Cyber Security For Boards: Governance Principles To Consider

Cyber security is a key concern for almost every board member. But how best should directors discharge their duties?

Evidence suggests that so far board awareness of cyber security risk is not driving better preparedness. Boards of directors can and should play an important role in protecting organisations from the increased risk of cyberattack.

There are some useful resources available for board members, providing guidance on what to do to ensure that cyber security risks are being properly managed by the executive team. We review a couple of those below.

Background

We’ve written before about Cyber security and boards, including:

This post focuses on more specific resources available for boards, supporting how they should manage cyber security – one resource from the AICD and the other from the UK National Cyber Security Centre.

AICD Cyber Security Governance Principles

The Australian Institute of Company Directors has published Cyber Security Governance Principles, designed to provide better practical guidance for directors to oversee and engage with management on cyber security risk.

The AICD’s key principles include:

  • Set clear roles and responsibilities: Directors should clearly understand and delineate their roles and responsibilities in managing cyber security. They also need to ensure that there is a dedicated leadership team responsible for cyber security.
  • Understanding the cyber security environment: Directors must be aware of the cyber security landscape, including the types of threats the organization may face. Ongoing education and awareness programs should be in place for the board.
  • Embed cyber security in existing risk management processes: Cyber security risks should be integrated into the overall risk management framework. Regular risk assessments and updates on the organization’s cyber security posture are essential.
  • Promote a culture of cyber resilience: Cyber strategy, proactively overseen by the board, can be a business enabler by identifying opportunities for the organisation to build cyber resilience. Cyber resilience includes response and recovery plans for potential cyber incidents. Stress testing and simulations can help ensure preparedness for cyber incidents.
  • Third parties and Supply Chain: Risks with third parties and the supply chain must be understood and managed, with regular review and audits of third-party cyber security practices.
  • Legal and regulatory compliance: Directors should understand and stay informed about cyber security laws and regulations and ensure the organization remains compliant.
  • Continuous improvement: Cybersecurity is an ongoing process that requires continuous monitoring and improvement. Directors should encourage a culture of continuous improvement and adaptation to new threats.
  • Culture and awareness: Promoting a strong cyber security culture within the organization is crucial.

The principles were published in 2022 and provide easy-to-understand, high-level guidance.

The AICD Top 10 Director Questions

Roles and responsibilities
  1. Does the board understand cyber risks well enough to challenge?
  2. Who has primary responsibility for cyber security in our management team?
Cyber strategy
  3. Who has internal responsibility for the management and protection of our key digital assets and data?
  4. Where and with whom are our key digital assets and data located?
Cyber risk management
  5. Is cyber risk specifically identified in the organisation’s risk management framework?
  6. How regularly does management present to the board or risk committee on the effectiveness of cyber risk controls?
Cyber resilient culture
  7. Is cyber security training mandatory across the organisation and is it differentiated by area or role?
  8. How is the effectiveness of training measured?
Cyber incident planning
  9. Do we have a Cyber Incident Response Plan, including a comprehensive communications strategy, informed by simulation exercises and testing?
  10. Can we access external support if necessary to assist with a significant cyber security incident?

UK NCSC Cyber Security Toolkit for Boards

The UK National Cyber Security Centre has also published a comprehensive set of cyber security resources for boards.

One of the fundamental premises is that the role of boards is to ensure that cyber security is embedded across the organisation:

Cyber security is not just ‘good IT’. It should be integrated into organisational risk management and decision making, and all the business units in your organisation should be clear about their cyber security obligations and responsibilities. Done well, cyber security will enable your organisation’s digital activity to flourish, adding value to your business. It’s also a team sport, and as Board Member, it’s vital that you empower everyone.

The UK NCSC resources include a series of briefing packs covering the following:

They are short and easy to follow. There is a supporting series of useful documents, including the Board Toolkit Questions. The questions provide an excellent starting point for boards. They are designed to encourage productive cyber security discussions between non-technical functions (such as legal, procurement and HR) as well as technical teams.

