Board members need to improve their understanding of cybersecurity to better manage business risk, the head of the National Cyber Security Centre (NCSC) has argued.
Speaking at the CBI Cyber Conference in London this week, Ciaran Martin claimed that senior business leaders are laboring under three dangerous misapprehensions about cybersecurity: that it is too complex, so they won’t understand it; too sophisticated, so they can’t do anything to stop it; and targeted, so they’re not at risk.
Yet board members can’t manage risk they don’t understand, so they must become more cyber-literate, he said.
“No-one in government is asking you to make cybersecurity your top priority. Your core business is your top priority,” said Martin.
“We do expect you, however, to be good enough at cybersecurity to take care of the things you care about. And that means you have to understand what they are, and what you can do to protect yourselves. This means you need to be – at least a little bit – cyber-literate.”
Martin admitted that the government’s strategy on providing businesses with cybersecurity advice and best practice hasn’t worked out as expected, with organizations focusing on good governance and simply outsourcing expertise.
“If you look at some of the previous guidance it simply says — cybersecurity should be discussed at board level. It doesn’t say how, and that a plan should be in place. That’s what we are moving on from today,” said Martin.
“So, over the past few months, we have been talking to businesses to work out where the gaps in their cybersecurity knowledge lie. And over the next few months we will be rolling out a suite of guidance on cybersecurity for large corporate organizations.”
During the speech, Martin posed five basic questions board members should be asking of their technical teams.
These cover: how the organization deals with phishing, privileged IT accounts, software and device patching, supply chain security and authentication.
“Crucially, we are also telling you what to look for in the response,” he added.
“If the answer is: ‘We have hired X and bought Y to address the problem,’ ask the question again. You need to understand what is actually happening — not what activity has been bought.”