The non-exec's dilemma: cyber security liability versus knowledge
12:00 Friday, 23 October 2020
UK Cyber Security Council
Becoming a non-executive director (NED) is an important step on the career ladder. Once you are “in”, it can become self-perpetuating: you are lending your skills and experience to the companies whose boards you have joined, and in return you gain fresh skills and experience from fields you had perhaps not previously explored.
The Institute of Directors sounds an interesting note of warning to prospective NEDs, however: “It is important to note that UK law does not distinguish between executive and non-executive directors - all board members have the same duties and responsibilities. Becoming a NED is therefore a serious undertaking which requires self-examination and detailed research into companies which present a NED opportunity”.
Cyber security expertise is far less common on company boards than “traditional” skills such as finance or management. Yet cyber risk is up there among the top items on organisational risk registers. So as a NED, not only do you need to do the “detailed research” into the company that you are joining, but there is an additional question to ask: how does one align the cyber threats one does not inherently understand with the liability that exists despite use of the words “non-executive” in the job title?
There are two parts to the answer.
First, find out about cyber security. This initially sounds glib, but in fact some understanding of cyber security is essential. And there really is no excuse not to have a basic knowledge because: (a) as a director of a business you should have at least a basic understanding of all elements of the business’s operation; and (b) although there are many technical elements to cyber security, one can gain a solid understanding of the concepts without being technically minded. Even before the rampant growth in online security seminars and tutorials that has happened as a result of the COVID-19 pandemic, the number of online learning opportunities was vast; with the move online due to COVID-19 the number has increased by an order of magnitude – and the cost has plummeted. There really is no excuse for not finding out the basics.
Next, ask for the facts. Just as you expect, say, the CFO to prepare the financial statements rather than having to do them yourself, ask the business for comprehensive data on security. As with the financial data, you want facts and trends: subjective opinion does not belong in a security report, and if you want the opinion you can invite the security specialist to a board meeting and ask for it. Even without in-depth security expertise you can tell, for example, where a vulnerability rating of “C” for a web site is lower than the “A” that is required by the policy, or where the trend of PCs with up-to-date patch levels is down rather than up.
With just some basic knowledge of cyber security – which generally does not have to be overly technical or complicated – you can gain a surprising level of understanding of the cyber posture of the business.
And as an independent board member, you know enough to prompt you to influence the executive team to put resources where they are needed in order to address deficiencies.