Too many Board decisions are being made without considering cyber security, leaving companies open to increased information risk and threats, say APMG International and Templar Executives. The cyber security training and certification firms have called for a serious shake-up to traditional Board meetings and for non-executive directors to hold directors to greater account for their cyber decisions.
APMG warned earlier this month that understanding cyber security and acting on it has now become part of a Board member and non-executive director’s legal duty of care to a company. However, both firms claim that today an alarming number of Board decisions are made without looking at them through a cyber security lens.
Andrew Fitzmaurice, CEO of Templar Executives, award winners of the ‘Best Cyber Security Firm 2015’*, said: “Up until this point, the building blocks of decision making have typically omitted the cyber security threat landscape. While there is an argument to say that this is verging on corporate negligence, it is just a symptom of routine; the Chief Information Security Officer might come to the Board meeting twice a year to give a briefing that few understand. This needs to change. The cyber security threat landscape is too complex, fast-paced and important for Boards to ignore. This is a leadership and business issue. Boards must accept accountability and proactively foster a positive and holistic cyber security culture incorporating governance, policy, people and processes, as well as technology – so good practice becomes the norm.
“The most successful Boards start every meeting with a quick dashboard of the cyber security threat landscape and how they are doing, as well as the level of maturity to prevent and defend against attacks. From this point on, the company is in a position of strength to make decisions, with improved confidence, to meet business outcomes,” he said.
Richard Pharro, CEO of APMG, adds that this must come from a business angle and not a technical one to add the value, by making sure that everyone is speaking the same language: “Cyber security is still a new element for many Boards; they haven’t previously had the knowledge or inclination to prioritise it. Often, compliance is thought to be enough, but Board members need to take more of an active role in assessing cyber security. It’s crucial for them to be able to answer questions about what the business benefits of sound cyber practices are, or the impact on the bottom line of neglecting security. Without this, cyber security can be easily ignored or pushed to the bottom of the agenda.”
He concluded: “Non-executive directors have an important role to play here and are in the unique position to challenge their Boards on cyber security. The challenge is that many non-executive directors have not been exposed to cyber security in their past roles, so they can lack the knowledge and confidence needed to act on it. This highlights the importance of high quality training for non-executive directors to help them understand cyber security landscape. CESG Certified Training courses provide confidence that training is of a high standard and up-to-date with current thinking.”