Boards are increasingly concerned about cyber security, ranking it as one of their top priorities, and for good reason. The cyber security risk is growing, ever more companies are being targeted, and while multi-million dollar ransoms attract the headlines, the impacts of a cyber incident are felt right across the business: higher insurance premiums, business disruption, lower production, delays, reputational damage, intellectual property theft, litigation, and regulatory actions, to name a few.
While there has undoubtedly been progress in recent years on board governance of cyber security, many boards struggle to discharge their responsibilities. Many don’t understand their unique role on cyber security, lack the right level of cyber awareness and can’t turn to CISOs or other executives to bridge this gap, and as a result fail to challenge what they hear in the boardroom.
Drawing on our collective experience working with clients across dozens of sectors and interviews with non-executive directors, executive committee members and technology experts, we propose a 5-point plan for effective cyber security board governance:
Actions for boards
1. Understand your unique role as a board
Boards have four roles in relation to cyber security:
- Set your company’s risk appetite for cyber security: boards should understand their risks and articulate the ones they are willing and unwilling to take. As the global CISO with a financial institution told us, “What a lot of boards don't yet do, but they should be doing, is setting the risk appetite. To set the right risk appetite, you have to understand what threat is particular to your business and what your vulnerability is.” It is especially important that they acknowledge the risks they accept and the areas where they agree action should not be taken. NED Paul Cutter told us, “Part of the responsibility of the board is to define the risk appetite for the business and to hold management to account for managing within that risk appetite.”
- Ensure resilience and recovery: boards should satisfy themselves that they understand how the organisation would recover from a breach, how long this would take, and the impacts it would have. Too many boards accept what they are told and make assumptions about recovery times that are unrealistic.
- Be informed: boards have a responsibility to ensure they have a board-appropriate level of knowledge of cyber security that enables them to interrogate what they are told, ask the right questions and understand the responses they get from CISOs.
- Be prepared: boards need to ensure they are ready for their role during a crisis incident, have established policy positions on key issues such as ransomware payments, and have pre-approvals in place to streamline the response.
2. Be appropriately informed about technology, data and cyber security
As technology, digital transformation, data-led decision-making and effective cyber security become ever more critical to business, this should be reflected at board level. Calls for CISOs to be elevated to board level are too broad; board skills should be needs-driven. There are also currently few CISOs with the breadth of skills, experience and business acumen necessary for board positions, although this is growing over time. As one CISO commented, “I can only count on two hands the sort of person that we're talking about.”
Boards need well-rounded directors capable of contributing across all board discussions. As one board recruiter told us, “The challenge for boards and chairs is you have a finite number of seats. Boards are like orchestras and everybody plays a slightly different instrument and they all have to play harmoniously. You need people who can speak to their area of expertise, but they need also to lean into other conversations; otherwise, it’s less of a holistic discussion.” Boards should have at least one NED with experience in, and capable of speaking at board level to, technology, digital, data, cyber security or other forms of security, such as physical or supply chain security.
As well as recruiting board members with specific expert knowledge, all board members should have sufficient knowledge to play an active role in cyber security discussions to avoid ‘board room cyber rubber necking’. As one global CISO put it, “I think they need to be GCSE French level fluent in cyber security.” Chairs should encourage directors to educate themselves, invite experts in to brief the board, allow and encourage NEDs to be in contact with CISOs between board meetings and ensure directors have access to independent board advisors.
3. Put cyber security on the board’s agenda
Boards should make cyber security a regular discussion at their meetings, featuring at least quarterly and more frequently when there is something critical ongoing. As a global CISO with a financial institution commented, “The beginning of good looks like boards at least showing an appetite to get this, to ask the right questions, to make sure that cyber is a regular board level topic and not just discussed when there's a problem.” The board report should be delivered by the CISO to ensure cyber security discussions are not filtered through the lens of competing concerns, such as reliability and uptime, and also to ensure all questions can be addressed head on, rather than deferred and forgotten.
Companies with elevated technology, data and cyber risks should consider establishing a technology committee of the board, something that a small but growing number of companies are doing. Less formal than the audit committee, such committees bring focus and oversight and allow for open discussions that will help mature cyber security governance.
4. Board and executive access to independent cyber security advisors
Boards can accelerate their cyber knowledge and enhance cyber governance through the use of independent cyber security advisors. A number of interviewees commented on their value. One NED told us, “Independent board advisors are invaluable. Any time I have served on the board that has had one, it's been fantastic because you can also have those conversations offline with them, call them up to ask them the question you didn’t want to ask in front of everybody.” Nicola Horlick reflected, “The normal audit is all about the figures, it's not necessarily about processes and making sure that you've got the best things in place for things like cybersecurity. So I think it’s important for boards to get someone to perform that independent assessment and advisory role.”
Independent board advisors can contribute to three aspects of cyber security governance:
- CEO and CFO: to help them challenge and arbitrate between the CISO, CIO and CTO in prioritising between security, reliability and uptime. Often security needs to be prioritised against features and functions of business systems or customer facing apps, for example. They can also help them to interpret reports from the CISO before or after board meetings, helping them to understand what questions to ask and which lines of enquiry to probe.
- Non-executive directors: independent cyber security advisors can offer 1-2-1 coaching and mentoring for NEDs, help them to prepare for board meetings, understand cyber strategy, formulate the right questions to ask, and help them to identify red flags. They can also help NEDs to benchmark the company’s stance on cyber.
- CISO: independent cyber security advisors are increasingly being hired to coach CISOs on how to communicate and engage appropriately at board level.
5. Actions for regulators, investors and public bodies
Effective cyber security board governance is vital – not just for individual companies, but to create the trust and integrity that societies and economies rely upon. There is, therefore, an important role for regulators, investors and the public sector.
- Regulators: While regulation should be the last resort in many situations, it is time to act on cyber security with smart and focused regulation. This means requirements for boards to: report on relevant expertise at board and senior management level on cyber security; report on risk management arrangements for cyber security; and disclose breaches to the relevant public authority to build a more comprehensive shared picture of the emerging threat. Many of our interviewees agreed; Anne Woodley, a NED and Senior Security Specialist at Microsoft, reflected, “I'm not a fan of overregulation, but smart regulations and targeted regulations would help to raise everyone’s standards up a little bit and make it easy to understand how you're measured against it.” This chimes with wider research, with 80% of senior executives agreeing that mandatory disclosure of cyber incidents, with comparable and consistent formats, is necessary for building confidence and trust. We welcome the July 2023 SEC regulations on cyber security disclosure of incidents and board and management oversight.
- Investors: investors should continue to ask questions of their portfolio companies to help drive action on cyber security and more effective governance.
- Public-private partnerships on cyber security: they can deliver three vital outcomes for cyber security: a) shared and improved knowledge about incidents and trends, b) shared best practice on cyber security management and governance, and c) joint activities to strengthen the cyber security capability of organisations and the general public. The National Cyber Security Centre does sterling work in the UK and should be further resourced and supported to extend this work, ensuring that all organisations have somewhere to turn for information, mentorship, best practice, and joint working. As a former senior law enforcement leader told us, “The policing world is intelligence heavy but resource poor, and business is the reverse. Potentially it's a match made in heaven, bringing the two much more closely together.”
Getting cyber security governance right is not just a win for the security of individual companies; evidence shows that large enterprises with digitally savvy executive teams have significantly higher revenue growth, valuations and net margins. Effective cyber security also brings many top line benefits, including greater success rates when tendering for new clients, improved data insights, investor confidence and maintenance of shareholder value during mergers and acquisitions.
Read our full paper, 'Effective Cyber Security Board Governance – A source of competitive advantage'