Boards are increasingly concerned about cyber security, ranking it as one of their top priorities, and for good reason. Cyber security risk is growing and ever more companies are being targeted. While multi-million dollar ransoms attract the headlines, the impacts of a cyber incident are felt right across the business: higher insurance premiums, business disruption, lower production, delays, reputational damage, intellectual property theft, litigation and regulatory action, to name a few. Board interest is also being piqued by growing media reporting of cyber incidents, a heightened board focus on operational resilience post-pandemic, investor pressure and a tightening regulatory environment.
While there has undoubtedly been progress in recent years on board governance of cyber security, many boards struggle to discharge their responsibilities. Many do not understand their distinct role in cyber security governance, lack the right level of cyber awareness and cannot turn to CISOs or other executives to bridge this gap. As a result, they fail to challenge what they hear in the boardroom.
Board directors often lack the right level of cyber awareness. A majority (59%) of directors say their board is not very effective in understanding the drivers and impacts of cyber risks on their organisation, and in another study a majority of directors said they "only somewhat" understand their company's cyber security vulnerabilities. One of the main reasons for this knowledge gap is the small number of directors with cyber or related expertise, such as technology, information or corporate security. While some boards are actively targeting NED recruitment towards directors with these profiles, research on board succession suggests change will be slow: very few boards have explicit term limits, and mandatory retirement ages are increasing.
Most CISOs can't bridge the gap in board awareness of cyber security. As we outlined in our paper, 'Cyber security leadership is broken', many CISOs struggle to communicate at board level, focusing on tactical and technical briefings rather than strategic, risk-based discussions. As one NED told us, "One of the things that's wrong with the cyber industry is it's very technically focused and dominated by people who speak technobabble and obsess about the minutiae of some interesting engineering element as opposed to the big picture around risk and the controls that make the biggest difference."
Boards are increasingly turning to independent board advisors to help them make sense of what they hear and to ask the right questions of CISOs. As CEO and seasoned NED Nicola Horlick reflected, "The normal audit is all about the figures, it's not necessarily about processes and making sure that you've got the best things in place for things like cybersecurity. So I think it's important for boards to get someone to perform that independent assessment and advisory role."
Independent board advisors can contribute to three aspects of cyber security governance:
- CEO and CFO: advisors help them challenge the CISO, CIO and CTO, and arbitrate between them when security has to be prioritised against reliability and uptime, or against the features and functions of business systems and customer-facing apps. They can also help them interpret reports from the CISO before or after board meetings, identifying which questions to ask and which lines of enquiry to probe.
- Non-executive directors: independent cyber security advisors can offer one-to-one coaching and mentoring for NEDs, help them prepare for board meetings, understand the cyber strategy, formulate the right questions and identify red flags. They can also help NEDs benchmark the company's cyber security posture against its peers.
- CISO: independent cyber security advisors are increasingly being hired to coach CISOs on how to communicate and engage appropriately at board level.
The benefits of enhanced digital and technology knowledge at board and executive level extend beyond a tech or cyber dividend. Large enterprises with digitally savvy executive teams (those where more than half of the members are digitally savvy) have 48% higher revenue growth, higher valuations (share price to sales ratio) and 15% higher net margins. As the proportion of digitally savvy members on the top team increases, so do net margin and revenue growth: for every 10% increase in top-team digital savviness, there is a 0.4 percentage point increase in profitability and a 0.7 percentage point increase in revenue growth, compared with the industry average.
Effectiveness in the cyber security domain is a source of competitive advantage.
Read our full paper, 'Effective Cyber Security Board Governance – A source of competitive advantage'