While we as individuals struggle to stay on top of the proliferating reports of Cyber incidents at companies we often know and regard as well managed, how are boards expected to keep their Cyber risk management practices current? Many boards now dedicate more time to Cyber risk management during board meetings. As NEDs, we can shape the discussion of Cyber risks in the boardroom. How much of the board’s attention should be given to technology? How is Cyber risk management different from the management of other risks? How can the organisation we serve best align strategy and Cyber risk management? However, the step from understanding the risks to taking action can be challenging: the Cyber Security Breaches Survey 2023 ‘found that while cyber security is seen as a high priority by senior management at 71% of businesses and 62% of charities, this has not translated into action or greater ownership of cyber risk at the most senior level.’
In 2023 I was invited by NEDonBoard, Institute of Board Members, to represent the NED voice and share my experiences at a series of co-design workshops led by the Department for Science, Innovation and Technology, with the aim of reflecting the NED perspective in the drafting of a Cyber Governance Code of Practice that boards can draw upon to enhance their organisations’ Cyber risk management.
The participants in the co-design workshops were fully aware of the support and guidance already available to directors, in particular the Cyber Security Toolkit for Boards, published by the National Cyber Security Centre (NCSC). We also reviewed international best practices and adapted what we found to the situation in the UK. The consensus in the co-design workshops was that, to trigger further improvements in cyber practices across a wide spectrum of organisations, including small businesses and not-for-profit organisations, an easy-to-read and action-focused Cyber Governance Code of Practice was needed. The outcome of this consultation process is the Cyber Governance Code of Practice, for which the UK Government is calling for views (deadline: 19 March 2024).
This Code of Practice can serve as a framework that helps NEDs to shape their boards’ Cyber risk agenda. Please engage with this Code of Practice if you are seeking an opportunity to learn about good practices and to update your understanding of Cyber risk management. Not only will you gain insights from reading the Code of Practice, but the UK Government’s Call for Views also invites you to have your say, share your views and reflect the needs of the non-executive director and board community, and of the businesses you serve.
The Cyber Governance Code of Practice is structured using the following five principles:
- A: Risk Management which addresses risk ownership and suggests a business-driven risk prioritisation.
- B: Cyber Strategy includes the assessment of required investments in Cyber resilience.
- C: People is a principle that champions a positive Cyber culture and alignment with the strategy.
- D: Incident Planning and Response is a crucial principle addressing the capabilities to recover from a Cyber incident.
- E: Assurance and Oversight provides a framework for good practices on reporting and alignment with internal communication practices.
Written by Susanne Alfs, Member and Ambassador for NEDonBoard, Institute of Board Members. Susanne is a seasoned technology professional with a passion to improve the collaboration between the business and technology teams. She is a non-executive director, chair of a Technology Committee and an interim manager.