Board meetings should start with cyber-security, APMG says

Company boards are making a lot of decisions without considering cyber-security, which leaves their business wide open to threats, a new report by APMG International and Templar Executives says.

The two cyber-security firms have called for a different approach to these Board meetings, and for non-executive directors to hold directors to greater account for their cyber decisions.

Andrew Fitzmaurice, CEO of Templar Executives said: “Up until this point, the building blocks of decision making have typically omitted the cyber security threat landscape. While there is an argument to say that this is verging on corporate negligence, it is just a symptom of routine; the Chief Information Security Officer might come to the Board meeting twice a year to give a briefing that few understand. This needs to change. The cyber security threat landscape is too complex, fast-paced and important for Boards to ignore. This is a leadership and business issue. Boards must accept accountability and proactively foster a positive and holistic cyber security culture incorporating governance, policy, people and processes, as well as technology – so good practice becomes the norm.

Fitzmaurice says such meetings should start with a look at the cyber-security landscape.

“The most successful Boards start every meeting with a quick dashboard of the cyber security threat landscape and how they are doing, as well as the level of maturity to prevent and defend against attacks. From this point on, the company is in a position of strength to make decisions, with improved confidence, to meet business outcomes,” he said.

Richard Pharro, CEO of APMG, adds that this must come from a business angle and not a technical one to add the value, by making sure that everyone is speaking the same language: “Cyber security is still a new element for many Boards; they haven’t previously had the knowledge or inclination to prioritise it. Often, compliance is thought to be enough, but Board members need to take more of an active role in assessing cyber security. It’s crucial for them to be able to answer questions about what the business benefits of sound cyber practices are, or the impact on the bottom line of neglecting security. Without this, cyber security can be easily ignored or pushed to the bottom of the agenda.”

He concluded: “Non-executive directors have an important role to play here and are in the unique position to challenge their Boards on cyber security. The challenge is that many non-executive directors have not been exposed to cyber security in their past roles, so they can lack the knowledge and confidence needed to act on it. This highlights the importance of high quality training for non-executive directors to help them understand cyber security landscape. CESG Certified Training courses provide confidence that training is of a high standard and up-to-date with current thinking.”