In today’s interconnected world, cyber security is no longer just an IT issue — it’s a strategic priority that should be on every board’s agenda. The rise in high-profile cyber attacks, data breaches, and technology outages is reshaping the responsibilities of boards in the UK and globally. It is imperative that cyber security receives the same level of oversight and importance as other business risks, such as financial or legal risk.
The question is how board members should engage with this complex issue, especially given that many don’t come from technical backgrounds. Here’s a practical guide on what boards should know about cyber security and, more importantly, what they can do to drive meaningful action.
Cyber Security Is a Board-Level Responsibility
For too long, cyber security has been relegated to the back office, seen as a problem for IT teams to manage. However, it is critical that cyber security is treated as a core enterprise risk that demands active board oversight. Here’s why:
The Expanding Attack Surface: As organisations adopt new technologies like cloud, Internet of Things (IoT) devices, and AI technology, their "attack surface" grows. These technologies bring tremendous value but also create new vulnerabilities.
The Ease of Cyber Crime: Cyber attacks are becoming cheaper and easier to launch. For just a few pounds, an attacker can purchase tools to exploit weaknesses in even the most sophisticated organisations.
Regulatory Pressures: Boards are increasingly held accountable for cyber security issues, including operational failures or breaches. There are a number of regulatory drivers boards need to be aware of, including the UK’s GDPR and, for some CNI organisations, the NIS Directive. Frameworks like the NCSC Cyber Assessment Framework are one example of evolving regulatory requirements. Non-compliance can lead to heavy fines and reputational damage.
Mergers & Acquisitions (M&A): Cyber security risks can significantly impact the value and success of M&A transactions, yet they are often overlooked or underestimated during the due diligence process. Boards must embed cyber security into their governance frameworks, treating it as a key driver of business resilience and value creation.
What Can Boards Do to Strengthen Cyber Security?
To effectively govern cyber security, board members don’t need to be experts, but they do need to be informed, engaged, and proactive. Here are six key strategies:
1. Integrate Cyber Security into Strategic Decision-Making
Cyber security should be a recurring topic in board meetings, not just an occasional update. It must be embedded into the company’s overall strategy. Boards should ask management:
How does our cyber security strategy align with our business objectives?
Are we prioritising the protection of critical assets, such as customer data or manufacturing processes?
Have we sought expert, external assurance of our cyber maturity?
By linking cyber security to the organisation’s broader goals, boards can ensure it receives the attention and resources it deserves.
2. Enhance Cyber Security Expertise
The lack of cyber security expertise on boards is a common challenge. Boards can address this gap by:
Training and Education: Regularly attend workshops and industry conferences, and use resources like the NCSC’s Cyber Security Toolkit for Boards.
Engaging Consultants: Independent experts can provide insights into emerging threats and evaluate the organisation’s security posture.
Recruiting Cyber Specialists: Consider appointing board members with cyber security expertise to guide decision-making.
A knowledgeable board is better equipped to ask the right questions and hold management accountable.
3. Embrace Risk-Based Cyber Governance
Boards should prioritise a risk-based approach to cyber security. It is important they understand the criticality of assets to support decision making, and that they ensure proportionality and an outcome-based approach when implementing controls:
Understand the Threat Landscape: Make sure the organisation stays informed about the latest threat actors operating in its sector, how they operate, and the organisation’s own vulnerability posture.
Define Risk Appetite and Tolerance: Decide how much risk the organisation is willing to accept. The goal is to establish the minimum acceptable level needed to meet the organisation’s strategic objectives.
Demand Risk Integration: Ensure that cyber-risk analysis is part of all major decisions; it should be included and embedded across the different processes within the business.
Mature, Outcome-Focused Metrics: Boards must move beyond receiving raw data (e.g., the number of phishing emails received) and demand mature, accurate, and outcome-focused metrics. These metrics should provide clear insights into risk exposure and assess whether cyber security investments are delivering the intended results, empowering boards to make informed strategic decisions.
4. Foster a Culture of Cyber Resilience
It is important boards understand how security fits into the culture of the organisation: where security is, where it can be, and where it should be on the cultural spectrum. Cyber security culture often starts from the top, and board members play a critical role.
Encouraging Collaboration: Ensure cyber security teams work closely with other departments like legal, compliance, and operations.
Promoting Awareness: Support company-wide cyber security training to help employees identify and report potential threats.
Engaging in Simulations: Participate in tabletop exercises and cyber attack simulations to understand how prepared the organisation is to respond to incidents.
Cyber security is not just about technology - it’s about people and processes.
5. Stay Ahead of Regulatory Changes
It is vital boards stay abreast of the regulatory landscape and understand how it impacts the organisation.
Understand Applicable Laws, Contractual Requirements and Compliance Frameworks: Boards should familiarise themselves with frameworks like GDPR, the NIS Directive, and PCI DSS v4. Each has unique requirements for breach reporting, data protection, and compliance. These frameworks don't just have unique requirements; sometimes they also set explicit expectations for boards - e.g. NIS2 (Article 20(2)):
“Member States shall ensure that the management bodies of essential and important entities approve the cyber security risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.”
Monitor Compliance: Regularly review the organisation’s compliance status and address any gaps.
Engage Legal Counsel: Work with experts to ensure the organisation’s cyber security practices meet regulatory standards.
In a global economy, boards must also account for differences in international regulations and ensure these are incorporated into the company’s response plans.
6. Ask the Right Questions
Board members don’t need to be cyber security experts, but they do need to ask probing questions that drive accountability. Key questions include:
What is our current cyber security risk profile and has an independent cyber risk assessment been carried out?
Have we aligned to any best practice framework, and is there a cyber security strategy?
What is our overall cyber security posture?
Are we adequately resourced to address our cyber security needs?
How do we handle third-party risks in our supply chain?
Have we rehearsed our incident response plan? If we faced a major attack, could we recover?
By challenging the executive team, boards can ensure the organisation is not just reacting to threats but proactively preparing for them.