Rise of the (Cyber) NED

To adequately examine the role of a cyber-NED, it is perhaps helpful to take a step back to consider the role of a non-executive generally.

The Institute of Directors describes the non-executive director (NED) role as “providing a creative contribution to the board by providing independent oversight and constructive challenge to the executive directors.”

The 1992 Cadbury Report, The financial aspects of corporate governance, declared that a NED should “bring an independent judgement to bear on issues of strategy, performance and resources including key appointments and standards of conduct.”

Rob Newby, CISO at Smart DCC and NED at Intaso, argues that NEDs exist “for governance – a strict code of governance.” And he should know. Newby earned a non-executive diploma, an FT fully accredited post-grad qualification, in 2018.

What’s in a name?

The term cyber-NED has been doing the rounds for around half a decade, barely preceded by the concept. Yet an extensive search on LinkedIn reveals very few people listing cyber-NED as a title. Even those NEDs with strong cyber backgrounds are reluctant to wear a cyber-NED badge. But why?

Newby doesn’t subscribe to the notion of a cyber-NED. “There’s no such thing,” he says without hesitation. “You’re a NED, whatever type of NED you are. Your role is to support the UK governance code.”

Robin Oldham, who also earned the FT non-executive diploma, dances to the beat of a similar drum. “A cyber-NED is just a NED who happens to be experienced in cyber,” he adds.

Let’s bring Matt Palmer into the conversation. Palmer leads cyber resilience for (the island) Jersey but also holds the title of NED at Appital. Palmer’s take on the topic is a little different. “I think a cyber-NED is a NED with an honorary identifiable title. If you have significant cyber experience, you may be allocated that role by the board, but essentially, you’re still a NED,” he says. His take may have entered a grey area, but essentially, that’s still another tick in the ‘NEDs are NEDs’ box.

“A cyber-NED is just a NED who happens to be experienced in cyber.”

Robin Oldham

“You can add value anywhere as a NED, so I’d say cyber-NEDs are more just NEDs”, adds Lee Pitman, managing director of LSP Advisory. Pitman has previously held cyber-NED roles and is currently considering undertaking another. He counters himself with his following comment: “If your experience in cyber is purely why you’re there, however, it’s fair enough to use the label cyber-NED,” he says.

In this article, we’ll continue to use the term cyber-NED but take the name with a pinch of salt. We’re talking about NEDs who bring a wealth of cyber experience to the Boardroom as a NED. The role is fundamental, whatever you want to (or don’t want to) call it.

Cyber-NED job spec

At the risk of kicking off with a negative, “the role of cyber-NED is ripe for failed delivery and misunderstanding,” laments Palmer. “There are generally low levels of board understanding and lack of experienced people who can operate at that level.”

Interestingly, when asked what a cyber-NED should do, Palmer’s gut instinct is to answer instead with what a cyber-NED should not do. “A cyber-NED can be interpreted as a cyber expert who has been taken on board to take care of IT. This would be a horrible thing; it wouldn’t work at all. A NED should not be operational, nor should a cyber-NED. The role [exists] to support and enable, not do.”

Newby is candid in his assessment of the misunderstanding around what a NED should do. “There was a review of non-executive roles and their understanding of the corporate governance code that we studied on the FT course, and there was shallow comprehension of a NED’s duties,” he says. “Most organisations onboard a NED to make the company more like their last company,” and often NEDs themselves have this mentality, he adds, “but that’s not necessarily how things should happen.”

It’s all very well and good understanding what isn’t in the cyber-NED job spec, but what is in the spec?

“It’s about governance code,” continues Newby. “Audit, risk, controls, policies, and procedures. Consider how security runs alongside technology. Security is a governance function for IT, and NEDs should be a governance function for your business.”

Increased accountability around governance is responsible for making today’s NED role a lot harder than it was a few decades ago, according to Palmer.

“There are generally low levels of board understanding and lack of experienced people who can operate at that [cyber-NED] level.”

Matt Palmer

At Smart DCC, Newby highlights the existence of “a technical NED” and considers the actuality of that role’s positive impact on him as CISO. “She’s brilliant; she is setting up a technical assurance board that will report to the main board. That gives me so much more scope as CISO; it enables me to get my message to the board without it being slowed down.” He considers that the mere existence of cyber-NED heightens his authority as CISO. Perhaps, then, one of the most important and impactful skills that a cyber-NED can bring is communication. If Newby’s message as CISO lands better with translation performed by their cyber-NED, that value is incredibly precious.

