This discussion between Ian Davies, Deputy Chairman of BMT Group and Senior Independent Director at the Institute of Chartered Accountants in England and Wales and Nick Wilding, global head of cyber resilience at AXELOS Global Best Practice, tackles some key questions that boards and senior executives have to be asking in the face of corporate damage being caused by increasing cyber-attacks:
(NW) Q1. So what does cyber resilience mean to you?
(ID) It’s a thorough response to a whole-enterprise risk management issue. Where cyber security addresses the technical aspects, effective cyber resilience assesses the business impacts of cyber risks and encompasses the critical human factors required to better protect the information and systems most critical to success. No enterprise is bullet-proof against cyber criminals. A key challenge they face is to identify quickly when an attack is happening and to take appropriate steps to prevent it doing serious damage. That may require responding publicly to reassure customers, suppliers and shareholders – often this public response extends rather than limits the damage already caused.
Q2. How do we know what we need to protect?
Each company’s success – its reputation and competitive advantage – is unique. The board has to understand what the critical information and systems are that enable this success and decide where they must focus their investment and often limited resources. It may include fixed assets, intellectual property, information and systems in the cloud, customer data and supplier relationships which, if compromised, could cause long-term damage to the business.
Q3. How can the board effectively manage cyber resilience governance and assurance?
I think cyber risk is neglected in the boardroom of many organisations. However, directors are now realising that it’s not simply an IT matter and it is consequently rising up the board agenda. The board should set the right tone from the top and regularly communicate the importance of good resilience to all their people. They need to create an environment where their people have the confidence and are encouraged to speak out, suggest ideas and share their experiences, even if it’s in response to an unusual style of email from the CEO. Boards should designate an executive director to take the lead on cyber resilience, someone whose variable pay will be performance-related. It might mean recruiting someone new with the required expertise, or promoting someone internally – maybe the CISO or IT director – to provide an in-depth, quarterly business briefing. This should focus on the risks and vulnerabilities that affect business strategy, growing the business and delivering great customer service – the board’s critical priorities.
Q4. How important are standards, frameworks and best practice?
They are very important. Government and business have collaborated to design and launch new initiatives, such as the Cyber Essentials scheme in the UK, which promote good cyber security practices. Complying with standards and frameworks is an essential part of an effective response, and will address the majority of simple weaknesses, but compliance is only one part of an effective response. It’s a good starting point but organisations need to view cyber as a critical risk that needs managing constantly. It’s about continual learning and adaptation, in the same way organisations regularly adapt and evolve their technical security controls to meet ever-changing threats. I believe all company boards would benefit from some foundation cyber resilience learning designed to raise awareness and insight and to promote better quality debate at board level.
Q5. What role do all our staff need to play in protecting what’s most precious to us?
Your people should be your most effective defence against cyber attacks. Yet they need innovative, engaging and regular learning to achieve this. Many boards don’t know how effective their current cyber awareness training and learning is, or how to measure that. Mostly, organisations continue to rely on annual e-learning that is often unengaging and repetitive. Typically, it has little or no long-term effect on changing or sustaining resilient behaviours. They should take a lead from the airline industry which has an enviable safety record for good reason: constant drills, training and retraining.
Q6. What do you advise boards do to create an effective incident response plan in the event of a crisis?
Boards should treat cyber resilience in a similar way to managing fire risk. Staff don’t object to hearing the fire bell tested every Tuesday or standing in the car park once a month as part of the drill. So, directors should undergo a simulation exercise which involves a cyber security breach scenario. In that instance they would need to know the key people essential to managing an effective response to a cyber-attack. Which directors are contactable and are all their contact details readily available? A good simulation – that takes up board time rather than business operations time – will test people and needs to be repeated as cyber risks evolve. The more effective the planning, the less likely you’ll need to use it; when getting an almost real-world sense of the time and cost involved in managing a cyber incident, companies will develop new controls and processes to make a breach less likely.
Q7. What advice would you give to board directors who are beginning to ask themselves key questions about cyber resilience?
Board directors need to imagine the most uncomfortable questions they could face at a public accounts enquiry and what answers they would give. Such questions could include:
- Who is responsible for cyber resilience on the board?
- How many times has cyber resilience come up in board decisions?
- What steps do you take to protect the security of your customer data?
- Are you confident that all your people are being provided with regular, relevant and engaging cyber awareness learning?
- How do you effectively manage your third party cyber risks?
- What are you doing to ensure your internal policies, for example your bring-your-own-device policy, are not exposing the business to greater risk?
Even if a board relies upon a non-executive director for expertise in cyber resilience initially, it remains a whole-board responsibility for policy in terms of cyber threats, risks and responses.
Q8. How can you build a sustained, integrated and collaborative approach across the organisation most effectively?
The approach has to be a combination of continual risk assessment training and multiple forms of communication in order to tackle an ever-evolving threat. When people are exposed to the key messages about cyber risk in a variety of ways then the message is more likely to get through and become embedded in the culture.
Q9. What can board directors do today to help minimise the cyber risks faced by their organisation?
Send a copy of this article to their board chairman and ask for cyber resilience to be an agenda item for the next available meeting. Ask the company secretary for any internal audits of cyber security and ask the external auditors for a copy of recent management letters and their reports on cyber resilience. Finally, be prepared for the cyber resilience agenda point at the next board meeting. It’s not a topic where you and the rest of the board should be sitting there in an awkward and uninformed silence.