Boards and Executives

There is an increasing need to move the issue of cyber security from the domain of the IT department up to the level of the Executive and/or Board.  An organisation-wide response is required to properly mitigate cyber security issues. This section provides a guide for leadership discussions about cyber security risk management.

Put cyber security on the agenda before it becomes the agenda - Institute of Directors.

Understanding cyber security risk for your business is a challenge that boards and directors must become comfortable with.  As cyber risk is better understood as an enterprise wide issue, rather than a technology risk, “(B)oards need to take responsibility for cybersecurity to be able to lead in a digital age,” Institute of Directors Acting CEO Simon Arcus says.

To help boards in this leadership role, during Connect Smart Week 2015 the Institute of Directors launched a new course and practice guide for directors.

The new course – Leading in a Digital Era – focuses on the leadership role boards need to play in being successful in the current business environment, while the Cyber-Risk Practice Guide offers five principles to help boards understand and monitor cyber-risk, develop strategies for seeking assurance, and oversee management. It also poses critical questions directors have a duty to ask.

  • To download a copy of the Cyber Risk Practice Guide please follow this link.
  • For more information on the Leading in a Digital Era course please follow this link.
  • For more information on the Institute of Directors please follow this link

Advice for Boards and Directors - National Cyber Security Centre

Basic information risk management has been shown to prevent up to 85% of cyber attacks.

Organisations should take steps to review, and invest where necessary, to improve security. Executives and Board Members need to lead the development of a cyber security culture in their organisation.

  • Incorporate cyber risks into existing risk management and governance processes
  • Elevate cyber risk management discussions to the Executive
  • Implement industry standards and best practices
  • Evaluate and manage your organisation’s specific cyber risks
  • Provide executive oversight and review
  • Develop and test incident response plans and procedures
  • Develop a policy on working on Home and Mobile Devices
  • Ensure your organisation has cyber security training and awareness
  • Establish account management processes to limit user privileges and monitor/log user activity
  • Produce a policy to control access to removable media, e.g. limit use and scan for malware before importing onto the corporate system
  • Establish a monitoring strategy for all ICT systems and networks so that unusual activity is identified
  • Apply security patches and ensure that the secure configuration of all ICT systems is maintained
  • Create a system inventory and define a baseline build for all ICT devices
  • Establish anti-malware defences that are applicable and relevant to all business areas
  • Manage the network perimeter. Filter out unauthorised access and malicious content. Monitor and test security controls.
The above advice incorporates work originally researched, drafted and published by the National Cyber Security Centre and its international partners. Download a copy of the NCSC guide for Board and Executive members: Cyber Security and Risk Management - An Executive level responsibility.

Connect Smart tips for Boards and Executives

If you are uncertain about your organisation’s ability to manage its information risks, here are some practical steps that can be taken through corporate governance mechanisms:

  1. Confirm that you have identified your key information assets and the impact on your business if they were to be compromised.
  2. Confirm that you have clearly identified the key threats to your information assets and set an appetite for the associated risks.
  3. Confirm that you are appropriately managing the cyber risks to your information and have the necessary security policies in place.

Companies may not have all the expertise needed to implement some of these steps and assure themselves that the measures they have in place meet today’s threats. Audit partners should be able to provide assistance in the first instance. For information risk management expertise, organisations should seek advice from members of appropriate professional bodies or those who have attained industry recognised qualifications.

For government users, the Government Chief Information Officer (GCIO) has established a single panel to provide support to government agencies to continually improve their privacy and security practices. Find out more about the panel on the ICT website.