Advice for Non-executive Directors
The UK Government has issued this advice on balancing cyber security risk & reward with confidence. Not always an easy task – in fact one of the biggest challenges any senior cyber security stakeholder has is ensuring that the Board understands how cyber security risks affect the business.
Knowing What You Don’t Know
As the guidance points out, the things any Director should be worried about are the things they don’t know about today. We see this all the time – security issues are often somewhat obscure in detail, and consequently the business impact is not widely acknowledged at an executive level. All too often, there is a big disconnect between the technical aspects of the security discussion and the corresponding business conversation that should be taking place at Board level.
A great example here is penetration test reporting. It’s not always easy for a non-technical person to understand the implications of a particular finding. Does the penetration test report include a plain English management summary? Can the Director be confident that issues that may impact the business are being addressed?
Understanding Cyber Security Risk & Reward
Of course there’s more to building and maintaining a secure environment than simply conducting penetration tests, but if there’s one thing that can improve overall security, it must surely be better communication between all stakeholders. This is where the role of the Non-Executive Director can be hugely influential. There’s a great opportunity to enable the Board to make informed decisions about cyber security risks – and that is definitely good for business.