The Institute of Directors describes the non-executive director (NED) role as “providing a creative contribution to the board by providing independent oversight and constructive challenge to the executive directors.”
The 1992 Cadbury Report, The financial aspects of corporate governance, declared that a NED should “bring an independent judgement to bear on issues of strategy, performance and resources including key appointments and standards of conduct.”
Rob Newby, CISO at Smart DCC and NED at Intaso, argues that NEDs exist “for governance – a strict code of governance.” And he should know. Newby earned a non-executive diploma, an FT fully accredited post-grad qualification, in 2018.
The term cyber-NED has been doing the rounds for around half a decade, barely preceded by the concept. Yet an extensive search on LinkedIn reveals very few people listing cyber-NED as a title. Even those NEDs with strong cyber backgrounds are reluctant to wear a cyber-NED badge. But why?
Newby doesn’t subscribe to the notion of a cyber-NED. “There’s no such thing,” he says without hesitation. “You’re a NED, whatever type of NED you are. Your role is to support the UK governance code.”
Robin Oldham, who also earned the FT non-executive diploma, dances to the beat of a similar drum. “A cyber-NED is just a NED who happens to be experienced in cyber,” he adds.
Let’s bring Matt Palmer into the conversation. Palmer leads cyber resilience for the island of Jersey but also holds the title of NED at Appital. Palmer’s take on the topic is a little different. “I think a cyber-NED is a NED with an honorary identifiable title. If you have significant cyber experience, you may be allocated that role by the board, but essentially, you’re still a NED,” he says. His take strays into a grey area, but essentially, that’s still another tick in the ‘NEDs are NEDs’ box.
“You can add value anywhere as a NED, so I’d say cyber-NEDs are more just NEDs,” adds Lee Pitman, managing director of LSP Advisory. Pitman has previously held cyber-NED roles and is currently considering undertaking another. He then qualifies his own position: “If your experience in cyber is purely why you’re there, however, it’s fair enough to use the label cyber-NED,” he says.
In this article, we’ll continue to use the term cyber-NED, but take the name with a pinch of salt. We’re talking about NEDs who bring a wealth of cyber experience to the boardroom. The role is fundamental, whatever you want to (or don’t want to) call it.
At the risk of kicking off with a negative, “the role of cyber-NED is ripe for failed delivery and misunderstanding,” laments Palmer. “There are generally low levels of board understanding and lack of experienced people who can operate at that level.”
Interestingly, when asked what a cyber-NED should do, Palmer’s gut instinct is to answer instead with what a cyber-NED should not do. “A cyber-NED can be interpreted as a cyber expert who has been taken on board to take care of IT. This would be a horrible thing; it wouldn’t work at all. A NED should not be operational, nor should a cyber-NED. The role [exists] to support and enable, not do.”
Newby is candid in his assessment of the misunderstanding around what a NED should do. “There was a review of non-executive roles and their understanding of the corporate governance code that we studied on the FT course, and there was shallow comprehension of a NED’s duties,” he says. “Most organisations onboard a NED to make the company more like their last company,” and often NEDs themselves have this mentality, he adds, “but that’s not necessarily how things should happen.”
It’s all very well and good understanding what isn’t in the cyber-NED job spec, but what is in the spec?
“It’s about governance code,” continues Newby. “Audit, risk, controls, policies, and procedures. Consider how security runs alongside technology. Security is a governance function for IT, and NEDs should be a governance function for your business.”
Increased accountability around governance is responsible for making today’s NED role a lot harder than it was a few decades ago, according to Palmer.
At Smart DCC, Newby highlights the existence of “a technical NED” and reflects on the practical impact that role has on him as CISO. “She’s brilliant; she is setting up a technical assurance board that will report to the main board. That gives me so much more scope as CISO; it enables me to get my message to the board without it being slowed down.” He considers that the mere existence of a cyber-NED heightens his authority as CISO. Perhaps, then, one of the most important and impactful skills that a cyber-NED can bring is communication. If a CISO’s message lands better with a cyber-NED translating it for the board, that value is incredibly precious.
“Cybersecurity professionals make better NEDs.” It’s a bold statement that Newby lays down with ease. “Security people automatically think about business and risk, they have that governance mindset, and that’s what a NED needs.” His message to anyone from a background in governance, risk and compliance (GRC) is audacious: “You’ll make a better leader than you think you will.”
Oldham concurs. “A lot of [being a NED] is about risk management, which makes cybersecurity professionals good candidates.”
Setting aside experience, what behaviours or skills make an excellent cyber-NED? “Communication skills,” says Oldham simply. “People who will actively listen, and seek to understand views, and people who are curious and inquisitive about the business. NEDs must be generous with their experience but also considerate of others.”
Palmer summarises the requirements for an excellent cyber-NED: “They must bring the skills and experience necessary to lead the board on cyber, but also be capable of performing a full oversight role by understanding the risks, operations and finances.” (Check out our box-out compiling the five most desirable cyber-NED traits according to Palmer.) Without the skills Palmer rightly lists, the cyber-NED ends up dependent on the CISO for direction rather than providing independent challenge.
