UK Boards Struggle For Coherent Cybersecurity Board Governance
Cybersecurity is now the responsibility of the board of directors and a large majority of UK boards are still struggling to find a coherent approach to cybersecurity. The need to have a cybersecurity expert sitting on your board has never been so clear. There is increasing acknowledgment of the threat and growing recognition of its complexity, but a solid response is lacking at many UK companies.
A 2018 survey of the FTSE 350 companies by the UK government, called the “FTSE 350 Cyber Governance Health Check”, shows that 72 per cent of these large UK companies now consider cybersecurity a high or very high risk, but less than half, only 46 per cent, have a dedicated cybersecurity budget.
Developing a well-conceived and effective board governance model for cybersecurity is essential. Boards need to take a step back and work out the governance framework first. Then, working closely with cybersecurity experts, a full-scale response should be created, implemented and then effectively tested.
The Board Governance Model For Cybersecurity
The first step, according to a report by the Advanced Cyber Security Center, is for boards to develop a holistic and dynamic understanding of an organisation’s cybersecurity risks and responsibilities – this is the decision-making framework. To achieve this, the board “needs direct access to CIOs, CISOs and risk officers, along with all the business executives responsible for their own data risks in a distributed accountability model,” the report explains.
The next step is to create a framework for the board’s engagement with management on this issue – enabling collaboration. “Boards should be able to ask questions that management hasn’t thought of,” the report comments.
The board should serve as an advisor to management, providing strategic guidance on cybersecurity and helping to guide management’s strategic risk evaluation. Few UK boards are ready to provide this kind of guidance, as most boards have not yet developed a sufficient partnership with management, the report shows. Boards need more access to expertise, either through a board member with cybersecurity skills or through a third-party expert. The board can then build confidence with management in its ability to formulate a cybersecurity strategy. To help achieve the needed expertise at the board level, “CISOs and CIOs should present jointly at board meetings to provide a holistic view of digital strategies and security,” the report continues. “Boards as a whole should review cybersecurity more consistently as a business risk; the risk or audit committee should be used for more frequent (at least quarterly) cyber reviews.”
Finally, the board should move to supporting operations. The first step is a complete inventory of systems and the respective internal controls. “Start with your ‘crown jewels’ – and by that, [we] mean the information assets whose loss expectancy exceeds your risk tolerance,” warns the Manchester office of cybersecurity advisor Coalfire in a recent report.
Most UK companies are in the process of implementing digital transformation projects, and additional investments for security may strain budgets. As cybersecurity budgets continue to grow, budget fatigue has become a frequent concern shared by CFOs, CEOs and boards. This is partly because cybersecurity investments are treated as “separate” from IT investments, so neither budget on its own gives a complete picture of security spend.
The Advanced Cyber Security Center recommends that boards should review these projects with cybersecurity as an integrated element. There should be a security-related aspect as part of all IT-related decisions in general.
Both boards and management require cyber risk frameworks that provide a means to make informed risk judgments. Unfortunately, “Cybersecurity hasn’t yet developed the standard, historically proven risk frameworks that financial and audit risk functions have refined over decades,” leaving management with little to rely on. There is a danger that boards and management can become distracted with the search for quantifying cyber risk, and this means they are unlikely to spend enough time on critical strategic decisions, as the report makes clear.
“Boards should prioritise and support senior management’s development of a new generation of outcome-based cyber risk management frameworks, and in the meantime, executives should use only a few operational metrics with boards,” the report concludes.
Diligent: Board Governance Support For Cybersecurity
Diligent, the pioneer in modern governance, has created a suite of integrated SaaS applications that provide the means to achieve all these objectives. Our board governance software helps boards prepare the governance framework they need for effective performance, as well as the board governance applications that enable implementation of that framework, addressing all the key areas where boards need support.
First, Diligent Governance Cloud provides a vast library of insights on board governance and how to implement it. Next, the secure and reliable communications that our board portal enables drive discussion. And all that discussion, along with other documents and memoranda, is stored in encrypted form on the board portal, so that directors can access it at any time and update it in real time.
Then our board management software offers tools to implement policies for every aspect of board governance. There is an application for board succession planning that scans thousands of candidates so that you can find the right ones for your board. Another app supports creating a matrix for board composition and helps determine the best possible board members for the organisation’s mission. The governance library of materials will help board members make informed decisions about how to work with management or on formulating strategy. And a board evaluation app makes this process easier and more effective.
All these functionalities work seamlessly with Diligent’s Governance Cloud, which provides a secure, cloud-based system that supports every aspect of a board’s work. Diligent makes it just as easy to access policies so board directors can review them according to legal or regulatory mandates, business objectives, risk and internal controls. Diligent’s Governance Cloud enables the creation of board governance that leads to improved performance.