There are five trends driving board prioritisation of cyber security:
- Increasing frequency of cyber events: board directors are rarely more than two or three degrees of separation from a cyber security event. As Ian Haslegrave, a General Counsel commented, “I think there's been more transparency on the types of cases coming out and the impacts. The more of those events, the more likely that they're getting closer to somebody that they know.”
- Increased media reporting: most cyber incidents are not reported publicly, but a growing number are making the headlines. As one CIO and cyber board advisor reflected, “No-one wants to be the next Dido Harding,” referring to the former CEO of TalkTalk, who resigned following a major breach. This translates into discussions in the boardroom. CISO, Dr. Joe Da Silva, told us, “Media is obviously a factor; whenever there is something in the media, there are questions that come through to you, there's interest, there's curiosity about what's happened and whether it can happen here.”
- Pandemic focus on operational resilience: a heightened focus on operational resilience during the pandemic shone a spotlight on technology, digital and data systems. Steven McCord, a board recruitment consultant with Russell Reynolds Associates commented, “There has been a sea change in attitudes to technology leadership on boards over the last five years. It was certainly happening pre-pandemic, but what the pandemic did was accelerate this because it forced boards to think really hard about resilience, about cyber, about data, and also about basic operational technology.”
- Investor pressure: many investors see cyber as the canary in the coal mine for organisational health; if a company can demonstrate effective cyber preparedness, it is a sign of the strength of their overall leadership, operations and governance. Investor concerns form part of the SEC’s rationale for proposed regulation of cyber governance.
- Regulation: a growing number of regulators have acted on cyber, including most recently the SEC, which has implemented new requirements around disclosure and board and management oversight. It follows the EU’s NIS2 Directive, Australia’s Critical Infrastructure Act and Norway’s Security Act, amongst others. It seems likely more cyber regulation will emerge in the coming years.
Cyber security is now a boardroom priority; almost three-quarters of board directors rank it as a top priority. As a leading recruitment consultant working on non-executive board recruitment commented, “When you think about the things that keep them up at night, it’s cyber, because the impact can be unquantifiable. When it comes to data breaches, cyber hacks, the impact on your business can be exponential and potentially existential.” But our research shows that boards continue to fall short in performing their governance role on cyber security, because they struggle to define their role, lack the right level of cyber awareness, and CISOs are not adequately bridging the gap.
The Savanti model for cyber-engaged boards revolves around four key board actions:
1. Understand your unique role as a board
Boards have four roles in relation to cyber security:
- Set your company’s risk appetite for cyber security: boards should understand their risks and articulate the ones they are willing and unwilling to take. As the global CISO with a financial institution told us, “What a lot of boards don't yet do, but they should be doing, is setting the risk appetite. To set the right risk appetite, you have to understand what threat is particular to your business and what your vulnerability is.” It is especially important they acknowledge the risks they accept and the areas where they agree action should not be taken. NED, Paul Cutter, told us, “Part of the responsibility of the board is to define the risk appetite for the business and to hold management to account for managing within that risk appetite.”
- Resilience and recovery: boards should satisfy themselves that they understand how the organisation would recover from a breach, how long this would take, and the impacts it would have. Too many boards accept what they are told and make assumptions about recovery times that are unrealistic.
- Informed: boards have a responsibility to ensure they have a board-appropriate level of knowledge of cyber security that enables them to interrogate what they are told, ask the right questions and understand the responses they get from CISOs.
- Be prepared: boards need to ensure they are ready for their role during a crisis incident, have established policy positions on key issues such as ransomware payments, and have pre-approvals in place to streamline the response.
2. Be appropriately informed about technology, data and cyber security
As technology, digital transformation, data-led decision-making and effective cyber security become ever more critical to business, this should be reflected at board level. Calls for CISOs to be elevated to board level are too broad; board skills should be needs-driven. There are also currently few CISOs with the breadth of skills, experience and business acumen necessary for board positions, although this is growing over time. As one CISO commented, “I can only count on two hands the sort of person that we're talking about.”
Boards need well-rounded directors capable of contributing across all board discussions. As one board recruiter told us, “The challenge for boards and chairs is you have a finite number of seats. Boards are like orchestras and everybody plays a slightly different instrument and they all have to play harmoniously. You need people who can speak to their area of expertise, but they need also to lean into other conversations; otherwise, it’s less of a holistic discussion.” Boards should have at least one NED with experience in, and capable of speaking at board level to, technology, digital, data, cyber security or other forms of security, such as physical or supply chain.
As well as recruiting board members with specific expert knowledge, all board members should have sufficient knowledge to play an active role in cyber security discussions to avoid ‘board room cyber rubber necking’. As one global CISO put it, “I think they need to be GCSE French level fluent in cyber security.” Chairs should encourage directors to educate themselves, invite experts in to brief the board, allow and encourage NEDs to be in contact with CISOs between board meetings and ensure directors have access to independent board advisors.
3. Put cyber security on the board’s agenda
Boards should make cyber security a regular discussion at their meetings, featuring at least quarterly and more frequently when there is something critical ongoing. As a global CISO with a financial institution commented, “The beginning of good looks like boards at least showing an appetite to get this, to ask the right questions, to make sure that cyber is a regular board level topic and not just discussed when there's a problem.” The board report should be delivered by the CISO to ensure cyber security discussions are not filtered through the lens of competing concerns, such as reliability and uptime, and also to ensure all questions can be addressed head on, rather than deferred and forgotten.
Companies with elevated technology, data and cyber risks should consider establishing a technology committee of the board, something that a small but growing number of companies are doing. Less formal than the audit committee, such committees bring focus and oversight and allow for open discussions that will help mature cyber security governance.
4. Board and executive access to independent cyber security advisors
Boards can accelerate their cyber knowledge and enhance cyber governance through the use of independent cyber security advisors. A number of interviewees commented on their value. One NED told us, “Independent board advisors are invaluable. Any time I have served on the board that has had one, it's been fantastic because you can also have those conversations offline with them, call them up to ask them the question you didn’t want to ask in front of everybody.” Nicola Horlick reflected, “The normal audit is all about the figures, it's not necessarily about processes and making sure that you've got the best things in place for things like cybersecurity. So I think it’s important for boards to get someone to perform that independent assessment and advisory role.”
Independent board advisors can contribute to three aspects of cyber security governance:
- CEO and CFO: to help them challenge and arbitrate between the CISO, CIO and CTO when prioritising between security, reliability and uptime. Security often has to be weighed against the features and functions of business systems or customer-facing apps, for example. Advisors can also help them to interpret reports from the CISO before or after board meetings, helping them to understand what questions to ask and which lines of enquiry to probe.
- Non-executive directors: independent cyber security advisors can offer 1-2-1 coaching and mentoring for NEDs, help them to prepare for board meetings, understand cyber strategy, formulate the right questions to ask, and help them to identify red flags. They can also help NEDs to benchmark the company’s stance on cyber.
- CISO: independent cyber security advisors are increasingly being hired to coach CISOs on how to communicate and engage appropriately at board level.
Read our full paper, 'Effective Cyber Security Board Governance – A source of competitive advantage'