
How NEDs can get on top of cyber risks

Dave Machin

Cyber attacks are becoming ever more prevalent, sophisticated and damaging. But despite the growing threats, cyber risks don’t always get enough time, scrutiny and challenge from the Board. In many cases, overuse of technical jargon in the reporting can limit discussions. 

That’s why it’s so important that non-executive directors (NEDs) know the right questions to ask to cut through the jargon and give them assurance that the cyber security bases are being covered. Key questions for you as a NED include: 

1. Do I have a clear view of the cyber risk appetite, strategy, and plan?

The ‘right’ approach demands balance – setting cyber risk appetite that balances the organization’s value chain and strategic differentiators with necessary controls. As a Board member, you should have a clear understanding of your organization’s risk appetite and be able to influence how this applies to cyber risk. You should also have a clear view of the cyber risk positions, the gaps in defences and the costed strategy and plan to address these deficiencies. This will give you confidence that the risks are understood and that the pace of remediation is aligned with your organization’s risk appetite. 

You should also be seeing a regular (e.g. annual) independent cyber capability maturity assessment against an industry standard framework such as the NIST Cyber Security Framework.

2. Am I receiving the ongoing reports needed to understand key cyber risks and assess how they are being managed and mitigated?

The top-level risk dashboards and other reporting statistics you receive need to clearly demonstrate the cyber risks in business terms and reflect the metrics that matter within your organization when it comes to measuring control effectiveness, the accountabilities to deliver against those controls and the understanding of any actions needed to maintain progress against your defined risk targets.

Cyber security assessments can often be laden with technical jargon, lack business context or be too generic to translate into meaningful targets and interventions. It’s therefore important that your organization can distil cyber security risk into an intelligible assessment that you can easily understand, and therefore oversee and challenge, to ensure the organization is managing the risk effectively and improving its cyber risk posture.

3. Are we having sufficiently productive conversations at the Board about cyber security?

Open and honest conversations are critical in ensuring that risks are understood and not ‘brushed under the carpet’ or hidden in technical jargon. You should be discussing how the changing threat landscape is impacting your organization’s risk exposure, and whether any changes are required to the agreed investment plan for remediation as a result. You should also be continually reviewing the current and target risk positions to ensure they reflect the current context and that the necessary progress is being made in improving the organization’s risk posture. If you’re having control or metric-oriented discussions rather than risk-oriented discussions, there may need to be a re-balance of focus.

How Berkeley can help

At Berkeley, we have experience of helping organizations through all stages of their cyber journey. We can help to:

  • Define your cyber strategy to set clear goals and ensure alignment with business strategy 
  • Deliver your cyber transformation program 
  • Deliver cyber resilience capability uplifts in areas such as executive training, incident response preparation and business continuity planning
  • Deliver specific projects in your cyber portfolio that you may be struggling with
  • Rebuild and strengthen your cyber capabilities post cyber-attack
  • Provide cyber assurance to meet a range of internal and external demands including Section 166 regulatory reviews 
  • Engage your executive team, Board and operational stakeholders on how to manage cyber risks effectively and increase your cyber resilience.

Get on top of your cyber risks

Discover the key cyber-related questions other members of your leadership team should consider:

  • CEO: Strengthen your security and readiness to respond.
  • CFO: Ensure external stakeholders are satisfied.
  • Head of Procurement: Ensure your supply chain security.
  • CISO: Improve your ability to navigate the cyber landscape.
  • CRO: Enhance your security and risk management.
  • CIO: Allocate the right roles and responsibilities.
  • CHRO: Create a culture of security across your organization.