I was recently asked to review the National Cyber Security Centre (NCSC) Board Toolkit. If you’ve not read it yet, it is well worth doing so – but I’ve pulled out some key themes below.
There is growing evidence that cyber security is now a prominent Board issue. In the past six years, the percentage of directors and equivalent that consider cyber security a business risk has risen from 69% to 82% [1]. According to recent surveys [2] [3], cyber security is the most challenging issue to oversee, as directors need to be able to ask second-order questions of the CISO. But such expertise is unlikely to exist through formal training – only 2% of Board members rank cyber expertise as the highest recruitment priority[4]. Of Directors who joined the S&P 500 in 2021, less than 4 percent have experience leading a function such as cyber or IT.
OK, enough statistics.
Addressing the expertise challenge
NCSC’s Toolkit aims to help develop relevant expertise and enable the right conversations within organisations, offering a brief introduction to cyber, then signposting where more information can be found. But the Toolkit demonstrates that discussing cyber issues at a high level does not require deep technical expertise. Boards are typically already competent at managing complex risks based on legal, financial or geo-political issues, with not everyone a trained lawyer, accountant or diplomat.
Work out what you care about the most
Cyber teams cannot prioritise security controls without direction from the top. As not all cyber risks can be mitigated, the Board needs to set priorities by considering what is most valuable to the organisation. What are the ‘crown jewels’? What are high impact disruptions? This needs to be an ongoing discussion as Boards will have business insight that technical teams may not, and only by combining this with techie’s insights can you get a full picture of what is important to protect.
Integrate cyber security into your organisation’s objectives and risks
As organisational dependencies on digital are complex and varied, cyber risk overlaps with operational, legal and financial risk. Cyber security therefore needs to be integrated with organisational business processes to be successful. Ultimately, the role of cyber security is to enable the organisation’s objectives and competitive advantage – adding value, rather than hindering progress. This requires a positive cyber security culture and appropriate investment and management of cyber security.
To integrate cyber means learning to adequately answer:
- As a Board, do we understand how cyber security impacts upon our individual and collective responsibilities?
- As an organisation, who currently has responsibility for cyber security?
- As a Board, how do we assure ourselves that our organisation’s cyber security measures are effective?
- As an organisation, do we have an effective and appropriate approach to manage cyber risks?
In summary
The questions, and the Toolkit in general, are designed to drive engagement at Board that is relevant to individual Board members, and drive engagement between Board and the individuals or committees that are created to drive business improvements. The questions demand that a high-level picture of relevant controls and processes is painted, facilitating an ongoing engagement to judge their continued effectiveness and relevance in the wider business context.
References
[4] PWC, 2021
