One issue around which many boards and companies are rapidly developing their thinking, their systems and their processes is cyber security. While it’s just one aspect of the digital disruption that businesses are navigating, it’s a bit mucky and uncomfortable.
When it comes to cyber for businesses, the directors and executive teams all need to get comfortable with the unknown — because as much as businesses can plan for what a likely cyber attack will look like, we never really know. That’s how hacks happen.
So, how can boards equip themselves to help a business navigate cyber, and what should non-executive directors (NEDs) who don’t have a technical background be doing so they can participate in the conversation and add value?
In the past, many boards thought that recruiting an ex-CTO or CIO gave them security and allowed the other directors to defer to them on anything to do with IT and technology issues — whether it be strategy, design, systems, processes, hardware, or cyber threats. Today’s best option is when the entire board and executive upskill and don’t wait to strengthen their systems and processes after a breach has happened. Doing that is like buying an alarm after your house has been robbed.
Today, COVID has pushed more businesses online and cyber breaches are happening every day. While it may be only the big ones that make the news, even sole traders are impacted. Businesses have never had access to more personal data and behavioural patterns than they do now, so the onus is on them to protect their customers’ privacy.
The Accenture 2020 Cyber Threatscape Report found that businesses that operate an anytime-anywhere, transparent, calm, simple and ‘build for resilience’ approach will be best equipped to manage cyber threats. But what is the implication of this on directors?
The relevance of cyber security has meant non-executive directors who don’t have a classic functional technology background (I’m one of them) have had to upskill — fast — and continue to build our knowledge about trends and threats, new approaches and systems so that we can contribute and add value in the boardroom. It’s now rightly a priority that the whole board needs to be knowledgeable.
Here are some ways non-technical directors can build their knowledge and keep up to date with the evolving and unchartered area of cyber:
- Develop the right mindset The first step in building a functional understanding so that you can participate in critical discussions is to acknowledge that cyber is never going to go away. The second and third steps are to acknowledge that no-one in the business will ever truly know what a threat looks like for your business and that you need to be open to changing your viewpoint regularly on what good cyber security looks like. Change is guaranteed and we can all participate in a more valuable way when we admit what we don’t know and commit to never stop learning.
- Make it a priority COVID has definitely made this the case for most businesses, but if it hasn’t yet, cyber should be tabled on the agenda at every board meeting. Not only does this make cyber a board priority, but it has the effect of making it a cultural priority within the exec team and this filters through to the larger business. Cyber is now a business priority, not a tech priority that sits with the IT department. Putting cyber on every meeting agenda also helps the board as a group to build knowledge around cyber, share the latest data, and implement regular adaptations to the company’s approach to cyber. It’s a strategic risk but could also be a strategic advantage for business evolution.
- Consult with experts While the board and the executive can prioritise cyber security and do much of the required leg work when it comes to systems and processes, engaging experts brings a highly-focussed and independent perspective to critical cyber issues. They enable boards to identify future trends and potential threats, and the right expert will challenge a board’s thinking and rigorously test systems, people and potential gaps. Consulting with experts and inviting them to address the board should be diarised in a board’s professional learning calendar and mandatory for the board and key management personnel.
- Tailor your cyber thinking Because it’s the norm for a NED to be on several boards, when it comes to cyber we need to adapt the way we think about it for each company we advise. This is the case even when we’re talking about businesses operating in the same industry. Every business has different cyber strengths and weaknesses, gaps and threats. Even different employee cultures and processes play a role when it comes to impacting what good cyber security looks like for a business. So it’s imperative that we pay attention to these and don’t apply assumptions or learnings across the board. This is where industry-relevant threat intelligence is essential so we can mould our learnings to each business.
- Attend webinars, events and briefings While COVID cancelled events worldwide, it also pushed many events and training opportunities online making it easier than ever to attend and build knowledge. I’ve registered for this one with the AICD. It also opened up global events to the directors based here in Australia. Learning from markets like the US and Europe is a critical step in building our cyber knowledge about what threats can look like here. Plus, insights from global experts on future trends, case studies and industry-specific issues make attending overseas webinars and briefings accessible and invaluable.
- Read This one seems almost too simple to list here, as it’s so obvious. The one thing I will point out is that cyber needs time dedicated to reading — more than most board issues. We are lucky to work in a time when so much excellent information is available to us. When I subscribe to newsletters I always tick technology and risk as interest areas so that the latest information comes to me easily and from trusted sources. Some of the resources I rely on personally are McKinsey & Co’s insights reports, each of the regular updates from the Big Four accounting firms, and relevant tech newsletters such as IT News. Seems simple, but it works.
As the Australian Government and businesses consider legislative changes around cyber security, it’s more relevant than ever for non-technical directors to commit to being knowledgeable about cyber. This will ensure we can add value in the boardroom, uphold our governance requirements on cyber and instill cyber resilience within all the businesses we serve.