Cyber security for non-executive directors
This article was first published in SC Magazine
Non-executive directors (NEDs), even those without responsibility for cyber security, are increasingly required to have a high level of awareness of the potential threats in order to manage risks within their organisations. The challenge they face is that many of them have backgrounds in finance, operations or leadership rather than cyber security, and have not received external training in it. That makes it harder for them to carry out these new responsibilities effectively.
However, there are three straightforward steps NEDs can take to increase their cyber security awareness without having to acquire a detailed knowledge of the company’s IT systems.
Find out your organisation’s external cyber obligations
The first is to make sure they understand the evolving regulatory, insurance and legal obligations as they relate to cyber risks. Most of these require leaders to treat cyber security with the same level of importance as they would more traditional risks such as financial or capital risk. For example, the recent General Data Protection Regulation requires institutions to deploy appropriate organisational and technical controls to keep personal data secure, and exposes them to substantial fines if they fail to do this effectively.
Many regulators are also increasing the breadth and depth of their cyber security requirements. The Council for Registered Ethical Security Testers (CREST) has said that up to 350 financial services firms will have to show their resilience to a cyber stress test, an increase from 34 in 2019. NEDs with a strong, strategic understanding of cyber security will be at an advantage as this becomes a duty of care under the Companies Act (2006). They should be supported in this work by regular briefings from their in-house legal teams to ensure they understand their obligations. This knowledge can then be used to contextualise, challenge or accept assurances about future cyber security progress when the issues are raised at Board meetings.
Clear reporting from your team is key
It is particularly important that the reports NEDs receive provide clear, strategic and straightforward information. Some directors say they are not receiving any reports at all, but even those that do often find that they are overwhelmed by cyber security jargon in the papers. If information is too technical or poorly presented, it is harder to challenge, and this creates risks for the organisation. NEDs should therefore challenge reports that are unclear or unhelpful.
The most useful reports are short summaries covering the three highest security risks facing the organisation. These should be set in context with a view of how any organisational and technology changes may affect those risks. They should also set out progress towards cyber security maturity, including any work to align the organisation to a recognised framework or standard such as the NIST Cybersecurity Framework, ISO 27001 or Cyber Essentials Plus. In addition, details of any competitors which have been affected by incidents or near misses will help NEDs understand the risks.
Observe a simulation
The final action a NED can take to improve their awareness is to observe a simulated cyber incident. These simulations provide one of the most powerful ways of understanding how well an organisation is prepared for a cyber security breach. Usually, an external team carry out a desktop exercise using a reasonably likely scenario, such as an external attacker successfully penetrating the organisation’s defences.
These exercises often reveal failures in strategic decision making or leadership awareness that can lead to slower containment of an incident or to the incident becoming larger. They also highlight where there are gaps between an organisation's cyber security strategy and its operational processes, and which of those gaps are being exploited. Simulations can then reveal where incorrect assumptions have been made, in either detection or prevention. This gives NEDs an awareness of how incidents occur and develop, and an understanding of some of the time and knowledge pressures that organisations face when under attack, which will inform any Board discussion of the organisation's cyber response.
This will then help them play their part in meeting the growing expectation from regulators for firms to treat cyber security in the same way as any other key business risk. NEDs who have a strong understanding of the key risks to their organisation in managing cyber security will be better placed to provide the right advice, challenge and support.
Luke Vile is a cyber security expert at PA Consulting