The National Cyber Security Centre (NCSC) today launched a new “Board Toolkit” designed to offer strategic guidance on cybersecurity and support closer collaboration between boards and their technical teams.
The 10-section report will “help business leaders understand that cyber risk should be managed the same way as any other business risk,” Minister David Lidington said.
Computer Business Review digested the report for time-poor executives.
NCSC Board Toolkit: 10 Takeaways for Executives
Section 1: Take This Personally
As a Board member, you will be targeted, the NCSC board toolkit notes. Board members have access to valuable assets (both information and money) and organisational influence. But a methodical approach to ensuring security can remove low-hanging fruit; the vast majority of attacks are still based upon well-known techniques, and even sophisticated attackers start with the simplest and cheapest options.
The key thing to understand about cyber security defences is that they need to be layered and include a range of measures, from technology solutions to user education to effective policies. It is critical that Board members understand and follow their organisation’s security policies, the NCSC notes. Here’s some guidance.
Section 2: Embedding Cybersecurity Into your Structure
A cyberattack brings with it operational risk, legal risk, and financial risk. Everyone needs to be involved in building resilience and enterprise processes need to reflect this.
If the CISO reports to an intermediary to the Board who only focuses on one aspect of risk – finance or legal or technology – this can hinder the Board's ability to see cybersecurity’s wider implications.
Ask these four questions:
- Does the board understand how cybersecurity impacts collective responsibilities?
- Who has responsibility for cybersecurity in the organisation?
- How does the board assure that cybersecurity measures are effective?
- Is cyber risk integrated with business risk?
Section 3: Mind the Skills Gap
There is a cybersecurity skills shortage. Your enterprise needs to get ahead of it.
Baseline current and future requirements. (Are you dependent on one or two people?) Be flexible and “imaginative” in how you build your team: there are many talented women and minorities working in cyber security, but they are often less visible. Train existing staff, even if they are not from a security background.
It may be worth buying in external expertise. Consider:
- Recruiting a skilled non-executive director to your Board.
- Employing a consultant to provide specific cyber security advice.
- Identifying specific cyber security services which can be fulfilled by a third party.
- Recruiting employees who already have the skills you need.
Section 4: Positive Security Culture
Develop a positive security culture. Lead by example. Consider:
- Properly resourced staff awareness
- Staff input when creating new policies or system designs.
- Security metrics which focus on success rather than failure (for example, how many people identified phishing emails rather than how many clicked on them).
- Support from senior leadership on the importance of security.
Section 5: Understand your Technical Estate
Clearly articulate to your security team what your business priorities are (e.g. protecting customer-facing services) and what your data “crown jewels” are.
Keep your baseline up-to-date. This should include:
- An up-to-date register of systems, including all internet-connected, partner-facing systems and networks
- Details of data sets: which services, systems and users have access to them, where they are stored and how they are managed
The NCSC says: “Boards will have business insight that technical teams may not have (such as which particular partner relationship must be prioritised); technical teams will have insight into the enablers for key objectives (such as which networks or systems do particular partners rely upon).” Conversation is critical.
Section 6: Understand the Nature of the Threat
One of the best sources of information on good practice and relevant threats can be your sector peers. Talk to each other. The NCSC offers a Cyber Security Information Sharing Partnership as a secure forum for collaboration.
- As an organisation, which threats do we assess are relevant to our organisation, and why?
- As an organisation, how do we stay up to date with the cyber threat?
- As an organisation, how do we use threat intelligence to inform business as usual?
Section 7: Is Risk Management a Tick-Box Exercise?
Cyber security risk should be integrated with your organisational approach to risk management. And metrics can be tough (“a typical output of good cybersecurity is the absence of a failure, which can be hard to measure”).
Ask: Do we have an effective and appropriate approach to manage cyber risks? For example, a framework that clarifies:
- How risks are escalated
- What the threshold is for Board involvement in a risk decision
- How you convey the confidence in a particular risk assessment
- How often risks are reviewed
- Who owns which risks
- Who is responsible for the framework itself and for ensuring it is fit for purpose (for example, ensuring that the output of the risk assessment process genuinely reflects the assessment of the risk)
Section 8: Implementing Your Defensive Measures
Get your basic cybersecurity controls in place. Here are some frameworks:
Layer your defences and include defences against internal bad actors. This can include strong links between HR processes and the IT account function, defined processes to identify, triage, and fix any exploitable vulnerabilities within the technical estate and a network architecture that minimises the harm an attack can cause.
Section 9: Collaborate with Suppliers
“Review your current supply chain arrangements to ensure you are setting out your security needs clearly and identifying the actions you need to take as a result. Assume that your partners will be compromised at some point. Plan the security of your networks, systems and data accordingly with this assumption in mind.”
- How do we mitigate the risks associated with sharing data and systems with other organisations?
- How do we ensure that cyber security is considered in every business decision?
- Are we confident that we are fulfilling our security requirements as a supplier?
Section 10: Plan Your Response
Have an incident response plan.
“The Board needs to be explicit about who it is willing to devolve authority to (especially outside core working hours), and exactly what that authority covers.”
Rehearse your response to different scenarios with regular exercises.
And finally, create a no-blame culture. Critically for the Board, new regulation, such as GDPR, is clear that responsibility for incidents or data breaches sits with the organisation and not an individual. Therefore the Board is ultimately responsible for any cyber security incident as the governing body.
“Apportioning blame will be seen as poor cybersecurity practice”