The makings of a decent cyber-NED

“Cybersecurity professionals make better NEDs.” It’s a bold statement that Newby lays down with ease. “Security people automatically think about business and risk, they have that governance mindset, and that’s what a NED needs.” His message to anyone from a background in governance, risk and compliance (GRC) is audacious: “You’ll make a better leader than you think you will.”

Oldham concurs. “A lot of [being a NED] is about risk management, which makes cybersecurity professionals good candidates.”

Setting aside experience, what behaviours or skills make an excellent cyber-NED? “Communication skills,” says Oldham simply. “People who will actively listen, and seek to understand views, and people who are curious and inquisitive about the business. NEDs must be generous with their experience but also considerate of others.”

Palmer summarises the requirements for an excellent cyber-NED: “They must bring the skills and experience necessary to lead the board on cyber, but also be capable of performing a full oversight role by understanding the risks, operations and finances.” (Check out our box-out compiling the five most desirable cyber-NED traits according to Palmer.) Without these skills that Palmer rightly lists, the cyber-NED becomes reliant on the direction of the CISO.

---

---

Pitman adds that “do-er experience from the frontline” is a desirable practice to bring to the table, plus dexterity to deal with challenging situations whilst remaining calm. Not too much to ask for, then…
The frontline experience, however, brings its challenges. As Palmer explains, cyber-NEDs aren’t in Kansas anymore. “It can be frustrating for people who have had a career ‘doing’. You aren’t there to ‘do’; you’re there primarily for your judgement.”

He continues: “It’s all about helpfully challenging an executive team. Be an ally, but not an unthinking ally. Be willing to challenge, sometimes vigorously.”

Pitman also has a clear idea of what is undesirable from a NED: “those who have done a limited amount of research, trying to rinse-and-repeat what they’ve seen and done before. That’s where a NED becomes useless,” he laments.

Cyber-NEDs aren’t for everyone

Interestingly, our cyber-NED contributors have conflicting opinions on the organisations that would most benefit from a cyber-NED.

In one corner, we have Oldham, who argues that “technologically dependent organisations, and those who have gone through much digital transformation, need cyber-NEDs the most.”

In the other corner, Lee Pitman argues that the smaller companies, those less technically dependent and that don’t have the luxury of a CIO or CISO, will reap the most value from a cyber-NED. “The SME market can be blind to risk and don’t have the knowledge or expertise in cyber to help advise on risk exposure,” he argues.

And then we have Newby, who believes that few companies are even looking for a cyber-NED. “They prioritise hiring NEDs from a finance background, or risk, but rarely cyber.” What’s his opinion on this? “It’s narrow-minded,” he states without hesitation. “Everyone has more responsibility to look closer at cyber.”

“It’s all about helpfully challenging an executive team. Be an ally, but not an unthinking ally. Be willing to challenge, sometimes vigorously.”

Matt Palmer

“Having a cyber-NED is not for every organisation,” says Palmer candidly. “The business risk profile will be the differentiator. Organisations with a higher risk profile, those in highly regulated industries and those with a high data risk profile or large numbers of consumer data records need a cyber-NED the most.” I guess that puts him in Oldham’s corner.

Contrary to Newby’s theory that few organisations are searching for a cyber-NED, there is countless evidence to suggest that cybersecurity is moving rapidly up the Boardroom agenda. Reluctance to consider a cyber-NED, therefore, is, frankly, foolish.

If you still haven’t found what you’re looking for…

Oldham flies the flag for bringing in a NED with “cyber and business risk knowledge into the boardroom.” He describes that move as utterly beneficial. Pitman, too, broadly sees the value of a niche skillset, pointing out the correlation between value and niche skill.

Palmer notes that it’s difficult for boards to find the right NEDs. “I’ve found no shortcuts,” he admits. He raises the challenge of gender balance. “We need to address the issue of how people are appointed,” he says. “The focus needs to be on competence, and if done right, boards will become more inclusive and representative of the level of challenge.”

Whilst the advantages reaped by an organisation with a cyber-NED are plentiful. There’s also the consideration of what it means for the cyber-NED. For Palmer, it means a definite improvement in his ability to do his day job. “I am 10 times more effective at my primary role because I have the context and understand the financial services and regulatory and business challenges because of my non-executive roles,” he believes.

Call the role cyber-NED, call it NED, call it whatever you want; there are undeniable benefits for organisations with the foresight to bring in a non-executive with cyber experience and knowledge. Add that experience to a GRC mindset and the ability to challenge the board insightfully and helpfully, and you’ve got one hell of a cyber-NED on your team. Although, that’s just one hell of a NED to you and me.

---