Cyber security for boards
Board support has long been recognised as vital to achieving good cyber security. But boards have often struggled to have good conversations with cyber security specialists and understand their risks around cyber. So how can boards make sure that they are asking the right questions and getting good answers from their cyber security teams?
The starting point for boards is a recognition that cyber security is not simply a matter for the IT department. Cyber risks go across all aspects of the business and thinking about them needs to be integrated at all levels of strategy and operation. That could include the cyber risks of rolling out new digital products and services, the impact of cyber attacks on company operations, the reputational or commercial damage of a major data breach or the fines that could be levied by regulators in the event of significant failings in security.
Traditionally, though, cyber risk has been seen through the prism of IT and it has been hard to shift this perception. Chief Information Security Officers (CISOs) have often reported into IT, and the technical language of security has led to significant communication gaps with boards. However, this has been changing. Many businesses are recognising the tensions between security and IT, when judgments have to be made which balance security, speed of delivery and functionality. Consequently, it is now increasingly common for a CISO to report into a risk-related function rather than IT, which may help to make discussions less technically-orientated.