Corporate boards must sharpen their awareness of cyber issues and take a more proactive approach towards preventing data breaches at their companies, according to a new report from security specialists Savanti.

Published on 11 September, Effective Board Governance of Cyber Security: A source of competitive advantage highlights a series of potentially dangerous gaps in boards’ current handling of this territory. Indeed, its opening pages cite recent PwC figures showing that almost 60% of directors believe that their boards are not very effective when it comes to understanding the drivers and impacts of cyber risks within their organisations.

One of the main reasons for that knowledge gap, the report points out, is the low headcount of directors with expertise in cyber or related areas, such as technology, data management or corporate security. And even though some boards are actively targeting recruitment of new non-executive directors (NEDs) towards candidates with the relevant profiles, sluggish talent pipelines are slowing the pace of change. Very few boards have explicit term limits, and more than half (51%) of those with mandatory retirement ages have set cut-offs of 75 or older – compared with 20% a decade ago.

A chief technology officer (CTO) interviewed for the report noted: “I’ve been an advocate for many years of boards needing to have more technology capability. There’s a lot of people there who have deep financial understanding and competence – but as more and more organisations are driven by a technology landscape, not having good technology experience there for governance and oversight is a real weakness.”

Trust paradox

Another major issue is a disconnect between board members and their companies’ chief information security officers (CISOs), with the latter often preferring to dispense dry and jargonised technical briefings, rather than contribute to strategic, risk-based discussions.

An NED told the report: “One of the things that’s wrong with the cyber industry is it’s very technically focused and dominated by people who speak technobabble and obsess about the minutiae of some interesting engineering element, as opposed to the big picture around risk and the controls that make the biggest difference.”

In the course of its interviewing and research, Savanti identified four common board postures for cyber security.

1) Passive

The report attributes this unengaged stance to several factors, including the issue that some directors don’t see cybersecurity as important. Meanwhile, others prefer not to speak first for fear of exposing their lack of understanding. According to Microsoft NED and senior security specialist Anne Woodley, most boards don’t know what questions to ask to be able to challenge CISOs, “so they move on because they don’t want to look stupid”.

2) In the weeds

Boards get bogged down for two main reasons. First, when CISOs focus on threats and controls, they tend to lead directors away from strategic, risk-based discussions towards high-level, technical matters. Experienced NED Paul Cutter told the report that the conversation must be based around “stuff [that boards] understand and care about”, which will help to shape the organisation’s response. Second, boards that tend to micromanage in general will also micromanage on cyber security.

3) Deferential 

Even boards with a measure of specialist expertise could be tempted to defer to the CISO, especially if that individual is a good communicator – an issue that the report dubs “the cyber-board trust paradox”. Deferential boards, it notes, are often cyber aware enough to ask the right questions, but not enough to understand the answers – and their deference to the CISO limits the scope for discussions that would mature their posture.

4) Cyber-engaged

In this best-case scenario, boards with high-quality cyber governance understand that they are responsible for ensuring that the executive is managing relevant risks effectively for the entire business. Any board in that category is engaged, informed, constantly learning and in ongoing dialogue – not just with its CISO, but among its own members – about how best to tackle the cyber risks facing its organisation.

Elevated risks

With that in mind, the report urges boards to adopt the following action points.

1) Understand your unique role as a board

In relation to cyber security, boards have four roles: 

1. setting the company’s appetite for cyber risk; 
2. understanding how to calibrate the organisation’s resilience and recovery reflexes; 
3. keeping up to date with cyber security developments and asking the right questions; and
4. being prepared for a crisis.

2) Be appropriately informed about technology, data and cyber security

Chairs should i) encourage directors to educate themselves, ii) invite experts in to brief the board, iii) allow and encourage NEDs to be in contact with CISOs between board meetings and iv) ensure that directors have access to independent board advisers.

3) Put cyber security on the board’s agenda

Boards should make cyber a regular discussion point at their meetings, focusing on the topic at least quarterly – and more frequently in the event of any critical, ongoing issue. Any company with particularly elevated technology, data and/or cyber risks should consider establishing a technology committee within its board.

4) Provide directors and the executive team with access to independent cyber security advisers

As Money&Co founder and CEO Nicola Horlick told the report: “The normal audit is all about the figures – it’s not necessarily about processes and making sure that you’ve got the best things in place for areas like cyber security. So, I think it’s important for boards to get someone to perform that independent assessment and advisory role.”

In a statement, Savanti CEO Richard Brinson said: “Many investors see cyber as the canary in the coalmine for the health and resilience of a business – if a company can demonstrate effective cyber preparedness, it is a sign of the strength of their overall leadership, operations and governance.”

ICAEW Head of Tech Policy Esther Mallowah says: “Effective board governance of cyber security has been a challenge for many years and, as the report highlights, progress has been made in acknowledging its importance. However, implementation remains a challenge – largely because of knowledge and skills gaps.”

She notes: “Measuring and articulating cyber-skills levels among board members can be tricky, and competency frameworks could perhaps assist with this. Boards should recognise that developing cyber and digital skills is an ongoing process, reflecting the evolutionary nature of technology and cyber threats. As such, independent advisers can certainly help to fill knowledge and skills gaps. While those advisers will typically be external, boards should also take care not to overlook independent internal functions, such as technology audit, as sources of potentially valuable insight.”