A non-executive director (NED) is an independent member of the board of directors not employed by the company. This doesn’t mean they’re unpaid. Of course, they are financially compensated. Nor does it mean they escape the responsibilities and liabilities of an executive director.
Indeed, the primary role of a NED is to provide independent oversight and judgment, bringing personal experience and unique skillsets to the boardroom. Given that cybersecurity has fast become a boardroom issue, this begs the question; what role should NEDs play here and is there a need for NEDs to be appropriately upskilled in all matters cyber?
“Regardless of whether NEDs have any cyber awareness or skills, or whether the Board allows NEDs to comment on cyber-related issues, all NEDs should seek constant confirmation and reassurance of the company’s or organisation’s security status and posture.” These are the words of Correy Voo, chairman at MIRACL, an information security infrastructure as a service specialist.
What’s more, Voo suggests that, where possible, they should also raise awareness of reported cyber issues which may impact the business. Assuming that, like many cybersecurity professionals, you accept the (admittedly cliché) security posture mantra of “not if we will face a cyber incident, but when,” then NEDs should be playing this key questioning role to foster cyber-resilience.
Paul Bentham, chief product officer at cyber resilience company, Immersive Labs, suggests that questions should include “are we prepared for cyber threats?” and, most importantly, “how do we know?” Boards are responsible for seeking assurance from Chief Information Security Officers (CISOs) and other security professionals to ensure those teams within the organisation have the resources required to confront cyber risk effectively. “Today, we are seeing an increase in Boards asking CISOs and other security professionals to demonstrate that proof,” Bentham says.
Nowhere can this be better exemplified than in the financial services sector, according to Conor Flynn, the CISO at Waystone, a supplier of governance, risk and compliance services to the asset management industry. “We are not expecting NEDs to be cyber experts,” Flynn says, “in the same way that a NED on the Board of a pharma company is not expected to have a master’s degree in Chemistry.”
“All NEDs should seek constant confirmation and reassurance of the company’s or organisation’s security status and posture.”
However, there is an expectation for NEDs to be able to assess, challenge, and help develop the cyber strategy. “This includes managing the risks, financial controls, and management performance,” Flynn continues, “and bringing in external expertise where necessary before instructing management to respond.”
This isn’t rocket science, but it is business common sense as directors are increasingly being held accountable for security alongside other types of business-level risks. “This has led to increasing scrutiny,” Bentham adds, “as Board members are demanding visibility into cybersecurity risks and organisational capabilities and readiness.”
If this is starting to sound like a job description for a dedicated specialist ‘cyber-NED’, that isn’t the intention. While there are arguments to be made for and against that case, which we’ll be exploring later this month, we’re focussing here on generic NEDs. That may seem at odds with the weight of cybersecurity expectations already laid at their feet, but bear with us as we ask another obvious question; How can NEDs best address becoming appropriately upskilled in cybersecurity?
“Even if NEDs are not cyber literate,” Voo insists, “they can learn about threats and raise issues to the Board for confirmation or closure. This places an obligation on the Board as a governing body to address the issues raised and close them off in officially recorded minutes.”
Voo doesn’t consider this hugely problematic, given that cybersecurity is a commonly accepted topic for discussion among a diverse business audience these days. “Cyber is no longer considered to be dark art practised by a select group of specialist technology wizards,” Voo says. While Voo concedes that some kind of formal training in cyber for NEDs would be preferable, that isn’t a prerequisite: “It doesn’t have to be deep training, just general awareness of the concepts and issues would be better than nothing.”
NEDs should always explore their business sector’s free training and educational materials. For example, within healthcare, NHS Digital provide a cybersecurity guide for NHS NEDs that helps them better understand how cybersecurity fits into their organisation and provides guidance on becoming more cyber-resilient.
NEDs, almost by definition, will likely bring a ‘broad but shallow’ level of business expertise, and over-qualification in one area could come at the cost of others. “In much the same way as the Board and its directors get independent expert support in areas such as legal advice,” Flynn says, “directors should be able to avail of cybersecurity support at the Board level, which is also an effective way to deliver cyber training to Board members,” including NEDs.
Suppose NEDs do not develop a general awareness of various topics, including cyber. In that case, Voo adds, “they risk making the entire Board ineffective and unable to address the contemporary needs of a modern business.”
Yet, within this ‘broad brush’ of experience, any organisation needs to include “at least one NED that has sufficiently detailed knowledge to be able to hold executive management to account,” according to Alan Calder, CEO of risk management and compliance specialist GRC International Group. Such expertise can come from a professional advisor to the Board, who can “provide that support while the NEDs improve their knowledge.”
This leads us to a further question; what are the dangers that this ‘knowledge gap’ creates for the business while NEDs acquire the necessary cybersecurity smarts?
Correy Voo again turns to the power of the collective in response. “Cyber threats are increasing in volume, sophistication, and diversity, so keeping up is always a challenge,” Voo says. “If the collective awareness among NEDs on a Board is improved, this creates a better overall composition of specialists and generic skills, ultimately making the Board more able to adapt to a range of emerging issues.”
By continuously assessing, building, and proving cyber-readiness for teams across the entire organisation, including NEDs, executives can confront new and emerging threats faster than traditional cybersecurity training approaches. Closing this knowledge gap, Paul Bentham admits, will take time. “The most important first step is to understand an organisation’s biggest risks and address them as quickly as possible,” he says.
We’ll give the last word to Waystone’s Conor Flynn, who points out that it is often said that the measure of any well-run business is in how it responds to, and deals with, a problem.
When it comes to cybersecurity problems, and don’t forget that ‘when not if’ mantra from earlier, incidents commonly evolve from the blind spots that directors cannot see, and the knowledge gap is a critical component here. “If NEDs are in a position to question and challenge management,” Flynn says, “and there are deficiencies in the response or execution, the Board can at least make an informed risk-based decision on dealing with those issues.”
Where there are unknown unknowns, there is a real risk to the business and to the director’s obligations as a director that may put them in breach of legislation or regulatory compliance. “If a Board is well prepared and has considered these matters in advance,” Flynn concludes, “there will be a more rapid and strategically aligned response than one where there are a lot of headless chickens and poor leadership.”