CHAPTER 10: BOARD-LEVEL COMMITMENT AND INVOLVEMENT

In the past, cyber security was thought of as primarily an issue for the IT department. In a world where technology forms an integral part of the business, however, ensuring that technology works as it should is part of an organisation’s strategy, and as such a matter for the board. How well an organisation delivers its IT services both internally and externally directly impacts how satisfied its customers are, and therefore its overall business success.

Furthermore, without board support, any cyber security project will likely fail – if not through a lack of resources, then through the lack of organisation-wide commitment. At the end of the day, if staff see that top management are not taking security seriously, they will follow their example.

Securing board-level commitment

To secure top-level commitment, it may pay to focus on how the possible impact and cost of a cyber incident are now more severe than ever. There is not just a growing body of legislation under which organisations could face hefty fines – most notably the GDPR – but data breaches and cyber attacks also receive more media coverage now than ever before. In turn, this can lead to significant financial and reputational damage. Clearly, cyber security is a business issue, and therefore a matter for the board.

Having said that, do not just rely on shock tactics like citing real-life incidents experienced by partners and competitors, or you risk executives switching off as such scenarios simply seem too unlikely. Instead, emphasise that cyber security is an increasingly important prerequisite to compete for business, and that the board’s visible support is essential to the long-term success of any cyber security programme.

If you want to be more specific about the types of business opportunities improved security may bring, you could focus on security schemes that are common prerequisites for big contracts – especially government ones – and how even a basic scheme like Cyber Essentials requires senior management to sign off on the certification process before certification can be awarded.

Finally, it may also be worth reminding directors that they have a duty under Section 172(1) of the UK Companies Act 2006 (and equivalent laws in other jurisdictions) to consider “the likely consequences of any decision in the long term” and “the desirability of the company maintaining a reputation for high standards of business conduct”.

Demonstrating board support

First, the board must appoint a senior executive to take responsibility for cyber security. It must also ensure that sufficient resources are allocated to manage cyber risks effectively.

Cyber security should also be a topic discussed at board meetings on a regular basis. Such meetings should keep the board up to date with the threat landscape and any emerging risks, so it can respond appropriately where required by, for example, allocating further resources.

The board should also provide direction and support to the organisation’s cyber security efforts by, for example:

Signing off information security policies (also see Chapter 23) and certification applications;

Setting relevant objectives and integrating them into business processes;

Identifying possible barriers to implementation by talking to operational-level managers about their concerns, and finding ways to overcome those barriers;

Giving regular briefings on the importance of cyber security and the steps the organisation is taking;

Providing a keynote address or introduction to cyber security training materials; and

Visibly adhering to security best practice themselves, and welcoming suggestions for improvement.

Remember that the key is to be visibly adhering to company policies, promoting best practices, supporting lower-level staff, and so on. If the board only guides from behind closed doors or delegates its responsibilities to others, many of the benefits of board support will be lost.
