How and when to bring cybersecurity into the boardroom
Much like governance in general, cyber and information security must be embedded in an organisation’s DNA for it to be truly effective.
Cyber and information security have always played a key role in the sustainability and competitiveness of an organisation. Yet it is now, following media coverage of data breaches and their impact on consumer trust and organisational reputation, as well as the financial impact (especially under UK GDPR), that boards are increasingly focused on this area and on the associated risk mitigation strategies.
Robust cybersecurity has become a ‘must have’, not just for building cyber resilience but also for organisations seeking investment. It has also come to be seen as essential for board directors seeking to safeguard the long-term reputation of their organisation and their own future career. Stakeholders are equally concerned about cyber resilience and will often conduct their own due diligence; they have a vested interest in the organisations they associate with and in those organisations’ ability to get it right when it matters most. Whilst not every cyber breach can be prevented, strong governance enables an organisation to bounce back more quickly after an attack and win back the trust of its stakeholders.
You may not be surprised to hear that the most common cause of a successful cyber-attack is an oversight by one of the organisation’s key stakeholders (employees, vendors, etc.). These insider risks can also originate in the boardroom, given the sensitive information board directors handle, the use of less secure personal email accounts to transfer that information, and the social engineering attacks that specifically target directors (such as ‘whaling’).
Directors are accountable for their own actions and for those of the organisation they serve. It is therefore important that the right questions are being asked. Here we set out some high-level example questions:
So, what can be done? Whilst some attacks cannot be prevented, action should still be taken to mitigate the risk. Below are four key steps which can help your organisation build a more robust approach to cyber resilience:
1) carry out an annual audit of governance policies, processes and procedures, for example the approval of third parties (vendors);
2) carry out an annual audit of the organisation’s IT controls;
3) drive a culture of good governance from the top that embeds appropriate workforce behaviours; and
4) allocate sufficient budget to cyber and information security-related projects to ensure they are completed to an appropriate standard.
Safeguarding information is the responsibility of the board, but not all directors have the expertise to critically question an organisation’s approach. Engaging a virtual chief information security officer (vCISO) is one way to increase focus on, and understanding of, cyber within the organisation. A vCISO can assess cyber-risk, and develop and implement the policies, procedures and controls needed to strengthen defences and meet compliance standards.
If employing a vCISO is an option for your organisation, it will be important to foster a strong collaboration between the board and the vCISO, especially during the COVID-19 pandemic given the heightened risks that come with working from home. Remote working increases the organisation’s ‘attack surface’ and exposes it to a significant risk of interruption to business operations, in an already challenging time for many organisations.
So when should cybersecurity be brought into the boardroom? In short, from day one. Organisations that implement the right governance frameworks and standards from the start build a culture of good cybersecurity governance. That said, many directors do not currently have sufficient expertise in this area. But all is not lost: these skills can be learnt through accredited leadership training courses such as CISM training. This certification, provided by ISACA (an international professional association focused on IT governance), gives senior leaders a grounding in information security governance, information security risk management, information security program development and management, and incident management. There are also cyber awareness and resilience courses designed specifically for board directors.
For those interested in learning more, a starting point would be to review the following resources:
María Isidro, CCO & Director of Operations, 1600 Cyber, Erika Percival FCG, Founder & CEO, Beyond Governance.
1600 Cyber and Beyond Governance, in partnership, will on Thursday 4 March 2021 at 2pm GMT be holding a free webinar ‘How are Cyber and Information Security helping your company build trust?’. Visit the link to register. The webinar will dive into how cyber resilience and a focus on privacy can support an organisation’s reputation and safeguard trust amongst its key stakeholders.