How to get your Board to be cyber-savvy
17 May 2017
Every week it seems there is another significant data breach or cyber-attack hitting the headlines, with the CEO having to explain what went wrong and what their organisation is doing about it. But by then the damage has been done, and there are some companies for which the first thing that springs to mind is a cyber-attack or breach.
Reputational damage and lost customer trust can take years to repair, and significant financial penalties may also follow, especially in regulated industries and, in relation to personal data, under the new General Data Protection Regulation (GDPR), which comes into force in May 2018.
All of this means that it has never been more important for organisations to be able to demonstrate that they are doing all of the right things to:
- Prepare cyber defences and sufficiently protect data;
- Respond swiftly if there is a breach and limit the impact; and
- Recover and repair the damage, considering aspects such as communications, compensation, insurance and implementing improvements from the lessons learnt.
However, many organisations are still well behind in terms of maturity of their cyber security and data protection. One of the root causes is lack of awareness and understanding at Board level of cyber risks and what can practically be done about them. This filters down into a lack of investment, lack of ownership and ‘heads in the sand’ in relation to cyber risk.
I have been supporting a number of organisations, of all shapes and sizes, to create Board awareness. While there are a number of effective ways to do this, one way I have found to increase the likelihood of sustained Board engagement is to run a Board awareness session on cyber risks, threats and practical mitigation steps. Making it interactive (and, dare I say, fun?) for the Board, as well as informative, achieves the best outcomes. Rather than having to absorb technical issues explained to them through PowerPoint or a report, they learn for themselves through a relatively short session. Done well, this gets the Board to sit up and take notice, become comfortable that they understand the key issues, assign some real ownership and invest in cyber security.
There are many ways to do this, and if you have a session that has worked for you we’d encourage you to share it with your industry colleagues during this Business Continuity Institute Cyber Awareness Week. The most successful way my teams at PwC have brought these awareness sessions to life (and avoided the dreaded ‘death by PowerPoint’!) is to use a workshop built around a game that we call Game of Threats™.
Game of Threats™ is literally a game that the Board play during an interactive workshop. It is designed for senior leaders who do not necessarily have a day-to-day understanding of cyber issues, and uses a head-to-head strategy format to challenge players to make quick, high-impact decisions and to assess their readiness to respond to a cyber-attack or data breach. In our workshops, the Board get the opportunity to play both the attackers and the defending company. It is a very effective way to get them to feel confident about the key issues. By using a game to familiarise the Board with different types of threat actor and their preferred methods, they walk away with a better understanding of the steps the organisation needs to take to secure itself.
If you’d like to share your success stories or your challenges, we’d love to hear them and you can use the comments page or drop me an email or give me a call. I’m also happy to answer any questions you might have about Game of Threats™ in the same way.