News / Talk governance, get buy-in: selling cyber security to the Board
Working for the last 25 years in infosec and cyber, I’ve seen horror-story failures and heroic successes, as an interim adviser, non-exec, and senior in-house cyber expert.I’ve worked hard to bring awareness that drives the right actions – but I’ll be the first to admit that I have met with varying degrees of success.
Why? Because I myself repeatedly came up against the self-same set of circumstances that I’d seen time and again around me: well-intentioned, smart people failing to justify themselves to their seniors and Boards to provide the right levels of cyber defence.It’s a familiar story, right? So how can non-execs change the narrative for good, and start getting the Board onside with cyber?
Communicate cyber but speak the Board’s own language
The critical step here is to learn to speak their language – the language of the Board.
Here are a few examples of how to engage with the Board and advance the cyber security agenda, but in the Board’s own native parlance: governance!
Raise the spectre of risk management
Frame cyber security as risk management, and immediately it’s on the Board’s radar.
Why? Because the UK Corporate Governance Code of September 2014, in Section C.2 Risk Management and Internal Control, states as a main principle that “The Board is responsible for determining the nature and extent of the principal risks it is willing to take in achieving its objectives. “The Board should maintain sound risk management and internal controls.”
Clearly, this should include the management and controls to address the cyber risks to the business!
Speak to governance requirements around the Board’s composition
There’s plenty of cyber-friendly regulatory governance to support this.
Section B of the Governance Code, for example, addresses in B1 the main principle that “The Board and its committees should have the appropriate balance of skills, experience, independence and knowledge of the company to enable them to discharge their respective duties and responsibilities effectively.”
Yet looking at the traditional composition of Boards, whilst there is clear representation for finance, operations, sector experience (often sales), commercial/legal and sometimes HR, cyber security non-execs seem to be quite rare.
Driving the point home even harder, once more in Board-speak, is Section B.4:
“All directors should …… regularly update and refresh their skills and knowledge”.
What kind of update and refreshment is more critical than keeping up to date with constantly developing and morphing cyber threats and the risk they present to the business?
In short, (you should be arguing), for Boards to undertake their duties effectively and not be in breach of governance, they should have independent, non-exec cyber security skill representation within the Risk Committee.
Show the Board they’re falling short on strategy
Boards prize their strategy-setting status, but cyber is the key to showing them their strategy procedure lacks governance credibility.
Section A.4 of the Code, for example, imposes the following obligation: “…non-executive directors should constructively challenge and help develop proposal on strategy”.
But again, it is difficult for Boards to effectively develop or challenge cyber security strategy if there is not at least one non-executive director with the necessary cyber security skill and experience!
It’s the same with Section B.5, which states as a main principle that “The Board should be supplied in a timely manner with information in a form and of a quality appropriate to enable it to discharge its duties”.
Currently, the ability to challenge the quality and robustness of the Board reports is restricted by the traditional composition of those Boards, such that if cyber security is a topic reported then the reporting has to be accepted at face value.
Without non-executive cyber security experience on the Board, it is unlikely that the Board will be in a position to obtain suitable depth and cyber security insight as part of the regular reporting regime.
Governance fail, cyber fail.
Question the Board’s performance measurement
The Board’s evaluation of its own performance is a governance staple.
Section B.6 of the Code, Evaluation, states, “The Board should undertake a formal and rigorous annual evaluation of its own performance and that of its committees and individual directors”.
This should include an evaluation of the independent skills required to challenge and support the executive. Again, there is no logical way cyber security skills can be excluded from this mix, particularly when CSO or CISO executive directorships already present on the Board testify to cyber security’s strategic importance to the business.
At the next annual evaluation of the Board’s composition, Chairs must ensure that non-executive cyber security is added to the required skill and experience base – or potentially be in breach of governance!
Most importantly, speak Board!
So forget about technology, forget about the megaflops and forget about the jargon.
(Mandela famously nailed this when he said of the other party in a negotiation “If you talk to him in his language, that goes to his heart.”)
Speak Board and the Board will listen!
Rob Vann, Reliance acsn