Cyber is not an IT issue
The starting point for boards is a recognition that cyber security is not simply a matter for the IT department. Cyber risks go across all aspects of the business and thinking about them needs to be integrated at all levels of strategy and operation. That could include the cyber risks of rolling out new digital products and services, the impact of cyber attacks on company operations, the reputational or commercial damage of a major data breach or the fines that could be levied by regulators in the event of significant failings in security.
Traditionally, though, cyber risk has been seen through the prism of IT and it has been hard to shift this perception. Chief Information Security Officers (CISOs) have often reported into IT, and the technical language of security has led to significant communication gaps with boards. However, this has been changing. Many businesses are recognising the tensions between security and IT, when judgments have to be made which balance security, speed of delivery and functionality. Consequently, it is now increasingly common for a CISO to report into a risk-related function rather than IT, which may help to make discussions less technically-orientated.
Many boards have also improved their cyber literacy, following a growth in board training on cyber security issues. Some boards have brought in Non-Exec Directors with more expertise in this area or developed good relationships with external advisors on the topic. For many businesses, though, more is needed.
Mechanisms for engagement
ICAEW’s Audit insights series on cyber security has drawn out a number of ways that boards can engage more effectively on the topic. Key points include:
- Board meetings and regular updates: surveys show that cyber security is increasingly a standing item on board agendas, enabling boards to get regular updates on incidents, performance and any other relevant issues. Getting good information which can support decision making about cyber is key here, and this can still be challenging. Information is often technical rather than focused on business risk or impact. As a result, a priority of boards should be to work with CISOs to develop dashboards and other information that is meaningful to their business and helps to make good decisions about cyber security.
- Threat intelligence and peer stories: understanding who might be wanting to attack your business can help to bring home cyber security risks and galvanise the attention of boards. Similarly, stories about the experience of industry peers can be helpful, along with high-profile data breaches that are reported in the media. Exploring these kinds of case studies can underline the types of threats faced by businesses, highlight how attackers get into systems and the impact on businesses, as well as the critical actions needed to protect the business. ‘How would we have fared in comparison?’ can form the basis of a useful discussion.
- Testing incident response plans: having a robust plan to respond to attacks and incidents is a basic good practice. Testing it at board level is often a very good way of bringing to life the practical challenges and decisions that would need to be made in the heat of the moment. How to communicate with customers and regulators, for example, or when to switch off systems – these are likely to be difficult decisions so testing out processes and working through key decisions can be very valuable for boards.
Another way of engaging on cyber security, at least for some board members, is to consider the role of assurance and commission additional work which specifically looks at cyber security. While the statutory audit includes some cyber-related risks, it is limited, and a more widespread review can provide boards with comfort that their organisation is managing the risks well and identify areas for improvement. As the UK government considers the regulatory environment around cyber security, providing greater assurance around these practices is likely to go up board agendas.
Board Toolkit
The UK National Cyber Security Centre (NCSC) provides a wide range of resources to help businesses of all sizes to implement good cyber practices, including some resources specifically targeted at boards. The 10 steps to cyber security, first published back in 2012, provides a baseline for the basic steps all organisations should be taking, especially large ones, and highlights some key questions for boards.
This has been supplemented by the Board Toolkit, which aims to provide a structure for discussions between boards and cyber security specialists. It covers a wide range of topics, including culture, organisational structures and expertise, risk management, threat intelligence, incident response and collaboration with suppliers and partners. In each case, it outlines the things boards should do, the key priorities for organisations as a whole and some discussion points to work out what ‘good’ cyber security looks like for the individual organisation.
In the process, it highlights 5 questions to get boards started in their discussions with their cyber teams, along with some possible answers to look for:
The board toolkit is supported by ‘Exercise in a box’, which is a tool to help organisations run incident management practices with boards and others. These resources are all free to use and feedback from members that have used them with boards is very positive.
A Tech Faculty webinar, in partnership with NCSC, will explain the board toolkit in more detail.
About the author
Kirstin Gillon, Technical Manager, ICAEW Tech Faculty