In today's fast-paced digital landscape, where data breaches and cyber-attacks are on the rise, board members' roles have expanded to include cyber security as a vital part of corporate governance. Not all board members have a technical or cyber security background, but their decisions can significantly influence an organisation's security posture.

We’ve compiled a list featuring the top 3 tips to help board members manage cyber security successfully.


Tip 1: Establish the right environment

Culture provides the foundation for a cyber risk aware environment.

Embedding an effective cyber security culture within the organisation provides the foundations for ensuring cyber is understood and managed effectively.

Board members should focus on creating the right environment by ensuring that the organisation's leaders visibly demonstrate their commitment to security.

Assess the language used to promote good security. Do individuals see security as a positive, an enabler, a blocker or ‘checkbox’ activity? Foster a positive cyber security culture where people view security as a collective effort, recognising its significance alongside people, process, and technology.

Look for signs of a ‘blame’ culture, which can erode the trust within an organisation that is needed for people to adopt security measures.

As a board member, take time to engage and learn from your security team. Learn what matters most and what challenges currently exist. Engage with operational teams across your organisation to understand how ‘security’ is perceived. Look for opportunities to identify gaps which may have a strategic impact.

Expand cyber security expertise by having senior leadership oversee recruitment and training processes that meet the organisation's cyber security needs, including investment in personnel, external expertise, and talent development.


Tip 2: Position 'cyber' as a key business risk, not a technical issue

Cyber is too often seen as a technical issue when it is a business risk. Business risks can be caused and impacted by how an organisation operates and seeks to take advantage of future opportunities.

Cyber risk should be assessed in the context of organisational objectives. Board members should seek to understand the impact and likelihood of the risk materialising e.g., what are the common factors which may cause the risk to materialise and what type of impacts does this have on operations based on the strategic choices we are making (e.g., financial, operational, reputational)?

To manage risks effectively, it's important to have a good understanding of the technical estate and to be able to identify the critical assets upon which the key business objectives depend. Board members should consider validating how well understood and controlled the organisation's assets are.

Recognising and prioritising threats to assets is vital for effective cyber security investment, as it prevents inefficient attempts to defend against every threat. Threats evolve over time so it’s important to stay current and regularly perform threat assessments.

Many operational and organisational risks involve a cyber aspect, so cyber security risk should be seamlessly integrated into a broader risk management approach rather than treated as a standalone topic.


Tip 3: Implement robust measures to mitigate risks

Board members will be acutely aware that cyber security budgets are not infinite. Spend on cyber must be balanced with other investment decisions across the business e.g., marketing efforts for customer acquisition, or regulatory programmes.

A commercially focused, business aligned, risk-based approach should be adopted.

Board members should seek to understand how the effectiveness of cyber controls is being assessed; this includes validating that new investments in cyber are delivering on their intended objectives.
