Dave Machin
Cyber attacks are becoming ever more prevalent, sophisticated and damaging. But despite the growing threats, cyber risks don’t always get enough time, scrutiny and challenge from the Board. In many cases, overuse of technical jargon in the reporting can limit discussions.
That’s why it’s so important that non-executive directors (NEDs) know the right questions to ask to cut through the jargon and give them assurance that the cyber security bases are being covered. Key questions for you as a NED include:
The ‘right’ approach demands balance – setting cyber risk appetite that balances the organization’s value chain and strategic differentiators with necessary controls. As a Board member, you should have a clear understanding of your organization’s risk appetite and be able to influence how this applies to cyber risk. You should also have a clear view of the cyber risk positions, the gaps in defences and the costed strategy and plan to address these deficiencies. This will give you confidence that the risks are understood and that the pace of remediation is aligned with your organization’s risk appetite.
You should also be seeing a regular (e.g. annual) independent cyber capability maturity assessment against an industry standard framework such as the NIST Cyber Security Framework.
The top-level risk dashboards and other reporting statistics you receive need to clearly demonstrate the cyber risks in business terms and reflect the metrics that matter within your organization when it comes to measuring control effectiveness, the accountabilities to deliver against those controls and the understanding of any actions needed to maintain progress against your defined risk targets.
Cyber security assessments can often be laden with technical jargon, lack business context or be too generic to translate into meaningful targets and interventions. It’s therefore important that your organization can distil cyber security risk into an intelligible assessment that you can easily understood and therefore oversee and challenge to ensure the organization is managing the risk effectively and increasing its cyber risk posture.
Open and honest conversations are critical in ensuring that risks are understood and not ‘brushed under the carpet’ or hidden in technical jargon. You should be discussing how the changing threat landscape is impacting your organization’s risk exposure, and whether any changes are required to the agreed investment plan for remediation as a result. You should also be continually reviewing the current and target risk positions to ensure they reflect the current context and that the necessary progress is being made in improving the organization’s risk posture. If you’re having control or metric-oriented discussions rather than risk-oriented discussions, there may need to be a re-balance of focus.
At Berkeley, we have experience of helping organizations through all stages of their cyber journey. We can help to:
Discover the key cyber-related questions other members of your leadership team should consider
Strengthen your security and readiness to respond. Read more.
Ensure external stakeholders are satisfied. Read more.
Ensure your supply chain security. Read more.
Improve your ability to navigate the cyber landscape. Read more.
Enhance your security and risk management. Read more.
Allocate the right roles and responsibilities. Read more.
Create a culture of security across your organization. Read more.
Share: