Cyber security is a priority for board members and non-executive directors, especially as COVID-19 has shifted and broadened traditional risks. But without specialist knowledge, it can be hard to offer the best governance. To overcome this and create good cyber security governance, board members and non-executive directors can take three actions: build their own understanding through independent training and advice, empower the CISO as a strategic leader with a direct reporting line, and treat cyber security as they would any other enterprise risk, including independent challenge and stress testing.
To be able to robustly challenge the decisions, investments and activities of security teams, you need a good understanding of the information they give you. But it isn’t practical to undertake specialist security certifications and it’s not advisable to rely solely on training from the internal teams you’ll be governing. Instead, look for an external training partner and bring in an independent security advisor to review the information presented to the board.
Many security organisations now provide training for board members and non-executive directors that focuses on the key concepts and risks governance leaders need to understand, enhancing personal or collective capabilities in short sprints. This is also useful for understanding what good cyber governance looks like across other organisations. For example, we upgraded the cyber security decision-making abilities of the board of an insurance management agency through a series of informal training sessions structured around three key knowledge gaps – demystifying basic cyber security terminology, their top five cyber risks and the cyber security regulatory landscape in financial services.
Meanwhile, an independent security advisory panel can observe cyber security presentations to the board, providing key lines of questioning, challenging on your behalf and debriefing you afterwards. Over time, you’ll be better able to identify important questions and scrutinise the answers, with internal teams adjusting quickly to deliver the right information. An external panel can also help promote the success of the company by ensuring you have a complete view of how the cyber security risks under discussion affect the entire organisation.
Key to good governance is a strong level of leadership. To ensure security teams are effective and communicate their activity easily and accurately to board members and non-executive directors, the Chief Information Security Officer (CISO) needs to be a strategic leader, not a technical manager. That means having the CISO report directly to the board (in the same way GDPR requires the Data Protection Officer to report to the highest level of management) and empowering them to build their own teams.
Many CISOs still report to the board indirectly, often through the COO, CRO, CIO or CTO. But this carries an inherent risk of conflicted reporting: the executive in the middle often owns the systems, budgets or operations whose weaknesses the CISO is reporting on, and so has an interest in how that message is framed. A CISO presenting independently greatly reduces the risk that information about key risks is missed, softened or misunderstood on its way to the board. Many organisations provide specialist CISO-board training to help develop this reporting line.
At the other end of your CISO’s responsibilities, you need to ensure they can build the teams they need to deliver. Many organisations are under pressure to reduce headcount, but security teams are often already smaller than other risk management and compliance functions. CISOs need competitive resourcing budgets to build teams that include both security technology experts and business risk specialists. With that team in place, the CISO should be free to spend most of their time on the security agenda of the board rather than on minor technical issues.
This approach proved successful for a financial services company whose CISO hadn’t been able to deliver a cyber security presentation to the board, which was slowing decision-making. Using a shift in security and operational resilience regulation, we created a report on behalf of the CISO for the board, which resulted in permanent CISO representation at board meetings. The key benefit to the board is that the CISO can provide direct explanation of security risk management progress and there is faster decision-making following board meetings.
The nature of cyber security attacks and data breaches is that they are often slow to crystallise, if they are seen at all, and a risk that is not felt tends to attract a light-touch governance model. To ensure cyber security is a clearly defined risk with effective strategic oversight, it’s important to align it to equivalent forms of risk management across the organisation. So, don’t rely solely on internal assurance, and encourage stress testing to uncover hidden problems.
The most effective cyber security governance and oversight models for board members and non-executive directors rely on clear and accurate internal reporting that independent security experts regularly challenge. For example, we recently worked with a financial services firm to independently assess the resilience of their critical business functions. We validated an internal report submitted by the CISO team and, while we found it mostly accurate, our experts highlighted a critical vulnerability in systems the internal team had assumed the critical functions did not depend on in the event of disruption. This increased the trust the board had in their internal team and avoided potential problems in future.
Large organisations have a plethora of systems that don’t always interact well together, and hidden dependencies between them only surface under pressure. The only reliable way to find such problems is through stress testing, which simulates a range of critical scenarios and observes how the organisation actually responds. Stress testing is also a useful way for board members and non-executive directors to get key risk information that’s otherwise hidden in compartmentalised technology structures. Outside experts can also validate the wider security management programme and assure the board that it satisfies both external obligations and the board’s own requirements.
Many board members and non-executive directors have reported feeling exposed by a lack of personal cyber security understanding or available information. In response, some boards have asked for ‘everything’ from their CISO, only to feel overwhelmed by the huge volume of technical information.
A better approach to improving the cyber security governance capabilities of board members and non-executive directors is to embark on training, consult external advisors, empower the CISO and ensure cyber security has the same consideration as other risks.
Doing so will show strategic leaders what information they need to see, and which questions they should ask. It will let CISOs build an effective cyber security team while focussing on the board’s priorities. And it will establish robust cyber security governance.