... and what good looks like

Richard Brinson and Rachel Briggs OBE

As a result of insufficient cyber knowledge and a lack of clarity about their role, many boards struggle to challenge what they hear about cyber security. Some take it as read, others remain silent for fear of betraying their ignorance, and others still home in on tiny details because they are not sure how to tackle the bigger picture. Research shows this creates the risk of ‘cyber sophistry’; as one PhD-qualified CISO, Dr. Joe Da Silva, told us, “There’s an opportunity for CISOs to pull the wool over boards’ eyes. I’ve been at plenty of organisations where if you tell them it’s all fine, nobody’s going to question you. Boards need to be able to assure themselves that they can verify what they are being told. The concept I used in my research on cyber security in organisations is ‘Cyber Sophistry’, which is the opportunity for CISOs to manipulate or spin things in such a way that means that boards don’t look too closely.”

This can lead boards into a holding pattern on cyber security. In a survey of 800 global board directors, 83 percent identified cyber security as a top priority, but fewer than half had taken any dedicated action, such as requesting cyber security updates, conducting third-party audits, or involving themselves in their organisation’s cyber security threat response simulations. Only one-third of IT and security executives believe their interactions with the board reduce organisational risk. Around half of board directors believe their organisation is unprepared for a cyberattack.

We identified four common board postures on cyber security: passive, in the weeds, deferential and cyber-engaged. Boards are rarely just one; they alternate between these postures within and between meetings and over time, and there are different levels of maturity within individual boards.

Three common bad board postures on cyber security 

Passive: this posture is driven by a number of factors. Some boards are passive because they don’t think cyber is important. One CISO commented, “I’ve been at board meetings talking about security and half the non-execs are looking out the window or playing with their phones.” Others prefer not to speak first for fear of exposing their lack of understanding. Anne Woodley, a NED and Senior Security Specialist at Microsoft, told us, “Most boards don't know what questions to ask to be able to challenge it, so they move on because they don't want to look stupid.” When passive boards recruit a technology or cyber NED, they often defer to them, something we call ‘boardroom cyber rubbernecking’. As one NED told us, “Whenever the topic comes up, you see the heads swivel towards that person.”

In the weeds: this happens for two main reasons. First, when CISOs focus on threats and controls, they lead boards into a tactical rather than a strategic, risk-based discussion. As experienced NED Paul Cutter told us, “I don't think most frameworks are very helpful for boards. The board conversation has to be at the right level and it has to be about the stuff they understand and care about and then track that to where the organisation should respond.” Second, boards that tend to micromanage in all areas also micromanage cyber security. As experienced NED and CEO Nicola Horlick told us, “I'd rather spend time making sure we've got the right person being the CTO or CDIO, rather than have the board hanging over their shoulder, breathing down their neck, trying to make sure that they've chosen the right system.”

Deferential: even boards with relevant experience can tend towards deference to the CISO, especially when that individual is trusted and communicates well and appropriately at board level. This is the cyber board trust paradox. As one CISO told us, “The more trusted you are and the better the content that you write for them, the fewer questions they ask you because they trust you. That is obviously a good thing in one regard, but actually it's potentially open to abuse.” Deferential boards are often cyber aware enough to ask the right questions, but not enough to understand the answers, and their deference to the CISO reduces the opportunity for the conversations that would mature their posture.

Good board posture on cyber security – cyber-engaged boards 

In contrast, boards that are what we call ‘cyber-engaged’ lean into their role in governing cyber security. They understand that they are responsible for ensuring the executive is effectively managing cyber risk for the company. As such, they are engaged, informed and constantly learning, and they are in an ongoing dialogue with their CISO and amongst themselves about cyber risk for their organisation. Exactly what cyber-engaged looks like will differ according to a company’s cyber risk profile. These boards exhibit six behaviours:

  • They have a clear understanding of the unique role of the board 

  • They recruit directors with specialist knowledge of technology, digital, data or cyber 

  • They invest in education to raise their individual and collective knowledge of cyber security 

  • They make cyber security a regular topic of discussion in board meetings 

  • They ensure cyber security has a home within a designated board committee 

  • They seek out advice from the CISO and independent cyber advisors 


Read our full paper, 'Effective Cyber Security Board Governance – A source of competitive advantage'

For more information on Savanti’s board advisory service, contact Richard Brinson (CEO of Savanti, part of FSP) or Rachel Briggs OBE (Executive Advisor to Savanti).