Corporate boards must sharpen their awareness of cyber issues and take a more proactive approach towards preventing data breaches at their companies, according to a new report from security specialists Savanti.
Published on 11 September, the report, “Effective Board Governance of Cyber Security: A source of competitive advantage”, highlights a series of potentially dangerous gaps in boards’ current handling of this territory. Its opening pages cite recent PwC figures showing that almost 60% of directors believe their boards are not very effective at understanding the drivers and impacts of cyber risks within their organisations.
One of the main reasons for that knowledge gap, the report points out, is the low number of directors with expertise in cyber or related areas, such as technology, data management or corporate security. And even though some boards are actively targeting their recruitment of new non-executive directors (NEDs) at candidates with the relevant profiles, sluggish talent pipelines and slow board turnover are limiting the pace of change: very few boards have explicit term limits, and more than half (51%) of those with mandatory retirement ages have set the cut-off at 75 or older, compared with 20% a decade ago.
A chief technology officer (CTO) interviewed for the report noted: “I’ve been an advocate for many years of boards needing to have more technology capability. There’s a lot of people there who have deep financial understanding and competence – but as more and more organisations are driven by a technology landscape, not having good technology experience there for governance and oversight is a real weakness.”
Another major issue is a disconnect between board members and their companies’ chief information security officers (CISOs), with the latter often preferring to deliver dry, jargon-laden technical briefings rather than contribute to strategic, risk-based discussions.
An NED told the report: “One of the things that’s wrong with the cyber industry is it’s very technically focused and dominated by people who speak technobabble and obsess about the minutiae of some interesting engineering element, as opposed to the big picture around risk and the controls that make the biggest difference.”
In the course of its interviews and research, Savanti identified four common board postures on cyber security.
1) Unengaged
The report attributes this unengaged stance to several factors, including that some directors simply do not see cyber security as important. Others prefer not to speak first for fear of exposing their lack of understanding. According to Microsoft NED and senior security specialist Anne Woodley, most boards don’t know what questions to ask to be able to challenge CISOs, “so they move on because they don’t want to look stupid”.
2) In the weeds
Boards get bogged down for two main reasons. First, when CISOs focus on threats and controls, they tend to lead directors away from strategic, risk-based discussions and into detailed technical matters. Experienced NED Paul Cutter told the report that the conversation must be based around “stuff [that boards] understand and care about”, which will help to shape the organisation’s response. Second, boards that tend to micromanage in general will also micromanage cyber security.
3) Deferential
Even boards with a measure of specialist expertise can be tempted to defer to the CISO, especially if that individual is a good communicator – an issue the report dubs “the cyber-board trust paradox”. Deferential boards, it notes, are often cyber-aware enough to ask the right questions, but not enough to understand the answers – and their deference to the CISO limits the scope for the discussions that would mature their posture.
4) Engaged
In this best-case scenario, boards with high-quality cyber governance understand that they are responsible for ensuring that the executive is managing the relevant risks effectively for the entire business. Any board in that category is engaged, informed, constantly learning and in ongoing dialogue – not just with its CISO, but among its own members – about how best to tackle the cyber risks facing its organisation.
With that in mind, the report urges boards to adopt the following action points.
1) Understand your unique role as a board
In relation to cyber security, boards have four roles:
- setting the company’s appetite for cyber risk;
- understanding how to calibrate the organisation’s resilience and recovery reflexes;
- keeping up to date with cyber security developments and asking the right questions; and
- being prepared for a crisis.
2) Be appropriately informed about technology, data and cyber security
Chairs should:
- encourage directors to educate themselves;
- invite experts in to brief the board;
- allow and encourage NEDs to be in contact with CISOs between board meetings; and
- ensure that directors have access to independent board advisers.
3) Put cyber security on the board’s agenda
Boards should make cyber a regular discussion point at their meetings, focusing on the topic at least quarterly – and more frequently in the event of any critical, ongoing issue. Any company with particularly elevated technology, data and/or cyber risks should consider establishing a technology committee within its board.
4) Provide directors and the executive team with access to independent cyber security advisers
As Money&Co founder and CEO Nicola Horlick told the report: “The normal audit is all about the figures – it’s not necessarily about processes and making sure that you’ve got the best things in place for areas like cyber security. So, I think it’s important for boards to get someone to perform that independent assessment and advisory role.”
In a statement, Savanti CEO Richard Brinson said: “Many investors see cyber as the canary in the coalmine for the health and resilience of a business – if a company can demonstrate effective cyber preparedness, it is a sign of the strength of their overall leadership, operations and governance.”
ICAEW Head of Tech Policy Esther Mallowah says: “Effective board governance of cyber security has been a challenge for many years and, as the report highlights, progress has been made in acknowledging its importance. However, implementation remains a challenge – largely because of knowledge and skills gaps.”
She notes: “Measuring and articulating cyber-skills levels among board members can be tricky, and competency frameworks could perhaps assist with this. Boards should recognise that developing cyber and digital skills is an ongoing process, reflecting the evolutionary nature of technology and cyber threats. As such, independent advisers can certainly help to fill knowledge and skills gaps. While those advisers will typically be external, boards should also take care not to overlook independent internal functions, such as technology audit, as sources of potentially valuable insight.”