The questions cover the following:

Embedding cyber security in your organisation
  1. Has an independent cyber security risk assessment been carried out?
  2. Is a cyber strategy in place?
  3. Does cyber security feature in the priorities of all business units across the organisation?
  4. Does everyone know where accountability and responsibility sit?
  5. Do all board members get involved in discussions of cyber security?
  6. Do cyber security reports help support decision-making?
Developing a positive cyber security culture
  1. As a board member do you lead by example?
  2. Can you demonstrate a collaborative approach to security policy and process design?
  3. Do you have a ‘no-blame’ culture?
  4. Do your security metrics focus on success rather than failure?
Growing cyber security expertise
  1. Can your HR team point to specific cyber skills areas which are currently needed by the organisation, and is there a plan to address the gaps?
  2. Are you seeing improvements in metrics of cyber hygiene?
  3. Do you have good employee retention in key cyber security roles?
  4. Does the diversity of your staff compare favourably with business and industry-reported figures?
  5. Does your organisation review cyber skills to establish gaps on a regular basis?
  6. Does the board have sufficient knowledge to make strategic decisions about cyber security?
Identifying the critical assets in your organisation
  1. How complete and up to date is your inventory?
  2. Do you have assurance that changes are considered and recorded to keep the baseline up to date?
  3. Does the board have assurance that the critical assets are known, who is responsible for each asset, what it is used for and where it is stored?
  4. Have the priority objectives been clearly communicated and is there assurance that those priorities guide cyber security efforts?
Understanding the cyber security threat
  1. Can board members name the top cyber security threats faced by the organisation and outline the measures that are in place to mitigate their impact?
  2. Do threat assessments involve representatives from across the business, and are they linked to your cyber risks?
  3. Do you have relationships with representatives from other organisations in your sector?
  4. Are your experts attending key cyber security events?
Risk management for cyber security
  1. Do we know the current risks the business is exposed to from cyber events?
  2. Do we have a process that ensures cyber risk is integrated with business risk?
  3. Do we have an effective approach to managing cyber risks?
  4. Has the board clearly set out what types of risks it would be willing to take, and those which are unacceptable?
Implementing effective cyber security measures
  1. Are effective security metrics shared with the board?
  2. Does the board understand the overarching purpose of the cyber security measures?
  3. Can new implementations of cyber security measures be traced to the risks they mitigate?
  4. Are new implementations of cyber security measures being rolled out in close engagement with the workforce?
  5. Has your cyber security posture been reviewed in the past 12 months?
Collaborating with your supply chain and partners
  1. Is supplier performance being regularly measured against defined metrics, and is this visible to board members?
  2. Is your organisation developing threat assessments and incident response exercises in collaboration with suppliers and partners?
  3. Are high-severity supply chain risks tracked and reported to the board?
  4. Does the organisation have a defined process for onboarding and managing suppliers?
  5. Are products/services provided by partners/suppliers documented?
Planning your response to cyber incidents
  1. Does your organisation have an incident response plan in place, and do you regularly exercise it?
  2. Does every board member understand what’s required during an incident?
  3. If a significant cyber incident has occurred in the recent past, can the person responsible for cyber security report what improvements have been made?
  4. Are cyber incidents considered in the design of your Disaster Recovery (DR) and Business Continuity Plans (BCP)?
  5. As an organisation, do we know where we can go for help in an incident?

These UK NCSC questions align with those in the AICD Principles, reinforcing that boards should ensure there is:

  • allocated responsibility for cyber security at the highest level of the organisation;
  • an understanding of cyber security risks;
  • a cyber security strategy directed at the identified risks;
  • incident response and supply chain management controls in place;
  • a process for monitoring and measuring the effectiveness of the cyber security controls.

Conclusion

There is little doubt that the number of cyberattacks will continue to grow with the steady adoption of new technologies and digital transformation. Boards are aware of the issue but are struggling to provide the direction and strategic oversight that organisations need.

Although there is a growing focus on the role of boards, it remains to be seen whether boards and organisations will be able to respond in a timely and effective way to these increasing challenges.

Resources:

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.