I am delighted to announce the launch of the NCSC’s refreshed cyber security Board Toolkit. The feedback we received from non-executive directors and our i100 industry team will ensure the toolkit remains up-to-date, relevant, and framed in language that boards are familiar with.
The vast majority of organisations in the UK rely on information, data and digital technology to function. For businesses today, cyber security is therefore essential, and Board members have a pivotal role in improving their organisation’s cyber resilience and exploiting the opportunities that technology brings. The toolkit helps boards to ensure that cyber resilience and risk management are embedded throughout your organisation. It will help you to make informed cyber decisions that are aligned to your wider organisational risks, and ensure cyber security is assigned appropriate investment against other competing business demands.
As a board member it is important to view cyber resilience strategically. Cyber security risk should have the same prominence as financial or legal risks in board discussions. Crucially, cyber security is not just ‘good IT’; it underpins operational resilience and when done well, enables your organisation’s digital activity to flourish.
The toolkit helps organisations to adopt a methodical and proactive approach to cyber security, and outlines basic safeguards that can greatly reduce the likelihood – and impact – of cyber attacks. I’d encourage all board members to take time to read the toolkit, and use it to drive productive cyber security discussions between boards and key stakeholders in your organisation.
Lindy Cameron – Chief Executive Officer, NCSC
The vast majority of organisations in the UK rely on information, data and digital technology to function. Cyber security ensures organisations can operate effectively in our increasingly online world. When it’s done well, cyber security is so much more than a compliance function or the implementation of technical controls. You can use it to exploit the opportunities that technology brings, drive your company’s agenda, and deliver real value throughout your organisation. Crucially, good cyber security facilitates better cyber resilience: the ability of an organisation to protect itself from, respond to, and recover from a cyber attack, data breach or service outage. The Executive Team, Audit Committee, Risk Committee and Remuneration Committee all have roles to play in making sure that there is the right level of assurance in the business, but ultimate accountability to the shareholders is with the board.
What is the Board Toolkit? The NCSC’s Board Toolkit helps boards to ensure that cyber resilience and risk management are embedded throughout an organisation, including its people, systems, processes and technologies.
What are the benefits of using the Board Toolkit? Boards are pivotal in improving the cyber security of their organisations. The benefits of effective cyber security include:
- Organisations can prioritise areas for investment that balance the value of protection against the needs of the business. This will enable them to create a roadmap for improvements and set aside a budget for the risk exposure.
- Taking cyber security seriously builds trust and confidence with customers and shareholders, particularly at a time when risks and threats are becoming increasingly complex in customer supply chains.
- Organisations that need to demonstrate compliance to regulators are able to do so more efficiently where cyber security is well integrated into the business.
- Organisations that understand their ‘enterprise estate’ (that is, their people, systems, processes and technology) are better able to identify areas that are critical to the business operation and identify appropriate resources to mitigate against identified threats.
- Organisations with a healthy security culture are able to learn from incidents, driving improvement and innovation. As well as benefits to productivity, it can also lead to greater employee wellbeing and retention.
- Investing resources in cyber security training and education enables organisations to prepare their workforce for adverse events and incidents by empowering their decision making.
Who is the Board Toolkit for? The toolkit is aimed at board members in medium to large organisations in any sector. That could be:
- a Board of Directors
- a Board of Governors/Advisors
- Non-executive Directors
- a Board of Trustees
Additionally, committees reporting to the board and security practitioners may find the Essential activities section useful in ensuring the organisation is adopting best practices. The included questions will help frame discussions with the board and key stakeholders. If your organisation already has a risk management process in place, this toolkit can help you to embed cyber risks through this process, which includes understanding your organisation’s overall cyber security strength and resilience.
If your organisation has a mature cyber risk management process in place, the toolkit will give board members the confidence to challenge how frameworks (such as NIST, ISO/IEC 27005 or CAF) are helping the organisation to achieve its broader objectives. Regardless of how established your cyber risk process is, the accountability for cyber risk remains with the board, even when cyber aspects are outsourced. Good cyber security has to work for your organisation. It has to be appropriate to your systems, your processes, your staff, your culture and, critically, has to be appropriate for the level of risk you are willing to accept. That is why, ultimately, cyber security is a board-level responsibility.