The role of the Non-Executive Directors in effectively overseeing security
Being a non-executive director of a large company in today’s heavily interconnected environment is a challenging task. The multitude of diverse risks that you need to ensure are maintained under effective management control is wide and complex, none more so than security.
With a plethora of different security standards and frameworks against which an organisation can choose to align itself, coupled with the breadth of the security domain (covering everything from physical premises security to cyber security operations) and the ever-increasing threat landscape that the company operates within, it is a tough ask for a Non-Exec Director to maintain domain expertise in all of these areas, as well as in all of the other risk areas, in order to provide robust challenge and support.
Within the UK, the primary objectives of the Non-Exec Director are to ensure effective governance, to utilise their significant external expertise to support and, where appropriate, challenge constructively, whilst at the same time holding the executive team of the company to account. But after reviewing the Non-Exec Director statement of duties and speaking to several non-exec directors within large companies, it is clear that there is no formal definition of their role in ensuring effective security within the organisation.
Couple this with statements within the UK National Cyber Security Strategy, which outlines that the majority of cyber-attacks that organisations face within the UK succeed largely because of easily preventable vulnerabilities. In a lot of cases, it is not the sophistication of the attack but the vulnerability of the victim that is the deciding factor in whether the attack is successful or not.
The UK government is currently consulting with the information security community on the accreditation, professionalising and potential chartering of the Chief Information Security Officer (CISO) role. In our opinion this would be a welcome step forward in ensuring that only those with the right background and skills can hold the role of Chief Information Security Officer, very similar to that of an architect, barrister or solicitor. After all, the majority of the information the executive and non-executive team receive on security comes from the Chief Information Security Officer, so it is imperative that it can be relied upon.
The Non-Exec Director needs to ensure that they have absolute clarity over who is responsible and accountable for information security within the organisation, and who, around the board table, is the NED sponsor for the CISO. Who ensures that adequate time and exposure for this critical area is allocated within the board agenda? They need to know what information the company holds that is deemed sensitive across the full spectrum of operations, what the current level of risk exposure is, and which third parties play a role in the end-to-end data protection chain. They need to ensure that the IT and security leadership team have the complete picture. In our experience, it is still commonplace for companies not to have a 100% picture of the assets and infrastructure on their network, and if a piece of infrastructure is not known about, it cannot be effectively protected. This problem is compounded with the move to cloud, where anyone can spin up a service with a credit card. With all of this factored in, ultimately the NEDs need to know how the security and data risks within the organisation are being mitigated, what the current capability within the teams is, and what residual risk remains; they can then take an informed view on the next course of action.
Here at Cambridge Cyber Advisers, we often run sessions for company leadership, boards and non-executive directors, and the top question we always receive is “what are the questions we should be asking the security team?” It is immediately obvious why this should be the number one question. Non-Exec directors of stock market listed companies have fiduciary responsibility and accountability for the effective governance of the organisation on behalf of its shareholders, and they need to be able to discharge this accountability by ensuring appropriate challenge and that the right activities are being effectively performed. There are numerous sources of information available online on the right questions the board should be asking of their security team. We have tried to collate the best list below based on our experience.
- Is information security recognised by the executive team as a business issue rather than a pure IT issue?
- Do all of our employees understand the role they play in protecting the organisation?
- Is the ‘tone from the top’ clear and present? Are ‘we’ doing what we say in relation to security?
- Is security managed at a suitably granular level on the company’s risk register? A risk statement mentioning cyber is not enough!
- Is the Audit and Risk Committee providing the right level of internal governance and effective reporting back to the main board?
- Is the board receiving the right level of information and ‘meaningful metrics’ in order to be able to challenge / support effectively?
- Are we taking a threat led approach, ensuring we know the threat landscape our company operates within?
In addition, the audit and risk sub-committee, which is the normal structure within companies for overseeing security activities on behalf of the board, should also be getting into the detail with an effective security dashboard composed of meaningful metrics, key performance indicators and key risk indicators that clearly show the organisation’s cyber risk posture in relation to the organisation’s strategic risks.
So the Non-Exec Directors play a critical role in ensuring effective security within an organisation. Many are embracing this role and increasing their personal exposure to the topic by engaging cyber advisers, to ensure that the internal team are receiving the right level of challenge and that the right level of investment in terms of people and budget is allocated to the IT and security function to achieve and maintain risk tolerances or preferences.
Cambridge Cyber Advisers perform this role for companies of all sizes, ranging from medium-sized organisations up to FTSE 10 companies, ensuring that the organisation’s security journey is clearly understood at all levels and that security activities are being actioned in the right sequence for maximum risk reduction. Please get in touch to discuss your requirements.