The Independent Director’s Guide to Cyber in the Boardroom

The view from the boardroom is different.

Having both served on boards and reported to boards, I know this to be true.

What is less well recognised in the executive suite is that, whilst independent and non-executive directors bring a wealth of valuable experience, they may not always know what to ask. And of course, executive leaders are not always easy to help.

This is particularly true on subjects where everyone feels uncomfortable, and cyber is one of them. Non-executive directors (NEDs) often feel outside their comfort zone, as it is usually not their area of expertise. Senior executives often feel the same, yet specialists in the area, even senior ones, rarely have prior board exposure or senior management training.

This can make board reports challenging and lead to a defensive, sometimes even fearful, environment: one where no one feels comfortable naming the elephants in the room, and important lines of enquiry are not followed.

This short guide is designed to help by identifying key areas for enquiry for a productive and informative conversation on cyber risk and security between boards and senior leaders.

It’s a frame of reference you can have open in front of you on your phone, or copied into your notes for the meeting.

It ends with a list of questions to keep in your back pocket, ready for your next board meeting, but I encourage you to speak to your cyber and technology leaders more informally outside the boardroom, too. They may not always feel comfortable suggesting it, but they will welcome it.

I hope you find this guide valuable, and if you do — please share it with your board.

Matt

Cyber enquiry for the Independent Director

In just a few years, cyber has transformed from the nerd in the corner into the Kim Kardashian of risk. Everyone, it seems, has an opinion on the issue. That’s because it’s serious — businesses can be built on, and destroyed by, cyber risk.

The World Economic Forum’s Global Risks Report 2019 ranks cyber attacks among the top seven risks facing the planet in terms of likelihood and impact, while high-profile CEOs including Warren Buffett of Berkshire Hathaway and Jamie Dimon of JPMorgan Chase see them as the number-one threat to business.

Despite this, a 2019 poll of 1,300 large international organisations has found that only 11 per cent of boards have taken direct responsibility for their firms’ cyber security.

Although the private sector’s investment in protective tech and compliance has increased, few business leaders have a clear understanding of cyber risk and confidence that the necessary safeguards are in place at their firms.

Practical advice for directors on this issue is still hard to come by, so here are some straightforward ways to improve your grip on cyber risk.

1. Lead from the front

Effective cyber security requires leadership, which should come first from the board and then from the executive responsible for this aspect of the business.

This is the other way round in many companies, with boards looking to their security leaders for guidance and objectives.

Ask your cyber exec to explain the threats facing the organisation. Then give them clear guidance on how quickly you want these addressed and what level of risk you can live with.

2. Talk to your CISO

Few chief information security officers (CISOs) have a close relationship with the board in their organisations — many do not report to it directly.

Meanwhile, the chief information officer, who has a very different mandate, often covers cyber security at the most senior level, yet IT operations and security priorities frequently conflict.

Boards can learn a lot from how security and technology leaders work together, but the best way to do this is to consult both of them.

Invite both your CIO and CISO to report together, and watch the dynamic.

3. Ask the right questions

To understand your firm’s level of resilience, ask your security leader to tell you:

  1. what critical systems and data assets you have, where they are, and which ones are most important
  2. what risk scenarios are most worrying, and how your controls will prevent them
  3. how the company and the board will find out — and how quickly — when something goes wrong
  4. how the organisation will respond if the worst happens, plus its chances of recovery.

Use the answers to guide your enquiry and to engage the board with your incident response plan.

4. Demand clarity in reporting

Recent research found that 96 per cent of board members want to invest more in cyber security.

What’s stopping them?

Security reporting can often be unrelated to business goals, or just unclear: qualitative terms such as “high”, “medium” and “low” risk mean little, and can be interpreted differently.

Ask for risk assessments that quantify the likelihood and impact of a cyber security breach in financial terms, as you would for any other area of financial decision-making. Good risk quantification can be done, but it takes more effort initially, so your security leader needs your support to get it off the ground.

How does the potential cost of an incident compare with the investment you are being asked for?

If no one knows, how will your executive team know when to put resources into cyber security rather than marketing or product?
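What "quantified in financial terms" looks like in practice, and how it answers the later management questions about losses in a typical year and about events that are more frequent or more severe than expected, is easiest to see in a small model. The following is an added example written for this page, not code from the original article or its author. It is a Monte Carlo loss model in Python: each scenario has an annual event frequency and a 90% confidence range for loss per event, from which it produces an expected annual loss, a bad-year (95th and 99th percentile) figure, the chance of exceeding a stated loss tolerance, and the net value of a proposed control. The scenario names, frequencies, impact ranges, the 5 million loss tolerance and the control that is assumed to halve event frequency for 400,000 a year are all constructed for illustration.

```python
"""Quantified cyber-risk model: expected annual loss, tail loss and control value.

Added illustration. The three scenarios and every number below are constructed
for this example; they are not figures from the article or from any real firm.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean

Z_90 = 1.6449  # standard normal quantile bounding a 90% confidence interval


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float  # expected events per year (Poisson rate)
    impact_low: float        # 5th percentile of loss per event, in currency units
    impact_high: float       # 95th percentile of loss per event

    def lognormal_params(self):
        """Fit a lognormal to the 90% interval [impact_low, impact_high]."""
        mu = (math.log(self.impact_low) + math.log(self.impact_high)) / 2
        sigma = (math.log(self.impact_high) - math.log(self.impact_low)) / (2 * Z_90)
        return mu, sigma

    def expected_annual_loss(self):
        """Closed form: frequency times the lognormal mean exp(mu + sigma^2 / 2)."""
        mu, sigma = self.lognormal_params()
        return self.annual_frequency * math.exp(mu + sigma ** 2 / 2)


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_losses(scenarios, years=20000, seed=1):
    """Return one total loss figure per simulated year (compound Poisson)."""
    rng = random.Random(seed)
    params = [(s.annual_frequency, *s.lognormal_params()) for s in scenarios]
    losses = []
    for _ in range(years):
        total = 0.0
        for lam, mu, sigma in params:
            for _ in range(poisson(rng, lam)):
                total += rng.lognormvariate(mu, sigma)
        losses.append(total)
    return losses


def summarise(losses, loss_tolerance):
    """Board-level figures: expected loss, 95th/99th percentile year, and the
    chance of a year worse than the stated loss tolerance."""
    ordered = sorted(losses)
    n = len(ordered)

    def percentile(p):
        return ordered[min(n - 1, int(p * n))]

    return {
        "expected_annual_loss": mean(losses),
        "p95_annual_loss": percentile(0.95),
        "p99_annual_loss": percentile(0.99),
        "prob_exceeds_tolerance": sum(1 for x in losses if x > loss_tolerance) / n,
    }


def control_value(scenarios, control_cost, frequency_reduction):
    """Compare a proposed control with its annual cost.

    Assumption for this example: the control cuts each scenario's frequency by
    `frequency_reduction` (0.5 halves it) and leaves impact unchanged.
    Returns (expected loss before, expected loss after, net annual benefit).
    """
    before = sum(s.expected_annual_loss() for s in scenarios)
    after = before * (1 - frequency_reduction)
    return before, after, (before - after) - control_cost


# Constructed scenarios (illustrative numbers only).
SCENARIOS = [
    Scenario("Ransomware outage", 0.2, 500_000, 5_000_000),
    Scenario("Customer data breach", 0.1, 1_000_000, 20_000_000),
    Scenario("Payment fraud", 2.0, 20_000, 200_000),
]

if __name__ == "__main__":
    stats = summarise(simulate_annual_losses(SCENARIOS), loss_tolerance=5_000_000)
    for key, value in stats.items():
        print(f"{key:>24}: {value:,.2f}")
    before, after, net = control_value(SCENARIOS, control_cost=400_000, frequency_reduction=0.5)
    print(f"control: expected loss {before:,.0f} -> {after:,.0f}, net annual benefit {net:,.0f}")
```

Running it prints the expected annual loss (roughly 1.24 million for these constructed inputs), the 95th and 99th percentile years, the probability of a year that breaches the 5 million tolerance, and the net benefit of the proposed control against its cost. Those are figures a board can set against a budget request; a "high/medium/low" rating is not. The same structure also answers the "what if it is worse than we expect" question: widen the impact range or raise the frequency and rerun.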

5. Have the right team around the table

Not every company needs a ‘cyber-NED’, but it is crucial to have someone on the board with enough experience and knowledge to ask the right questions of the specialists.

That person could have led an executive-level response to cyber risk in the past, or observed first hand how other firms’ boards approached a cyber incident.

The challenge here is to get the appropriate skills on your board. Don’t assume that your most technically literate board member, such as a former chief information officer, will automatically fulfil this role.

Instead, assess the capabilities of the board and form a plan to address any gaps in knowledge.

6. Play your part in simulations

Research indicates that only 13 per cent of board members feel they have learnt from the security mistakes their firms have made.

A key contributor to this is a lack of understanding about how to handle a crisis.

All companies should regularly test their readiness.

This can be done as a desktop exercise, but it is better to make it as realistic as possible. For instance, the IBM X-Force Command Cyber Tactical Operations Center offers a training platform that can run full-scale simulations of cyber incidents.

A board member should get actively involved in such exercises to practise how to respond.

Have you sat down with your CEO and discussed how they would handle customer, investor and media response to a cyber crisis?

7. Practise dealing with the media

Serious cyber incidents will hit the headlines, so you need to have a media management strategy ready to limit any reputational damage.

Baroness Dido Harding, TalkTalk’s CEO from 2010 to 2017, sought to do the right thing by making a prompt public announcement when a cyber attack in 2015 compromised the personal details of around 157,000 customers (at first feared to be millions), yet she still had to handle intense criticism.

Bring in a public relations specialist or crisis management adviser, choose the scenarios that most concern you, and then ask your chair, CEO, CIO or communications lead to stand in front of a camera and, with that help, practise handling a grilling from the media.

8. Focus on the human aspects

Cyber risk is seen as an IT issue, but research shows that some 90 per cent of incidents leading to cyber insurance claims resulted at least partly from human behaviour.

Your HR, IT and security teams should work together on this — discuss how your company’s culture supports cyber security and risk management, and make sure your board messaging encourages staff to take risk seriously.

If you are told not to worry because the company runs an annual computer-based training exercise, or an induction for new employees, ditch the statistics on completion rates and ask how they know it is actually effective. Most such programmes are compliance-driven and deliver little benefit. Regular, bite-size engagement is much more effective.

Key questions to ask about your cyber risk

As a board member, you don’t need to be in the weeds to add value.

The first task is to understand what impact cyber risks could have on your organisation, and what your executive team is doing about it.

Then you can start to consider whether it is the right response.

This does not require any knowledge of firewalls, patching, or perimeters.

Understanding your business, its goals and its performance is everything you need.

Here are 20 critical questions you can ask now with your board that will trigger the right conversation with management — using the expertise you already have.

Questions for the Board

  1. Are we comfortable with the risks the company is taking?
  2. Do we agree that the risks presented by management are our most critical risks?
  3. Could these impact our business plan, and if so how do we address them?
  4. Do we agree with the risk appetite statement(s)?
  5. What level of risk oversight do we want as a Board?
  6. Do we have the right skills to assess this?
  7. Do we have the right relationship with our security and technology leaders?
  8. Do we understand the information presented, and is it useful: does it help inform decisions?

Questions for management

  1. How does our risk compare to our risk appetite or tolerance?
  2. What level of losses should we expect in a typical year?
  3. What would happen if risk events were more frequent than we expect, or their impact was higher than we expect?
  4. How could our risks impact future financing?
  5. Are our current internal controls reducing risk effectively and sufficiently?
  6. Do we need to do more? Or do less?
  7. If we need to prioritise, which actions will have the biggest impact on risk for the investment required?

Questions for everyone

  1. Do we have the right risk transfer in place (e.g. insurance, contracts and outsourcing terms)?
  2. Are we confident that our insurance will cover our losses in the scenarios we have identified?
  3. Are there some risks that we are happy to accept, and if so how do we monitor them?
  4. Are there some risks we cannot accept at all, and if so what is the impact on our strategy and business model?
  5. What is happening, internally and externally, that could change our assessment of risk?

Going deeper: do we need a cyber-NED?

Few boards feel adequately skilled for cyber security. Board members bring value through having ‘been there and done it’: no seminar can replicate that.

Increasing the diversity of skills on your board is always a good idea, as long as new board members can learn to operate at a strategic level and stay ‘hands-off’ in a non-executive capacity.

Board members need to be able to contribute credibly on a range of topics, and understand the dynamics of a boardroom environment.

That can be very new to technology and cyber security leaders, who will likely not have prior board experience.

Don’t let that stop you though: more diversity on boards is a good idea, and how will experts in these fields gain this exposure if not through being given the opportunity to do so?

Of course, there is no such thing as a ‘cyber-NED’, any more than there is a ‘marketing NED’: you are a director and share responsibility for the performance of the company. That does mean a certain level of capability is required. Candidates with this experience are out there, but they may not be in your network, so you may need to engage a board search firm to find them. A number of services today have access to suitably qualified candidates, and running an open recruitment process for your next NED or independent director will bring other benefits too.

You could also set up an advisory board to contribute missing skills, seek an external coach with expertise in this area, or ask your CISO to lead a series of short training seminars for the board.

At the very least, make sure your cyber leader has direct access to the board and is regularly asked to present at it. If there is a disconnect, take action to upskill the board to resolve it.

About the author

Matt Palmer is an experienced NED and board level technology and cyber risk leader.

He has led global technology and cyber security functions across banking, insurance and capital markets — often through innovation, change, and M&A.

He is director of cyber strategy and risk advisory firm Cyberclaria, a board advisor to several fintech startups, and a board member of a national financial services regulator.

Both an accountant and a technologist, Matt has presented at many international conferences and was awarded Security Leader of the Year in 2018.

Connect with Matt on Medium, LinkedIn and Twitter


*** This is a Security Bloggers Network syndicated blog from Stories by Matt Palmer on Medium authored by Matt Palmer. Read the original post at: https://medium.com/series/the-independent-directors-guide-to-cyber-in-the-boardroom-f5d81c13945f?source=rss-ca0fc895d58b------2