Business Reporter

Driving cyber-security from the front

Jessica Figueras at CxB explains how your board can be a cyber-security driver, not a passenger

When corporate catastrophe strikes, sooner or later the cry will go up: “Why didn’t the board stop this happening?” Safety failings at Boeing, the collapse of outsourcer Carillion, an exposé of shocking working conditions at Sports Direct, fraud at Enron – their respective boards had to shoulder responsibility for these governance failures. That’s where the buck stops; we all understand that.

So why does this not happen after a major cyber-attack occurs? Worse still, why are some organisations blaming their cyber-security teams for failures without asking the most fundamental question: what was the board doing? 

Something needs to change. After all, boards can and do effectively oversee highly complex, challenging issues outside of cyber-security. Non-executives scrutinise, set priorities and make confident decisions across all issues of strategic importance, whether or not they are specialists in those areas. Boards frequently practise excellent, unsung governance and oversight in the face of extreme uncertainty and adverse conditions.

So why is cyber-security so different?

A lack of curiosity

Boards can be unusually passive when it comes to cyber-security. There are many ways to be a passenger, even for boards which are supportive and encouraging:

  • “I can’t see why anyone would be interested in hacking us.” (We can.)
  • “Our CEO thinks we’re doing fine.” (How would they know?)
  • “Our CTO thinks we’re doing fine and she’s the expert.” (How would you know?)
  • “We automatically say yes to all cyber-related budget requests.” (How can you be certain that those particular investments were the most effective ways to mitigate priority risks?)
  • “We’ve set our risk tolerance for cyber-security breaches at zero.” (In that case, better switch off the computers and stop doing business!)

An effective board needs to be engaged with the topic, which means recognising uncertainty and asking questions. Lots of them. So our next question might be: why aren’t non-executive directors asking more questions about cyber-security?

Drama and intrigue

To my mind, our deeply unhelpful national conversation about cyber-security is partly responsible. It triggers fear about asking the ‘wrong’ questions and looking foolish.

Most non-executives don’t have a technical background. But just like everyone else, we read the news. Cyber-security provides a constant source of click-generating drama and intrigue. 

One recent headline reads: “Cyber-terrorists weaponise AI to bring down UK networks in seconds.” Is it possible to be any more frightening? We hear of “shadowy hacker groups”, illustrated with hooded figures in darkened rooms. The counter-response stories feature plucky cyber-heroes who “plot honeypots to catch hackers”. 

Most coverage is uninformative. We are invited to look on passively while the cyber-security insiders – goodies and baddies – slug it out in cyber-space.

A preoccupation with technology solutions

Board members also absorb information from vendor marketing, courtesy of a booming market for cyber-security solutions, which unsurprisingly feeds a perception that technology is the only real fix.

Your average non-executive director might start to believe the only way they can make a positive contribution is by learning about all the latest zero-day exploits and advanced tooling. Unless the organisation in question has few or no staff, that is probably a recipe for unhelpful micromanagement.

From disempowerment to responsibility

The upshot of this misleading, drama-driven national conversation about cyber-security is to breed a striking lack of confidence amongst directors, and to disempower our boardrooms.

It is time to push back! Your board can and should take up its rightful place behind the steering wheel. 

A board’s focus is governance, not operational details, so the usual guardrails for non-executives apply: you can trust your senior staff, so long as you also verify.

External cyber-assurance takes different forms; it’s not only about pen testing. A good external advisor will help your board take a strategic approach. You need to understand the risks and their business impacts, which are unique to your organisation, then prioritise and resource your strategy accordingly. Spend wisely; people and processes are just as important as technology.

The NCSC’s Board Toolkit provides excellent guidance describing ‘what good looks like’ from a board perspective. You can use this to judge whether your organisation is doing the right things. 

Finally, it’s the board’s job to support workforce upskilling and positive culture change. Set a good example by making the conversation about cyber-security a constructive one, free from blame and intrigue, always listening and open to learning. 

The board does not need to be a source of technical expertise. But the organisation on a positive cyber-security journey needs its board to be a driver, not a passenger. 

Jessica Figueras is Co-founder, CxB (Cyber Governance for Boards) and International Cyber Expo Advisory Council Member

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543