Making Cyber Security a Board Level Conversation

As I sit down and write this article, I am having a hard time trying to think of any businesses or industries that have not been disrupted by technology or do not rely on digital technology to function.

We’re in the midst of a digital revolution with new entrants and existing organisations exploiting the opportunities that technology brings. They are disrupting their marketplaces and delivering better/faster/easier through innovation. Clearly, this has taken a considerable investment in money, time and resource; in some cases it would have been critical for survival. Big decisions, board level/stakeholder decisions and long-term investments into visions for the future.

We understand digital transformation and business. However, we don’t always consider what we need to do to protect that vision and investment. From my perspective, this is why cyber security is fundamental to an organisation’s ongoing ability to trade and be competitive. Cyber security enables an organisation to protect that vision and competitive advantage; it enables us to protect the ability to function and ensures organisations can continue to exploit the opportunities that technology brings.

If you follow that logic, then I’ll push the point home that cyber security is fundamental to an organisation’s ongoing ability to trade and be competitive. Or simply, it is in the best interests of the Board of Directors to understand cyber security. We’re not talking about deep, dark technical, latest vendor buzzword knowledge; we’re talking about understanding the risks their business faces, accepting or prioritising those risks and finally managing those risks. At this level we’re talking risk management, financial impact, mitigation and what-if scenarios… Bread and butter to most boards of directors.

I’m not a big fan of FUD (fear, uncertainty and doubt) or scaremongering. However, if that’s not enough to start a conversation, perhaps discuss what risks exist that may impact business stability and resilience, for example:

  • The impact of not meeting industry specific regulations, or GDPR
  • The risk and subsequent impact of becoming the latest high-profile business to attract media coverage due to breaches
  • The risk of a slowdown in sales due to customers not feeling comfortable that you’re doing enough to demonstrate your security posture

It’s not unreasonable for the expectations of partners, shareholders, customers and the wider public to be raised when it comes to cyber security. I’ll say it again, it is in the best interests of the Board of Directors to understand cyber security.

Good cyber security is all about managing risks. The process for improving and governing cyber security is similar to processes already in place for other organisational risks. It is a continuous, iterative process and even the smallest change can have a positive impact on the business.

What should the board be doing?

Accepting that cyber security is the responsibility of the board is a great achievement. In my experience, there are many businesses in the UK that still delegate security down many layers, often to the IT department, where business led and certainly board level type conversations are difficult to start. So if you have the Board talking about cyber security, the next step is to fully integrate security into your organisation’s objectives and risks.

Cyber security impacts across all departments in your business. To have the right level of governance and management, it should be part of ongoing operational risk management and decision making. Think about how your business is structured and you may start to identify risks similar to the ones below:

  • If you look at operational risk, you’ll likely reach the conclusion that you rely on a number of different digital services to run your business, including email, bespoke systems, software etc. All of these systems require cyber security.
  • It would be unusual if you did not have some legal risk; indeed, with the GDPR, we all have regulatory responsibility. In addition, what about your supplier contracts, partnership commitments or other agreements that dictate how you handle your information security or protect data?
  • Financial risk is a big one: cyber-attacks or internal fraud can lead to a loss. We’ve seen a number of these lately; they are very distracting for the business, take time to resolve and require active communications with customers, which can impact trust and relationship.
  • What about people? Who are your targets? Have they been trained? Do they know how to deal with phishing/whaling attempts?

In addition to working through your business layer by layer, you need an integrated approach for it to be successful. You have an understanding of the risks; however, it is not about throwing technology at the problem, it’s about having the right processes in place across the organisation to manage it.

For example, in order to protect against phishing campaigns, you need:

  • a good technical solution to limit phishing or spam emails
  • appropriate training for staff so that they know how to spot phishing emails
  • a process for reporting phishing campaigns and reviewing impacts

Reflect this in your structure

Don’t leave it to one person; cyber security is the responsibility of the entire Board.

A cyber security incident will affect the whole organisation – not just the IT department. For example, it may impact on online sales, impact on contractual relationships or result in legal or regulatory action. There should be sufficient expertise within the Board in order to provide direction on cyber security strategy and hold decisions to account. However, every member of the Board needs enough expertise to understand how it impacts specifically upon their area of focus, and to understand the broad implications for the organisation as a whole.

Engage with your experts

Consider whether your reporting structure enables the Board to have the engagement with cyber security that it needs. If the CISO reports to an intermediary to the Board who has a focus on only one aspect – be that finance or legal or technology – this can potentially hinder the ability for the Board to see cyber security’s wider implications. In the majority of FTSE350 organisations the CISO now reports directly to the Board.

A good place to start on improving cyber security in your organisation is to consider the communication between experts and members of the Board. Getting the structure right can help, but we also often see a reluctance from both parties to engage, because:

  • technical staff think that the Board won’t understand them
  • the Board think that the technical staff are unable to explain the issues in the context of the strategic aims of the organisation

Improving the communication between these two groups requires effort from both sides:

  • Boards need a good enough understanding of cyber security that they can understand how cyber security supports their overall organisational objectives
  • technical staff need to appreciate that communication of cyber risk is a core component of their job and ensure they understand their role in contributing to the organisation’s objectives