flags” to watch for in governance and reporting.

  • Tailored guidance for SMEs and NFPs.

  • Case studies from experienced leaders to highlight what good looks like in practice.

These resources make it easier for directors to translate complex cyber risks into manageable governance actions.

Talent and Leadership Implications

From our vantage point in executive recruitment, these changes are more than compliance updates. They are reshaping the expectations of senior leaders.

Boards and organisations are now actively seeking executives who bring cyber literacy — even outside of traditional CIO or CISO roles. CFOs, COOs, General Counsel, and Directors are expected to understand cyber resilience and ask the right questions.

The reality is that there is a shortage of talent with deep cyber and governance expertise. Many organisations are responding by:

  • Upskilling existing executives through board education programs.

  • Recruiting from adjacent industries where cyber maturity is stronger.

  • Ensuring that at least one board director has credible cyber risk oversight skills.

For candidates, this means that demonstrating awareness and capability in cyber governance is becoming a differentiator at the executive level.

Questions Boards Should Be Asking Right Now

A useful starting point for directors is to ask:

  1. Do we know our critical suppliers and how they manage cyber risk?

  2. Have we tested our incident response plan in the past 12 months?

  3. Who in our leadership team has clear accountability for cyber resilience?

  4. How confident are we in our data governance framework (retention, disposal, classification)?

  5. Do we have the right skills at the board and executive level to oversee cyber resilience?

Beyond Technology: Risk Culture

Cyber resilience is not only about technology. It is about people, culture, and communication. A strong cyber response plan fails if leaders are not prepared to communicate clearly with stakeholders, manage reputational risk, and support employees through disruption.

Boards should see cyber security as part of their broader risk culture — alongside workplace safety, financial resilience, and stakeholder trust.

Next Steps for Executives and Boards

For those looking to act on the updated AICD guidance, a practical roadmap includes:

  1. Educate the board — schedule a session on the updated Cyber Security Principles.

  2. Audit your supply chain — map vulnerabilities and dependencies across vendors.

  3. Review board composition — identify gaps in cyber literacy and address them.

  4. Embed resilience training — run tabletop exercises to test crisis responses.

  5. Align with regulatory reform — ensure compliance with changes to the Privacy Act, critical infrastructure obligations, and cyber incident reporting.

As the AICD article makes clear, cyber resilience is now central to good governance. Boards can no longer afford to treat cyber risk as an IT issue — it is a leadership challenge.

At Be Executive, we see firsthand how cyber literacy is becoming a differentiator in senior appointments. Boards and organisations that invest now in the right people, culture, and governance practices will be better placed to weather the next wave of cyber challenges.

At Be Executive, we work with boards and executive teams to identify, attract, and retain leaders who bring the skills needed for today’s challenges, including cyber resilience and governance. If you’re reviewing your board composition, succession planning, or executive capability in light of the updated AICD Cyber Security Principles, we’d welcome a conversation.
