How NEDs can get on top of cyber risks

Cyber attacks are becoming ever more prevalent, sophisticated and damaging. But despite the growing threats, cyber risks don’t always get enough time, scrutiny and challenge from the Board. In many cases, overuse of technical jargon in the reporting can limit discussions. 

That’s why it’s so important that non-executive directors (NEDs) know the right questions to ask to cut through the jargon and give them assurance that the cyber security bases are being covered. Key questions for you as a NED include: 

1Do I have a clear view of the cyber risk appetite, strategy, and plan?

The ‘right’ approach demands balance – setting cyber risk appetite that balances the organisation’s value chain and strategic differentiators with necessary controls. As a Board member, you should have a clear understanding of your organisation’s risk appetite and be able to influence how this applies to cyber risk. You should also have a clear view of the cyber risk positions, the gaps in defences and the costed strategy and plan to address these deficiencies. This will give you confidence that the risks are understood and that the pace of remediation is aligned with your organisation’s risk appetite. 

You should also be seeing a regular (e.g. annual) independent cyber capability maturity assessment against an industry standard framework such as the NIST Cyber Security Framework.

2Am I receiving the ongoing reports needed to understand key cyber risks and assess how they are being managed and mitigated?

The top-level risk dashboards and other reporting statistics you receive need to clearly demonstrate the cyber risks in business terms and reflect the metrics that matter within your organisation when it comes to measuring control effectiveness, the accountabilities to deliver against those controls and the understanding of any actions needed to maintain progress against your defined risk targets.

Cyber security assessments can often be laden with technical jargon, lack business context or be too generic to translate into meaningful targets and interventions. It’s therefore important that your organisation can distil cyber security risk into an intelligible assessment that you can easily understood and therefore oversee and challenge to ensure the organisation is managing the risk effectively and increasing its cyber risk posture. 

3Are we having sufficiently productive conversations at the Board about cyber security?

How Berkeley can help

At Berkeley, we have experience of helping organisations through all stages of their cyber journey. We can help to:

• Define your cyber strategy to set clear goals and ensure alignment with business strategy 
• Deliver your cyber transformation programme 
• Deliver cyber resilience capability uplifts in areas such as executive training, incident response preparation and business continuity planning
• Deliver specific projects in your cyber portfolio that you may be struggling with
• Rebuild and strengthen your cyber capabilities post cyber-attack
• Provide cyber assurance to meet a range of internal and external demands including Section 166 regulatory reviews 
• Engage your executive team, Board and operational stakeholders on how to manage cyber risks effectively and increase your cyber resilience.