A recent poll of City of London bosses by the Financial Times called on companies to hire a “younger generation of boardroom directors to head off the systemic threat that cyber risk poses to the financial system”.¹
I welcome business leaders openly discussing the significant and potentially catastrophic impacts that a successful cyber-attack can have on their organizations. Yet I’m concerned that suggesting a younger generation will help at the ‘top table’ highlights part of the problem that exists in many boardrooms.
Cyber risks are, whatever we may think, now part of ‘business as usual’ for any organization. We don’t need any more high-profile media headlines to know that cyber-attacks represent a real and present danger to what we value most: our corporate and personal reputations, our hard-fought competitive advantage and the trust of our customers. Industry research now regularly reports cyber risk as one of the top five risks facing any organization.
Those who work on boards typically have a deep understanding of business and of the potential risks, including cyber risk, to the delivery of their strategic objectives. This is an essential requirement, as an effective cyber resilience strategy must be inextricably linked to your overall business strategy. The challenge for most boards is that cyber risk is unlike any other risk they usually consider. It’s persistent, often hidden, increasingly industrialized and highly tuned to exploit your vulnerabilities. But it’s a risk all the same and, like all other risks, it should be quantified effectively so that an appropriate risk appetite can be agreed that supports the business’s objectives.
For me, the age of your board directors is irrelevant. The key skills required to manage cyber risks effectively in the boardroom are not technical, nor do you need to be a younger ‘digital native’ to acquire them. Indeed, it’s the very business experience that more senior board directors have which should place them in the ideal position to respond appropriately. It starts with the boardroom understanding what information and systems are most critical to them, being curious and asking the pertinent questions about cyber risks and the vulnerabilities of what is most precious to them. They need to understand that this is not something that the IT team alone can or should manage. The greatest vulnerability for any organization is its people, but people also represent the most effective security control for better managing cyber risks.
Boards should focus on decreasing the risk of attack as well as understanding the processes that are in place to manage a cyber-attack when it occurs. In this context I believe there are some core questions any boardroom needs to know the answers to:
- Do we have a cyber resilience strategy and does it support our agreed business strategy?
- Do we know what information and systems are most critical to our organization and our mission? If we do, where are they and who has access to them?
- Do we have an engaging and effective information security awareness program in place across our organization designed to influence and drive new cyber resilient behaviours?
- Do we have a well-defined, tried and tested, crisis response plan in the event of a data breach?
- Do we adopt a risk-based approach to cyber resilience using best practice, or are we simply focusing on compliance with regulations and standards?
- Have we established an appropriate cyber risk escalation framework that includes our risk appetite and reporting thresholds?
- What do we do to identify the cyber risks from our third parties, particularly the risks associated with our most critical suppliers?
- How do we remain vigilant against the changing threat landscape, and how does it affect the vulnerability of our most precious information and systems?
Cyber risk is just one of many risks the board must understand. The board needs to set the right ‘tone from the top’ and inspire the entire workforce to have the awareness and skills required to be vigilant at all times. Age is not one of the requirements to make this happen.
¹ Financial Times, 15 December 2015
Read more AXELOS Blog Posts from Nick Wilding