Matt Palmer, director of Jersey’s CERT and NED at Appital, lists the five skillsets and traits that he believes are most crucial to making a successful cyber-NED:
Pitman adds that “do-er experience from the frontline” is desirable experience to bring to the table, plus the dexterity to deal with challenging situations whilst remaining calm. Not too much to ask for, then…
The frontline experience, however, brings its challenges. As Palmer explains, cyber-NEDs aren’t in Kansas anymore. “It can be frustrating for people who have had a career ‘doing’. You aren’t there to ‘do’; you’re there primarily for your judgement.”
He continues: “It’s all about helpfully challenging an executive team. Be an ally, but not an unthinking ally. Be willing to challenge, sometimes vigorously.”
Pitman also has a clear idea of what is undesirable from a NED: “those who have done a limited amount of research, trying to rinse-and-repeat what they’ve seen and done before. That’s where a NED becomes useless,” he laments.
Interestingly, our cyber-NED contributors have conflicting opinions on the organisations that would most benefit from a cyber-NED.
In one corner, we have Oldham, who argues that “technologically dependent organisations, and those who have gone through much digital transformation, need cyber-NEDs the most.”
In the other corner, Lee Pitman argues that smaller companies, those less technically dependent and without the luxury of a CIO or CISO, will reap the most value from a cyber-NED. “The SME market can be blind to risk and doesn’t have the knowledge or expertise in cyber to help advise on risk exposure,” he argues.
And then we have Newby, who believes that few companies are even looking for a cyber-NED. “They prioritise hiring NEDs from a finance background, or risk, but rarely cyber.” What’s his opinion on this? “It’s narrow-minded,” he states without hesitation. “Everyone has more responsibility to look closer at cyber.”
“Having a cyber-NED is not for every organisation,” says Palmer candidly. “The business risk profile will be the differentiator. Organisations with a higher risk profile, those in highly regulated industries and those with a high data risk profile or large numbers of consumer data records need a cyber-NED the most.” I guess that puts him in Oldham’s corner.
Contrary to Newby’s theory that few organisations are searching for a cyber-NED, there is abundant evidence that cybersecurity is moving rapidly up the boardroom agenda. Reluctance to consider a cyber-NED is, therefore, frankly foolish.
Oldham flies the flag for bringing a NED with “cyber and business risk knowledge into the boardroom,” and describes that move as wholly beneficial. Pitman, too, broadly sees the value of a niche skillset, pointing out that the scarcer the skill, the more value it brings to a board that lacks it.
Palmer notes that it’s difficult for boards to find the right NEDs. “I’ve found no shortcuts,” he admits. He raises the challenge of gender balance. “We need to address the issue of how people are appointed,” he says. “The focus needs to be on competence, and if done right, boards will become more inclusive and representative of the level of challenge.”
Whilst the advantages reaped by an organisation with a cyber-NED are plentiful, there is also the question of what the role means for the cyber-NED themselves. For Palmer, it means a definite improvement in his ability to do his day job. “I am 10 times more effective at my primary role because I have the context and understand the financial services and regulatory and business challenges because of my non-executive roles,” he believes.
Call the role cyber-NED, call it NED, call it whatever you want; there are undeniable benefits for organisations with the foresight to bring in a non-executive with cyber experience and knowledge. Add that experience to a GRC mindset and the ability to challenge the board insightfully and helpfully, and you’ve got one hell of a cyber-NED on your team. Although, that’s just one hell of a NED to you and me.
First things first: the role of the NED is not to be taken lightly. That may be stating the obvious, but the NEDs interviewed for this feature were all keen to point this out. Time commitment is substantial, and the weight of responsibility is heavy. Palmer’s advice is to take on a NED role out of a desire to contribute, not just to add a notch on your career development bedpost.
He recommends board apprentice programmes for experience, exposure, and understanding how boards operate. “There is support available from organisations like the Institute of Directors to help with that journey,” he advises.
Palmer also suggests that a governance role is a significant first step in your quest to becoming a NED. “Being a NED is a mindset more than anything,” he explains. “You can get that experience from serving on a Parish Council or a school governing board,” he offers, stating that there are no current pathways to train people as NEDs. “Well, there are pathways, but they’re not well-trodden,” he admits.
Newby recalls that the non-executive diploma “teaches you that cyber-NED roles will rarely be advertised.” He admits frustration, explaining that the roles are almost always recruited via networks, heavily relying on whom you know. Therefore it’s hard, as a cybersecurity professional, to break away from being pigeonholed as a NED within a cyber or tech company.
Palmer describes the catch-22 when navigating the leap into a cyber-NED role. “The challenge is that most people in executive roles in cybersecurity don’t have prior experience in NED roles to be well-positioned to do a non-executive role.” The same old catch-22 that many encounter when trying to take that first step onto whichever career ladder they are pursuing.
“The normal route into a NED role is having a previous executive role in an organisation similar to the one you’re going to,” says Palmer. “At a minimum, they’ll want experience reporting directly to a Board.” However, it’s essential to recognise, he adds, that “there’s a huge difference between reporting into a board and sitting on one.”
Oldham stresses the importance of finding a complementary role. “Find a role where you can add value. The best performing boards have diverse skills, and being a good non-executive director isn’t about any particular skill,” he says.