Effective cyber security relies on support and investment from your board. However, board engagement varies across firms, with the latest Cyber Security Breaches Survey highlighting that cyber security governance tends to be more advanced in larger organisations: 53% of large businesses have board members or trustees holding cyber security responsibilities as part of their role, compared with 30% of all businesses.
Fulfilling cyber security obligations depends on having an accurate understanding of your risks and security posture – and the background knowledge to make sense of it. Your Chief Information Security Officer has an integral role to play to support your board and help boost governance processes.
The NCSC Cyber Security Toolkit for Boards was published in 2020 to help board members make sense of cyber security data, give them greater context to interpret it and provide more scope to offer effective challenge. According to the Cyber Security Breaches Survey, however, the board members of just 21% of medium businesses and 30% of large businesses are aware of it.
Making sense of cyber security data is only part of the problem. You need to present the board with the right information and in a meaningful way. Cyber teams often present data that is too broad and quantitative in nature, making it difficult for boards to understand how cyber risks can crystallise and the real-world impact they can have. Painting a realistic picture of your cyber security threats and risk management will strengthen your firm’s cyber security profile.
Chief information security officers (CISOs) tend to lead board presentations, but there's a potential conflict here. Governance structures often inadvertently incentivise CISOs to positively portray cyber risk management and downplay the negatives. Boards don’t need assurances that everything’s rosy. What they need is an accurate picture of current cyber threats, associated risks and mitigating controls so they can make informed strategic decisions.
If the board doesn’t know there’s a problem, they won’t be able to help the cyber team address it.
Next, there’s the issue of what information you’re sharing. Effective governance relies on effective challenge, so it’s crucial to deliver the information in an accessible and meaningful way. When presenting to the board, CISOs often focus on the number of vulnerabilities identified and exploits they've prevented. While this information can help the board understand the scale of the issue, it isn’t necessarily the most valuable data for decision making.
What the board really needs is an overview of critical risks to the business, with a breakdown of what’s been remediated and what hasn’t. They need information on the kind of cyber threats facing the organisation, emerging risks, and what happens if those risks crystallise. They also need a view on whether residual risks fall within the firm’s risk appetite. This is crucial as it helps board members understand cyber security within the context of the firm’s wider risk profile, risk appetite and strategic goals.
For example, a list of prevented exploits doesn’t help a financial services firm understand the risks around operational resilience or data protection. But a detailed breakdown over the rise of ransomware, and how many steps it could take an attacker to access personal data or take a critical service offline, does. Moving the discussion away from statistics and on to the key risks, can help focus your board’s attention and investment in the right place, improving the maturity of the cyber security function.
The cyber team is one of many departments across the organisation, and it’s the board’s job to take information from each one to develop a strategy. To support this, your CISO's role is two-fold: to deliver accurate information to inform the strategy, and to take the necessary action to deliver it. It’s important to keep both roles in mind when working with the board, and when allocating responsibilities across the cyber team. Clear accountabilities are essential to track critical remedial actions, and to ask the difficult questions if cyber performance doesn’t hit the quality benchmark.
Achieving the strategy also relies on co-ordination with other departments. Cyber teams can sometime be siloed and other teams often have limited understanding of their work, beyond mandatory training courses. Setting up interdepartmental groups to share knowledge and build trust can help align activities toward the same end goal.
While mandatory training courses can add significant value to individuals’ understanding of cyber risk, they may not be enough on their own. It’s essential to provide regular training opportunities and open forums to share cyber knowledge in a way that is relevant, targeted and accessible to each specialist team. This needs to be supported by the right culture, set at the top and cascaded down to help your cyber team engage others across the organisation. The right culture can empower employees to raise incidents without fear of reprisals.
Training isn’t a one-way street, however. While it’s important to build cyber security knowledge across the organisation, the cyber team also needs to understand what the rest of the business does and how they fit into that. For example, some cyber teams may not know much about the regulatory landscape or why they need to. A basic understanding of key regulations, such as operational resilience or a move towards digital regulatory reporting, is invaluable. It can give your cyber team context over why some activities have been prioritised by the board and help effectively manage workloads. It can also help your cyber team future-proof their processes, outsourcing arrangements and current technology. Ultimately, it will also inform your CISO’s reporting to the board by helping to identify the information that genuinely represents the current threat level and adds value for governance purposes.
Your cyber team has a critical role in supporting good organisational governance. To achieve this, you need to think about how you work with the board and support their work.
What to consider:
Focusing on the above can boost the maturity of your cyber function, improve board level oversight and support firm-wide strategic goals.
For more insight and guidance, contact Ankur Aeran.
