10 steps to effective board leadership on cyber security

How Boards can clear the path for effective cyber risk management.

You don’t have to be an expert to ask the right questions.

In just a few years, cyber has transformed from the nerd in the corner into the Kim Kardashian of risk. Everyone, it seems, has an opinion on the issue. That’s because it’s serious — businesses can be built on, and destroyed by, cyber risk.

The World Economic Forum’s Global Risks Report has consistently ranked cyber attacks among the top seven risks facing the planet in terms of likelihood and impact, while high-profile CEOs including Warren Buffett of Berkshire Hathaway and Jamie Dimon of JPMorgan Chase see them as the number-one threat to business.

Despite this, a 2019 poll of 1,300 large international organisations by insurance broker WTW found that only 11 per cent of boards have taken direct responsibility for their firms’ cyber security.

Although the private sector’s investment in protective tech and compliance has increased, few business leaders have a clear understanding of cyber risk and confidence that the necessary safeguards are in place at their firms.

By definition the Board of Directors is not hands-on, yet directors have a huge role to play, and boards can take practical steps to improve their cyber leadership and reduce their organisation’s cyber security risk.

Here are my top 10 actions boards and non-executive directors can take today, to find a path forward for board leadership on cybersecurity.

1. Lead from the front

Effective cyber security requires strong leadership, starting from the board and extending to the executive overseeing this critical business function.

In many organizations, this sequence is oddly reversed, with boards relying on their security leaders for direction and goals instead of setting them under the executive leader’s advice, as they would for other areas such as marketing or finance.

Engage with your cyber executive to outline the organizational threats comprehensively.

Subsequently, offer clear, precise directives on the urgency of addressing these concerns and the acceptable risk threshold. If you are not sure what’s best, ask your CISO for options, then pick the one that aligns best with your risk appetite.


2. Talk to your CISO

Few chief information security officers (CISOs) have a close relationship with the board in their organisations as many do not report to it directly.

Meanwhile, the chief information officer, with a distinct mandate, commonly oversees cybersecurity at the highest level, leading to potential clashes between IT operations and security goals.

Boards stand to gain valuable insights from observing how security and technology leaders collaborate, so engage both of them: you get a fuller perspective and a healthier level of challenge.


3. Ask all the right questions

When assessing your firm's resilience, it is crucial to engage with your security leader for a comprehensive understanding. Tap into their expertise by inquiring about the specifics: identify the data systems and assets, pinpoint their locations, and determine their criticality.

Investigate the potential risk scenarios that pose significant concerns, understand the efficacy of existing controls in mitigating those risks, and establish protocols for promptly detecting and responding to security breaches.

Prepare contingency plans for worst-case scenarios and evaluate the organization's recovery capabilities.

Additionally, consider forming a dedicated committee or involving existing audit and risk committees to provide oversight and insights to the main board. Use the insights from these discussions to inform your strategic analysis and decision-making processes.


4. Demand clarity in reporting

Recent research has identified a significant interest in increasing investments in cyber security among 96 per cent of board members. However, there are barriers preventing this intention from being realized. One issue lies in the qualitative nature of security reporting, where seemingly simple terms like "high," "medium," and "low" risk can lead to varied interpretations and outcomes that may not align with business objectives.

To address this, it is essential to prioritize risk assessments that provide quantifiable insights into the probability and consequences of potential cyber security breaches. By understanding the potential costs associated with an incident, boards can make informed decisions regarding their security investments and ensure that the reported information is accurately understood and acted upon.


5. Skill up your non-executive team

Not every company needs a dedicated “cyber NED” director, but it is crucial to have someone on the board who has enough experience and knowledge to ask the right questions of the specialists, and enough knowledge in the rest of the board to have an informed conversation about business risk.

It helps to have someone with relevant experience: that person could have led an executive-level response in the past or observed how other firms’ boards approached a cyber incident.

The challenge here is to get the appropriate skills on your board. Don’t assume that your most technically literate board member, such as a former chief information officer, will automatically fulfil this role. Instead, assess the capabilities of the board and form a plan to address any gaps in knowledge.


6. Play your part in simulations

Our research indicates that only 13 per cent of board members feel they have learnt from the security mistakes their firms have made. A key contributor to this is a lack of understanding about how to handle a crisis. All companies should regularly test their readiness.

This can be done as a desktop exercise, but it’s better if you make it as real as possible. For instance, the IBM X-Force Command Cyber Tactical Operation Center offers a training platform that can run full-scale simulations of cyber incidents. A board member should get actively involved in such exercises to practise how to respond.


7. Have a clear cyber incident communications plan

Serious cyber incidents will hit the headlines, so you need to have a media management strategy ready to limit any reputational damage.

Baroness Dido Harding, TalkTalk’s CEO in 2010–17, sought to do the right thing by making a prompt public announcement when a cyber attack in 2015 compromised the details of millions of customers, yet she still had to handle intense criticism.

Bring in a public relations specialist or crisis management adviser, choose scenarios that most concern you and then stand in front of a camera and, with their help, practise how to handle a grilling from the media.

8. Focus on the human aspects

Cyber risk is seen as an IT issue, but our research shows that 90 per cent of incidents leading to cyber insurance claims resulted from human behaviour.

Your HR, IT and security teams should work together on this — discuss how your company’s culture supports cyber security and risk management.

Boards often ask if their company does cyber training, but how do you know it actually works and is not just an annual tick-box exercise?


9. Challenge risk transfer strategies

Cyber insurance is not a get out of jail free card, but many simply accept it at face value. Insurance can help reduce the immediate costs when incidents occur, but really only smooths these costs out over several years.

You need to look at the reasonable worst-case scenario rather than the ‘average’ year to make sure you have sufficient cover, and you need to have the right controls in place or insurers may not pay out. With more cyber incidents relating to geopolitical conflict, war exclusions are a growing issue.

And your insurer may have different ideas to you on how to respond or which support providers to use. Finally, if you do take out insurance and criminals find out, that can make you a more attractive target — so the best cyber policy is a carefully designed and confidential one.
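Steps 4 and 9 both ask for numbers rather than labels: a quantified probability and consequence of a breach, and a reasonable worst-case year rather than an average one. The following is an added illustration, not part of the original article or any vendor’s method. It simulates annual losses for two constructed scenarios (incident frequency as a Poisson count, cost per incident as a lognormal amount) and reports the figures a board can act on: the expected annual loss, the 95th and 99th percentile years, and how much of the 95th percentile year would sit above a given insurance limit. The scenario names, frequencies, loss figures and the insurance limit are all made up for the example.

```python
"""Quantified cyber-loss figures for a board report (constructed example)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk scenario expressed in numbers instead of 'high/medium/low'."""
    name: str
    incidents_per_year: float   # expected frequency (mean of a Poisson count)
    median_loss: float          # median cost of a single incident, currency units
    loss_spread: float          # lognormal sigma; larger means a fatter tail


def poisson(rng: random.Random, mean: float) -> int:
    """Sample how many incidents happen in one year (Knuth's method, fine for small means)."""
    limit = math.exp(-mean)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(scenarios, years: int = 20_000, seed: int = 7):
    """Return an ascending list of simulated total loss for each simulated year."""
    rng = random.Random(seed)  # fixed seed so the report is reproducible
    losses = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(poisson(rng, s.incidents_per_year)):
                total += rng.lognormvariate(math.log(s.median_loss), s.loss_spread)
        losses.append(total)
    losses.sort()
    return losses


def percentile(sorted_losses, pct: float) -> float:
    """Nearest-rank percentile of an ascending list."""
    rank = math.ceil(pct / 100 * len(sorted_losses)) - 1
    return sorted_losses[min(len(sorted_losses) - 1, max(0, rank))]


def board_summary(sorted_losses, insurance_limit: float) -> dict:
    """The figures a board needs: average year, reasonable worst case, and cover shortfall."""
    expected = sum(sorted_losses) / len(sorted_losses)
    p95 = percentile(sorted_losses, 95)
    p99 = percentile(sorted_losses, 99)
    return {
        "expected_annual_loss": expected,
        "reasonable_worst_case_p95": p95,
        "extreme_case_p99": p99,
        "uninsured_at_p95": max(0.0, p95 - insurance_limit),
        "quiet_year_fraction": sum(1 for x in sorted_losses if x == 0) / len(sorted_losses),
    }


# Constructed scenarios: the numbers are illustrative, not benchmarks.
SCENARIOS = [
    Scenario("Ransomware outage", incidents_per_year=0.3, median_loss=500_000, loss_spread=1.0),
    Scenario("Customer data breach", incidents_per_year=0.1, median_loss=300_000, loss_spread=1.2),
]

if __name__ == "__main__":
    summary = board_summary(simulate_annual_losses(SCENARIOS), insurance_limit=1_000_000)
    for key, value in summary.items():
        shown = f"{value:.0%}" if key == "quiet_year_fraction" else f"{value:,.0f}"
        print(f"{key:28s} {shown}")
```

The useful board conversation is the gap between `expected_annual_loss` and `reasonable_worst_case_p95`: an insurance limit sized to the average year can leave most of a bad year uncovered, which is exactly the point step 9 makes. The inputs (frequency, median loss, spread) are the things to ask your CISO to estimate and defend, and the model is deliberately simple so that the assumptions stay visible.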


10. Plan for ransomware

Ransomware is a particular evil because it renders data unavailable or harms its integrity. This can be much more operationally disruptive than data loss.

Unfortunately, every time a ransom is paid we encourage the criminals to come back for more. Yet when an incident happens we can feel under pressure from shareholders or insurers to pay.

Instead, define and communicate to stakeholders in advance what you would do. Explain why you would not pay, or when you might, and be clear that you understand the implications either way. Inform your insurance company of your policy to make sure you will be covered if you refuse to pay.

With advance stakeholder support, you can make strong and rapid decisions that customers and shareholders will respect and understand as being in the best long-term interest of the company.

At the same time, reduce the operational risk by making sure you have segregated backups that can be quickly restored. Ask your CIO and CISO for a plan for ‘recovery from zero’ — no data, no equipment — and make sure the company would survive it.


As a NED myself, I understand this challenge. The above steps can all be taken relatively quickly, and will put your board in a strong position to lead on cybersecurity, as well as providing confidence to your stakeholders and support to your cyber security leaders.


This article is an updated version of an article that first appeared in the UK Institute of Directors’ Director Magazine, and includes further recommendations led by reader feedback that were not included in the original article. Please share your thoughts in the comments below, and I will answer all questions asked.
