I have a lot of sympathy for UK boards of directors.
UK boards of directors have had cyber pushed onto their agenda by the government, regulators and the Financial Times for several years. Unfortunately many board members are ill-equipped to fully understand the executive decisions regarding cyber that they are now being prompted to review. This is exacerbated by a similar lack of understanding of cyber security among executive management teams and by a lack of communication skills and business acumen among CISOs.
There is a lot of black-and-white reporting by CISOs to boards, declaring either outright success or outright failure of cyber initiatives. This is driven in part by the board's lack of understanding combined with the lack of time it has to try to understand the content. When CISOs are allowed near boards they tend to show a relative lack of communication skills compared with other senior management, and they are careful not to undermine their own achievements. As a result both CISOs and boards tend to jump into discussing apparently fait-accompli solutions before the full complexity of the issues has really been communicated and understood. The underlying problem is that cyber security remains an unsolved problem that requires continual attention and refresh. There is a lot of grey in real-world cyber security management, and boards of directors unfortunately only discover it when investigating the aftermath of a major breach.
Boards of directors are usually made up of very clever and committed individuals, but they are, for the most part, part-time generalists with a very broad remit. In theory their role is to oversee executive management rather than to make decisions themselves, although a CEO who disagrees with their board tends to have a short tenure. Little is formally required of boards beyond financial competence in signing off the accounts and acting in the interests of the asset owners. The financial services regulators in the UK can set quite fearsome tests of competence for proposed board members, but there is no requirement for technical literacy or cyber competence, which is an issue for increasingly technology-driven digital companies.
There has been some discussion in the corridors of power of a defined 'cyber competent person', but little of any practical nature to define what that means. To my knowledge a number of boards have also recently been investigating the concept of a cyber-specialist non-executive director to head up focused risk committees; a colleague of mine mentions a number of US boards who have done exactly that in her blog here. This sounds interesting but is harder to imagine in the UK (especially in financial services firms) given the existing financial-competence requirement. If you thought good cyber people were hard to hire before, now ask them to take on liability for signing off a FTSE 100 firm's accounts as well. Unicorns are just not rare enough to be a good analogy anymore.
Another emerging cyber challenge I wouldn't relish as a board member is balancing the national security aspects of addressing systemic cyber risk against acting within the powers granted by the constitution of the firm. Most boards are empowered by asset owners to ensure the firm makes money. Spending cash and time addressing systemic cyber risks that don't specifically reduce the risk to the firm itself may well go beyond the board's fiduciary responsibilities. As firms have become the front line in nation-state-sponsored, cyber-enabled economic warfare, this question will keep coming to the fore.
If a firm ensures it receives no more damage than any other firm during a systemic attack, but does not contribute to the prevention or limitation of such an attack, then it is delivering prudent risk management. If instead it invests hundreds of millions in capabilities to actively defeat such an enemy, does the board leave itself vulnerable to asset owners who think there could have been a more profitable use of that money? I suspect we may eventually see legislation that not only makes good corporate cyber citizenship a responsibility, much like having a concern for the social and economic context of the firm, but also provides the legal basis for a board to oversee a firm that takes a more collaborative view and reach.
We have seen an increasing convergence between commercial and state interests since the mid-20th century, which was the normal state of affairs prior to the early 18th century. There have long been 'real world' mercenaries, and now their cyber equivalents are increasingly coming to light. Moving beyond the more combative roles, collusion or mutual support between states and commercial enterprise has a long history, but the global reach and multinational nature of markets makes this convergence increasingly uncomfortable to navigate. Some boards may find themselves thrust into the front line of geopolitical conflicts in which they have little or no direct interest or role apart from as a target or as collateral damage. Other boards may find themselves coming under regulatory pressure to fix the defences around systemic problems, beyond the reach of states, in the market infrastructures operated or dominated by their businesses.
The need to understand and navigate the cyber world is pressing for boards, which must adapt quickly as the world continues to change around them. Scenario planning leading to some form of targeted exercise or training is a good vehicle for starting towards a cyber-competent board, but in the long term it will likely take the appointment of cyber-specialist non-executive directors to ensure boards are truly able to peer through the clouds of grey in cyber security management and provide effective oversight.
How about requiring all board members to undergo cyber security awareness, in line with their existing role? One thing I was taught early on in security risk management was the benefit of a wide variety of views – note, talking about risk, not the technical side. I’m not sure boards need a single super-expert unicorn as you’ve described, when the decisions they are required to make at board level are never black/white, true/false. (I fully sympathise with the difficulty in getting a cyber person to take on that liability…)
I’ve tried to approach this in practice by framing and phrasing a ‘cyber’ risk into each of the typical CxO perspectives. It’s time-consuming, but I think it’s better than having one mega-risk called ‘cyber attack’ that is meant to represent all the lower-level technical/asset-specific risks.
Cyber security awareness… yes, absolutely. If a CISO and his exec mgmt sponsor don’t do it, the FT will do it for you, which rarely ends well.
Boards generally want to know what the right decision is (according to their exec mgmt team), how it compares to their peers, and what the risks of not making that decision are versus the proposed rewards. They don’t want to be told about a problem because it’s not their job to solve problems, unless they are exceptional business-ending issues. The problem is that they don’t get much detail around the risks of taking or not taking a decision, or about the peer response, which means they get presented with a decision in an area they don’t understand but do worry about, which they effectively have to wave through untested.