This guest blog by Jessica Figueras from CxB – Cyber Governance for Boards explores what trustees and chairs can do to put in place a governance framework for cyber security.
Drama, intrigue and anxiety don’t promote good governance
Most charity leaders don’t have a technical background, but we read the news. Cyber security provides a constant source of click-generating drama and intrigue, and none more so than last year’s attacks on M&S, the Coop and JLR which emptied shelves, halted production lines and wiped billions off UK GDP.
We hear of “shadowy hacker groups”, illustrated with hooded figures in darkened rooms. “Cyber terrorists weaponise AI to bring down UK networks in seconds”, one headline reads. Another features plucky cyber heroes who “plot honeypots to catch hackers”. We are invited to look on passively while the cyber security insiders – goodies and baddies – slug it out in cyberspace.
The upshot of this drama-riven national conversation about cyber security is to breed a distinct lack of confidence amongst trustees and executives.
Trustees want to be helpful, but many are anxious and unsure how to approach the problem, particularly when executives aren’t leading proactively. Some of us respond by avoiding the issue, whilst others pepper executives with random ideas and questions: “Do we have the right kind of passwords?” “I heard there’s a bug in Windows.” “Is our IT helpdesk secure?”
These might be good ideas, but the fact is there are very many ways in which cyber security can go wrong. Your board needs a governance framework, not an excuse to micromanage.
Enter the Cyber Governance Code of Practice
Luckily, that framework already exists – it’s the UK government’s Cyber Governance Code of Practice, which is what CxB uses in our training with boards. It comprises 22 short actions, 14 of which start with the words “Seek assurance that …”
The Code of Practice shows us what good looks like – it’s about having a strategy, managing risk in a systematic way, showing positive leadership, having a well-rehearsed plan for when the worst happens, and seeking assurance on all these fronts.
Yet this may be easier said than done for a sector which will always struggle to access the resources it needs to protect itself.
Our wonderful civil society culture makes us vulnerable. Unclear organisational boundaries, a default attitude of trust, and a culture of ‘make-do-and-mend’: all make it harder to control IT infrastructure and enforce secure practices.
IT teams are under-resourced and under-skilled; legacy IT systems are impossible to replace because there’s no budget; outsourced services are expensive or inflexible.
These constraints make it even more important for your board to have a cyber security strategy, which will help you to focus scarce resources on the few things that really matter.
Focusing on what really matters
Cyber security is about people, process and technology. It’s easy to obsess about technology, but you need to think about overall capability which includes all three. What cyber security expertise, resources and assets do we have in the charity right now? What are our knowledge gaps?
There’s a lot available once you know what you need. You can recruit cyber volunteers from the regional Cyber Resilience Centres; charities with budget can hire an experienced cyber security professional as a ‘virtual CISO’ for a day a week. Suppliers can provide managed services, internal audit, consultancy, security testing and more.
Some boards may want to bring in a cyber specialist as a committee member. This can be an excellent way to kick-start cyber governance improvements, so long as that person has relevant and up-to-date knowledge, and helps upskill the board rather than encouraging them to step back. (And of course we at CxB provide board training – do get in touch if you’d like to know more.)
Your Risk Committee is a good home for ongoing cyber security oversight, although traditional red/amber/green (RAG) risk matrices aren’t ideal for managing cyber risk, which is complex and changes very quickly.
My tip is to work on a cyber-specific risk framework with technical staff. You could be facing dozens of different risks, some of which are far more impactful than others. Try to quantify each one in terms of how much it might cost your charity – in lost income, clean-up costs, fines, and so on – and use your limited resources to mitigate the most costly risks first. And cyber insurance is well worth a look.
Cyber governance will always be a work in progress – and that’s fine. The board does not need to be the primary source of technical expertise. But a charity that’s on a journey to cyber resilience needs its board to be a driver, not a passenger.
About CxB – Cyber Governance for Boards
We are a non-profit that supports boards and non-executives to exercise effective oversight of cyber security through peer insights, training, assessment and mentoring. Our four co-founders are trustees and NEDs who originally met as speakers on an Association of Chairs webinar in 2022, and established CxB the following year.