Author: Paul Dorey

Cyber Security Decisions in the Boardroom

Cyber Security Risk is nothing new. A day does not go by without a news item reporting an attack on businesses, government departments or even individuals. Yet somehow this can still seem to be very distant and just the concern of technical staff rather than business executives and Directors.

This summer things became more real when household names such as M&S, Co-op and Jaguar Land Rover were hit, and we could see empty food shelves in the stores and hear of cars that couldn’t be serviced, along with halted production lines. It is increasingly common to know of even small companies and charities that have been impacted by a cyber-attack.

The fact is that any organisation, large or small, which connects to the Internet can be subjected to attack – and that could be any business. Attacks are not always technical – in the recent attacks on retailers, the criminals phoned IT help desks and talked staff into issuing new passwords and tokens to give access.

Cyber Governance Code of Practice

The risk of cyber security disruption is so important to our economy and society that governments are taking action. In April, the UK government published its Cyber Governance Code of Practice, a voluntary framework for directors to guide them in overseeing cyber risk. It identifies key responsibilities for executives and Directors, including those who are not in technical roles or who do not have a technical background.

The code covers the themes of:

Risk Management – gaining assurance that technology, processes, information and services are identified and prioritised, including being part of general risk management and controls.

Strategy – setting the focus on the most important risks and directing that funding and resources are allocated effectively and proportionately.

People – promoting a security culture that helps staff identify and overcome security pitfalls, as well as executives and directors ensuring they have their own cyber literacy.

Incident Planning, response and recovery – getting assurance that the organisation can respond to and recover from any cyber-attack it experiences, as breaches will most likely happen.

Assurance and oversight – getting clear, understandable reporting on the cyber security status from line management, technical staff and, very importantly, from suppliers.

All of these are business themes that require business direction setting, both for the company and for its suppliers, particularly those providing IT services. Because priority is driven by business importance, cyber security is not something that can simply be delegated to the supplier. This sounds challenging, but cyber security is now an essential risk management skill which can bring confidence to staff, customers and regulators.

New course: GTA Cyber Security Courses for Directors and Executives

In response to this growing importance of cyber security for any organisation and its Directors, the GTA has been developing a non-technical course for senior leaders with Paul Dorey, an experienced CISO and Visiting Professor in cyber security at Royal Holloway, University of London.
