How can non-executive directors help tackle the cyber security challenge?

09 January 2018

Non-executive directors (NEDs) have an important role to play in helping private businesses define a comprehensive approach to cyber security. An outside perspective can be invaluable to executive management teams who are struggling to adapt to new digital threats.

I’ve set out seven principles that boards can use for governance of cyber security risk. Using this framework, here are the questions I believe NEDs should be asking at monthly board meetings.

1)    Does the board understand its exposure to cyber security threats?

Understanding exposure is the first step to ensuring an adequate response. HR data is a valuable source of information for hackers; they're not always looking for financials.

Can the leadership team identify why they might be targeted by hackers, what makes them vulnerable and what the impact of a successful attack might be? Do their clients or customers heighten the risk? Do current insurance policies cover a cyber breach?

2)     Does the organisation have the appropriate capability and resources?

Having an empowered and well-resourced security function is key to keeping organisations secure.

Are the board confident in the capability of their security function and its leadership? Can they drive a broad response to an attack across the whole firm if required? Is the CEO taking an active role in owning cyber security?

3)     What framework and approach is in place to respond to cyber attacks?

Addressing cyber attacks requires more than cyber security controls. Streamlined technology, established processes to reduce human vulnerabilities, and cyber security as a top consideration in all business decision-making are crucial.

Has the organisation considered process vulnerabilities, such as weak registration processes or poor password management? Does the business measure the extent of its exposure to cyber threats?

4)     Has the organisation’s cyber security been independently tested and reviewed?

Independent testing will help assess the effectiveness of the organisation’s response to different attack techniques. Ethical hackers can help identify weak points and stress test systems.

Are cyber security defence systems and protocols being regularly validated by independent analysis? Is the speed with which issues are resolved being measured?

5)     Is there an incident response plan in place for the wider business?

Cyber security incidents are inevitable. Responses need to be considered not just from a technical point of view, but also from the perspectives of business management, reputation management and management of legal and regulatory risk.

How will an incident be communicated to the wider business, suppliers, service providers, customers and the media? What is the company’s track record for incident response and what could be learnt?

6)     What is the legal and regulatory environment?

Cyber security cuts across an increasingly complex legal and regulatory environment globally. Understanding relevant regulation is key to having a watertight response.

Is the cyber security response compatible with industry regulation, data protection regimes, national security legislation, reporting requirements and product liability?

7)     How is this organisation collaborating to prevent future attacks?

No organisation can protect itself in isolation. Attackers commonly breach one organisation to target another and replicate successful attack techniques rapidly. Collaborating is essential to mitigate risks.

Is this organisation sharing cyber security information with relevant authorities, competitors and consumers?

I hope you found these questions a useful starting point to help boards structure their governance of cyber security risks, debate and make the tough decisions required to build an adequate response to threats.

If you have any questions or would like to discuss the themes of this blog in more detail, please contact Richard Horne.



Richard Horne
Profile | Email | +44 (0)20 7213 3227


