Cyber security for Boards
Cybersecurity is a significant organisational risk and needs the active attention and oversight of` Boards. This means delving deeper and ensuring there is adequate governance, preparedness, resilience, as well as partnerships with the organisation to manage cybersecurity threats.
The principles for cyber-risks are no different to other areas of organisational risk.
Boards must understand the risks, determine their risk appetite and seek assurance around management. There are six underlying ways that boards should approach their oversight of organisational cyber risks:
1. Be actively engaged on cyber security issues.
Access expertise and put cybersecurity on the board agenda. Boards should have ready access to cybersecurity expertise. Discussions about cyber-risk management should be given regular time on the board meeting agenda.
2. Take an organisation wide approach.
Boards should approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue. Cyber security should be thought of in the same way that 'health and safety' is.
3. Establish good governance mechanisms
Cyber security is a organisation wide risk and Boards should see an enterprise-wide cyber-risk management. This will likely include an overarching framework and regular categorisation of the risks with frequent discussion around which risks can be avoided, accepted, transferred, or managed.
4. Understand the legal and regulatory context.
Boards should understand the legal implications of cyber-risk as they apply to the organisation’s specific circumstances. Do this for your organisations primary legal location and the international locations your organisation conducts its business in.
5. Support preparedness and resilience building.
It is only a matter of time before your organisation will be impacted in some way by cyber attacks and it is important to foster appropriate preparedness. This could include running simulation exercises that test the organisation as this will show the Board how ready and resilient the organisation really is.
6. Encourage partnerships.
Cyber security is a team sport and its highly likely that your organisation will need to work closely with suppliers, third party cyber security expertise, government agencies, sector/industry, and non-government entities. Boards need to encourage the organisation to be well connected to their eco-system and contribute to its resilience.
Comments