Every director should have a general understanding of cyber security risk and what it means for
directors’ oversight responsibilities.
Regulatory pressures (most notably the EU General Data Protection Regulation (GDPR) and the
Directive on Security of Network and Information Systems (NIS Directive)), an increasing reliance on
technology and big data, and an evolving threat environment place significant obligations on
organisations to reduce their cyber risks.
Cyber security affects all companies of all sizes in all sectors. Threats are serious and evolving, and
legal and regulatory requirements are growing. Regular communication between management and
the board on cyber security is critical to protect company interests and ensure accountability.
No longer relegated to the desk of the CIO, cyber security has now found its rightful place: front and
centre in the boardroom.
Despite this, less than 50% of corporate boards are actively involved in setting security strategy,
according to the PwC Global State of Information Security 2017 (GSIS) Survey. The survey shows only
39% of boards are involved in setting security policies, and only 31% review security and privacy
risks.
Although boards of directors and CEOs may not need to know how a certain type of malware can
penetrate a firewall, they will need to know what their organisation is doing to address those
threats.
Discussions at board level should include identifying which risks to avoid, accept, mitigate or transfer
(through cyber insurance), as well as reviewing specific plans associated with each approach.
The board must also ensure that the CISO is reporting at the appropriate levels within the
organisation. Sometimes the CIO’s agenda is in conflict with that of the CISO. As a result, some CISOs
now report directly to the CEO, or the COO or CRO.
(The survey reports that 40% of CISOs report directly to the CEO, whereas only 27% report to the
CIO).
Effective cyber security is an ongoing process. Armed with the right information, the board can play
an essential role in preventing problems before they arise.
Governance, compliance and data breach risks
It is evident that breaches can have enormous legal, financial and reputational consequences. The
GDPR will place even greater obligations on boards to address information governance and data
privacy, or face staggering financial penalties.
Cyber security and compliance are ongoing processes that must be regularly tested, maintained and
updated. Failure to implement and maintain essential security practices can significantly reduce your
organisation’s legal defensibility in the event of a data breach incident.
An international benchmark for achieving information security compliance
ISO 27001 is the international standard that describes best practice for an information security
management system (ISMS). An ISMS is a system of processes, documents, technology and people
that helps to manage, monitor and audit an organisation’s information security programme.
Achieving accredited certification to ISO 27001 demonstrates that an organisation's ISMS conforms to
the standard, and delivers an independent, expert assessment of whether information within the
certified scope is being managed according to internationally recognised best practice. Certification to
ISO 27001 presents convincing evidence to shareholders, boards, clients and regulators that an
organisation has taken reasonable measures to protect itself from a data breach; it is not a guarantee
that a breach cannot occur, and its value depends on the certified scope covering the systems and data
that actually matter to the business.
Information security or cyber security?
Information security and cyber security are closely related. Cyber security is defined as the
protection of information from cyber-attacks. Information security is a broader term that describes
the protection of information and information systems from unauthorised access, use, disclosure,
disruption, modification, or destruction in order to provide confidentiality, integrity and availability
(CIA). Cyber security is usually seen as a component of information security.
Cyber security affects companies of all sizes in all sectors. Moreover, threats are constantly evolving
and legal and regulatory requirements have become major issues, particularly with the introduction of
the GDPR (General Data Protection Regulation) and the EU's NIS Directive, which the UK has transposed
into its NIS Regulations.
All of this means that regular communication between management and the board regarding cyber
security is more important than ever. It’s only by discussing these issues regularly and in a formal
environment that you can protect your sensitive data and company interests.
As you have probably seen, failure to do that could result in staggering financial penalties.
So how should you get started? The first thing to note is that cyber security is no longer something
that your CIO handles alone. Your requirements must be placed front and centre in the boardroom.
This is the only way that directors will understand cyber risks and what it means for their oversight
responsibilities.
Our team of experts has identified the top questions that you need to ask your chief information
security officer, and compiled our advice here.

  1. What are the top risks our organisation faces?
    According to Gartner, by 2020 30% of Global 2000 companies will have been directly compromised
    by an independent group of cyber activists or cyber criminals.
    Organisations need to prioritise the real risks by identifying security gaps and their impact on the
    business, and ensure the budget to manage these risks is assigned accordingly.
    The board should also ask itself whether it has a solid understanding of the impact of applicable
    (and emerging) legal, regulatory and contractual requirements related to cyber security.
  2. Are we testing our systems before there’s a problem?
    There are many tests that can assess the vulnerability of systems, networks and applications.
    An important element of any security regime should be regular penetration tests. Pen tests are
    simulated attacks on a computer system with the intent of finding security weaknesses that could be
    exploited. They help establish whether critical processes, such as patching and configuration
    management, have been followed correctly. Many companies fail to conduct regular penetration
    tests, falsely assuming they are safe. A penetration test is only a point-in-time snapshot, and new
    vulnerabilities and threats arise daily, so tests should be repeated after significant changes and
    complemented by continuous vulnerability scanning to keep defences tested against emerging threats.
  3. Are we conducting comprehensive and regular information security risk assessments?
    A risk assessment should provide the board with the assurance that all relevant risks have been
    taken into account, and that there is a commonly defined and understood means of communicating
    and acting on the results of the risk assessment.
    Without determining the risk associated with vulnerabilities, organisations often misalign
    remediation efforts and resources. This approach not only wastes time and money but also extends
    the window of opportunity for criminal hackers to exploit critical vulnerabilities.
    Since a threat (known or unknown) is the agent that takes advantage of a vulnerability (such as
    outdated software), this relationship must be a key factor in the risk assessment process. Advanced
    security operations teams use threat intelligence to understand potential threat actors’ capabilities
    and current activities and plans, and to anticipate current and future threats.
  4. How do we demonstrate compliance with our cyber security controls?
    An audit can support the board’s need to understand the effectiveness of its cyber security controls.
    If an organisation has chosen to comply with an information security standard such as ISO 27001, an
    independent review of its information security controls can be conducted by a certification body,
    and can be used to provide evidence of the organisation’s commitment to information security.
    This can then be used as a competitive advantage when bidding for new business, as is the case with
    companies certified to ISO 27001.
    Certification can also provide compelling evidence that an organisation has exercised due care in
    protecting its information assets.
  5. Do we have an effective information security awareness programme?
    A startlingly large number of breaches are caused by employee error or negligence. In fact, the GSIS
    survey reveals that employees are responsible for 27% of all cyber security incidents. Social
    engineering remains a common tactic whereby criminals can break into a network through
    underhanded methods, by exploiting vulnerable or uninformed employees (e.g. by distributing
    malware through malicious links).
    The critical importance of an effective staff awareness programme cannot be emphasised enough.
    Research shows that traditional cyber security awareness measures can be greatly enhanced by a
    multifaceted security programme that creates a total culture change and tackles persistent incorrect
    employee behaviours.
  6. In the event of a data breach, what is our response plan?
    Cyber security experts will agree that it is no longer a matter of ‘if’ but ‘when’ you will be breached.
    The critical difference between organisations that will survive a data breach and those that won’t is
    the implementation of a cyber resilience strategy, which takes into account incident response
    planning, business continuity management (BCM) and disaster recovery strategies to bounce back
    from a cyber-attack with minimal disruption to the business.
    The board should also be aware of the laws governing its duties to disclose a data breach. The NIS
    Directive and the GDPR are both examples of legislation that introduce corporate breach
    notification obligations: under the GDPR, for example, a personal data breach must be reported to
    the supervisory authority without undue delay and, where feasible, within 72 hours of the
    organisation becoming aware of it, which leaves no room for a response plan improvised on the day.
  7. Are we adequately insured?
    Recent reports reveal that cyber insurance is not adequate to protect companies from a full-scale
    cyber-attack. Although it is difficult to quantify how expensive a data breach can be, information
    about other data breaches in your industry should provide an indication of the potential damages
    your organisation might face.
    The IBM Cost of Data Breach Study 2017 shows the average overall cost of a data breach to
    organisations was $3.62 million (€2.92 million). Many organisations don't realise that they remain
    liable for a data breach even if the data is stored in the cloud, or if a third party with which they
    share information is breached.
  8. Do we comply with leading information security frameworks or standards?
    Examples include the leading international information security management standard, ISO 27001,
    the Payment Card Industry Data Security Standard (PCI DSS) and the UK Cyber Essentials scheme (a set
    of basic technical controls that the scheme states protects against around 80% of common
    cyber-attacks).
    Certifying to leading international standards such as ISO 27001 means that a company is following
    recognised best practice in cyber security and takes a holistic approach that addresses not only
    technology but also risks related to people and processes. An organisation may also opt for
    independent certification to verify that the controls it has implemented are working as intended.
  9. Is our information security budget being spent appropriately?
    Setting the information security budget is not just about having more money to buy more
    technology to patch cyber security holes: the key is to take a strategic approach to budget allocation
    in order to make a real difference to the organisation's information security posture. More
    technology does not translate into more security; technology alone won't protect your business
    from the ever-present threat.
    Organisations need to safeguard their ongoing security posture by prioritising the steps required
    to stay compliant with current legislation, and by prioritising the prevention of and response to
    attacks.
  10. Do we have visibility into the network?
    Poor network behaviour visibility can wreak havoc in an organisation. The IBM Cost of Data Breach
    Study 2017 revealed that the average time to detect a data breach is 191 days.
    Many administrators do not have deep enough access to the network and security intelligence they
    need in order to have an accurate picture of what’s really going on, and lack the tools that can
    quickly identify, interpret and act on threats.
    IT and security teams should be empowered to maintain clear and continual visibility over the
    network.
  11. Are supplier risks and risks in the supply chain part of our risk register?
    Cyber threats may reach an organisation through any number of vulnerable points along the supply
    chain, and the cyber security of the whole chain is only as strong as its weakest link. It is often
    the smaller organisations within a supply chain that, because of limited resources, have the
    weakest cyber security. Dealing with supplier risks requires a
    broad, inclusive approach that allows organisations to identify their place within the supply chain
    and map their cyber security dependencies and vulnerabilities.
    Organisations should implement a multi-stakeholder supply chain risk assessment process that
    engages as many members of the supply chain as possible.
  12. When did we last test our recovery procedures?
    Ponemon Institute’s 2017 Cost of Data Breach Study: Impact of Business Continuity Management
    revealed that BCM programmes significantly reduced the time to identify and contain data breaches.
    Effective BCM helped save companies 43 days in the identification of a breach and 35 days in
    containing it. BCM and disaster recovery plans must be regularly tested to establish whether the
    business can recover rapidly following an attack. Some of the 'what if' thinking should be
    establishing how vulnerable the fallback options themselves are to cyber-attack. For example, a
    malicious assault on your data may not be detected for some time, so backups taken since the
    intrusion may also be compromised; recovery plans should therefore retain older, offline or
    immutable copies and verify backup integrity before restoring from them.
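
The last point above, that backups taken after an intrusion may themselves have been tampered with, is one a practitioner can check mechanically before a restore. The following Python script is an added example written for this page, not code from the original article or from any product it mentions: it records a SHA-256 digest of every file in a backup set, seals the list with an HMAC under a key (MANIFEST_KEY, a placeholder here) that is held away from the backup host, and at restore time reports files that are missing, modified or unexpected, refusing to trust a manifest whose seal no longer verifies. The directory layout, file names and key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Hypothetical signing key for the manifest. In practice it lives with the
# restore team (e.g. in a vault the backup host cannot reach), so an intruder
# who rewrites the backup archives cannot also re-seal the manifest.
MANIFEST_KEY = b"example-key-held-off-the-backup-host"


def sha256_file(path):
    """Stream a file through SHA-256 so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def digest_tree(backup_dir):
    """Map every file under backup_dir (relative path) to its SHA-256 digest."""
    digests = {}
    for root, _dirs, names in os.walk(backup_dir):
        for name in names:
            path = os.path.join(root, name)
            digests[os.path.relpath(path, backup_dir)] = sha256_file(path)
    return digests


def seal(files, key):
    """HMAC over the canonical JSON of the file list; without the key it cannot be forged."""
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(backup_dir, key=MANIFEST_KEY):
    """Record the backup set as taken and seal it. Store the result away from the backup host."""
    files = digest_tree(backup_dir)
    return {"files": files, "hmac": seal(files, key)}


def verify_backup(backup_dir, manifest, key=MANIFEST_KEY):
    """Return a sorted list of problems; an empty list means the backup matches the manifest."""
    if not hmac.compare_digest(seal(manifest["files"], key), manifest["hmac"]):
        # If the manifest fails its own seal, none of its entries can be trusted.
        return ["manifest: HMAC mismatch, manifest may have been tampered with"]
    on_disk = digest_tree(backup_dir)
    problems = []
    for rel, expected in manifest["files"].items():
        if rel not in on_disk:
            problems.append(f"missing: {rel}")
        elif on_disk[rel] != expected:
            problems.append(f"modified: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in on_disk if rel not in manifest["files"])
    return sorted(problems)


def demo():
    """Constructed scenario: a clean backup, the same set after tampering, and a forged manifest."""
    with tempfile.TemporaryDirectory() as backup_dir:
        for name, data in (("db.dump", b"customer rows"), ("config.tar", b"settings")):
            with open(os.path.join(backup_dir, name), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(backup_dir)
        clean = verify_backup(backup_dir, manifest)

        # An intruder encrypts one archive and plants an extra file in the backup set.
        with open(os.path.join(backup_dir, "db.dump"), "wb") as fh:
            fh.write(b"encrypted by ransomware")
        with open(os.path.join(backup_dir, "payload.bin"), "wb") as fh:
            fh.write(b"\x90\x90\x90")
        tampered = verify_backup(backup_dir, manifest)

        # The intruder also edits the manifest's digests but lacks the key to re-seal it.
        forged = {
            "files": {**manifest["files"], "db.dump": sha256_file(os.path.join(backup_dir, "db.dump"))},
            "hmac": manifest["hmac"],
        }
        forged_result = verify_backup(backup_dir, forged)
    return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged manifest"), demo()):
        print(f"{label}: {result or 'OK'}")
```

Run it directly to see the three outcomes. The HMAC matters because an intruder with write access to the backup host can rewrite both the archives and a plain checksum file sitting beside them, so the manifest must be verifiable with something that host does not hold. The check complements, rather than replaces, keeping older offline or immutable copies and rehearsing the restore itself.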