Board members are key decision makers for every firm. They also play a pivotal role in safeguarding a company from both internal and external pressures. In a listed firm the board will look to protect the interests of shareholders and employees; while in a private company the focus is usually on helping management to make consistent and effective decisions for the business.
However, it is a fact that boards are not generally perfectly structured for assessing and prioritising cyber risk. Age is one factor. But there is also recruitment bias to contend with. When recruiting for the board, the typical skillsets that are favoured by recruiters include law, regulatory expertise, financial and accounting qualifications or HR experience. Notably missing from this list are IT, risk management or cyber security expertise.
The UK government’s own 2019 survey found that currently only 38% of small firms have in place board members or trustees with responsibility for cyber security. In large firms, less than 60% have a specific board member with oversight of this key risk. Worst of all are charities, where the number is only 30%*.
This is shocking, given the potential impacts a cyber event can have on a firm – from prevention of trading to loss of reputation, or data theft fines and reparations.
The challenge to be faced is increased by the fact that, not only are a board’s external Non-Executives are unlikely to have been recruited because of IT skills; but frequently a firm’s staff Chief Information Security Officer (CISO) – or equivalent – will often not sit on the board, leaving a gap in decision-taking expertise, and sometimes even in board awareness of the risk at all.
The challenge is not just one of ‘being in the room’. Attitude and communication are also important barriers to board’s understanding of how to manage cyber risk. Former CEO of Lloyd’s, Dame Inga Beale commented that “communicating in the same language is one of the barriers to effective collaboration between boards and information security functions”** The challenge is for an IT specialist to speak clearly to the board, to address their main priorities; and in doing so, to move beyond technicalities and into overall business risk
How can this be achieved? There are some simple rules which can make a big difference. Firstly, it is critical to use effective and simple tools to illustrate the risk, for example, using financial models to demonstrate the cost of a data breach, rather than system maps showing outages in terms of time and physical areas affected.
The CISO needs to team up with other departments to clearly analyse the effect of a cyber incident, including looking at elements that are not within their remit such as public relations and associated negative publicity, legal ramifications and impacts on share price / revenues or profits. These issues are ones that boards understand and can respond to much more easily than system-focused descriptors.
Overall, the approach must be to give the board issues that they can quantify and use to measure the potential financial impact to the business. Conversely, don’t use jargon that may make the board feel out of their depth, as this will make them reluctant to question, become involved or take decisive action. The point of having a board is that regardless of their technical knowledge they should still be able to provide valuable advice and help management steer around both new and old risks.
Managing a board is a skill in itself, and getting the decisions made that you need becomes doubly tricky in the relatively new and complex field of cyber risk. If cyber security is your responsibility in a firm, you need to arm yourself with the understanding of a board’s approach, as well as taking time to talk in their language. The board’s input can be valuable. The key to getting the best out of them is to articulate clearly the whole-business impacts of a cyber risk. It is simply a case of learning how to speak the language of the board.
Tom Malcolm is Head of UK Cyber at New Dawn Risk and advises clients on all aspects of cyber cover, protection and risk. For further information please get in touch firstname.lastname@example.org