11 Oct 2022
by Dr. Bernard Parsons MBE

Does your Board understand how cyber impacts upon collective responsibilities? (Guest blog by BeCrypt)

Guest blog by Dr. Bernard Parsons MBE, CEO at Becrypt Ltd #Cyber2022

I recently reviewed the National Cyber Security Centre (NCSC) Board Toolkit, assessing its relevance to Becrypt and our customers. If you have not read it yet, it may well be worth doing so; some of its key themes are outlined below.

Expertise

There is growing evidence that cyber security is now a prominent Board issue. In the past five years, the percentage of Boards that consider cyber security a business risk has risen from 58% to 88% [1]. According to recent surveys [2] [3], cyber security is the most challenging issue to oversee, as Directors need to be able to ask second-order questions of the CISO. But such expertise is unlikely to be acquired through formal training - only 2% of Board members rank cyber expertise as the highest recruitment priority [4]. Of Directors who joined S&P 500 Boards in 2021, less than 4 percent have experience leading a function such as cyber or IT.

OK, enough statistics.

Addressing the expertise challenge

NCSC’s Toolkit aims to help develop relevant expertise and enable the right conversations within organisations, offering a brief introduction to cyber and then signposting where more information can be found. The Toolkit also demonstrates that discussing cyber issues at a high level does not require deep technical expertise. Boards are typically already competent at managing complex legal, financial or geo-political risks, even though not every member is a trained lawyer, accountant or diplomat.

Work out what you care about the most

Cyber teams cannot prioritise security controls without direction from the top. As not all cyber risks can be mitigated, the Board needs to set priorities by considering what is most valuable to the organisation. What are the 'crown jewels'? Which disruptions would have the highest impact? This needs to be an ongoing discussion: Boards have business insight that technical teams may not, and only by combining this with the technical teams' insights can you get a full picture of what is important to protect.

Integrate cyber security into your organisation's objectives and risks

As organisational dependencies on digital are complex and varied, cyber risk overlaps with operational, legal and financial risk. Cyber security therefore needs to be integrated with the organisation's business processes to be successful. Ultimately, the role of cyber security is to enable the organisation's objectives and competitive advantage - adding value rather than hindering progress. This requires a positive cyber security culture, together with appropriate investment in and management of cyber security.

Integrating cyber security in this way means learning to adequately answer the following questions:

  • As a Board, do we understand how cyber security impacts upon our individual and collective responsibilities?
  • As an organisation, who currently has responsibility for cyber security?
  • As a Board, how do we assure ourselves that our organisation's cyber security measures are effective?
  • As an organisation, do we have an effective and appropriate approach to manage cyber risks?

In summary

The questions, and the Toolkit in general, are designed to drive engagement at Board level that is relevant to individual Board members, and to drive engagement between the Board and the individuals or committees created to deliver business improvements. The questions demand that a high-level picture of the relevant controls and processes is painted, facilitating an ongoing engagement to judge their continued effectiveness and relevance in the wider business context.

References

[1] Gartner, 2021

[2] Diligent Institute, 2022

[3] Spencer Stuart, 2021

[4] PWC, 2021


Authors

Dr. Bernard Parsons MBE

CEO, Becrypt Ltd