Today, nobody challenges the need to treat cyber security at board level. Everyone recognises its strategic importance. However, many board directors are struggling to find the best approach to this new generation of risks.
One difference from the more traditional risks (financial, operational, business, compliance or reputational risk) is that these are quite well known, well documented, and don't evolve that fast, except in crisis situations such as the COVID-19 pandemic. Today's board directors know these traditional risks well, have been exposed to them during their careers and know how to handle them. Managing them is part of their leadership curriculum, and companies normally have mature processes to deal with them.
Cyber risk, by contrast, has grown together with the importance of technology and digitalisation in business. These are often new topics for executives and board directors, and the risk management processes around them are rarely mature. Cyber has also often been confined to experts, such as IT security teams. As a result, the appropriate knowledge and experience isn't readily available at board level, and board directors don't feel at ease with it. The horror stories about nation-state attacks and data breaches appearing daily in the papers or newsfeeds only add to the discomfort.
As a board director, you can turn this lack of cyber knowledge into a real strength by asking candid, common-sense open questions:
- Which key business processes rely on IT and digital tools and assets?
- How could these digital processes and assets be hit by cyber attacks?
- What would the business consequences be? How bad could they get? What is the likelihood of a significant impact?
- How well is the company protected against these attacks? Can they be detected? Does management know how to recover from them?
- How well equipped is the company to handle a crisis caused by a cyber breach? How do you know it is well equipped?
- Does the company have the right means, expertise and resources to achieve all of this? Are these measures effective? How do you know they are?
- How do you measure all of this?
- What do you know you don't know yet?
If you are the executive in charge of cyber, e.g. the Chief Information Security Officer (CISO), and you are asking yourself how to introduce this complex topic to the board in a smart way: wouldn't it be great to put yourself in the board directors' shoes, and realise how ill-equipped many of them feel even though they fully acknowledge that this matter falls under their responsibilities as directors? And wouldn't it be great to find ways to deal with that successfully?
Executive coaching can also help you achieve that!