Lack of cyber security know-how in the boardroom hampers effective cyber risk management

A new survey of FTSE350 companies by KPMG found that a quarter of boardroom respondents never receive high-level updates from CIOs or security chiefs on the online risks they are facing.

Responsibilities are unclear

Moreover, there is a lack of clarity as to who should be responsible for cyber security in the boardroom. 16% of the respondents said the CEO should take responsibility, while 31% claimed this should be the CFO and 15% named the CIO as being accountable for cyber security.

Although 61% of board members said they had a good understanding of their company’s key data assets and 55% said they understood the impact of losing them, only 24% admitted they regularly reviewed risk management around valuable corporate data, and 65% said they rarely or never did.

Supply chain assurance

More firms are concerned with the cyber security posture of their supply chain. The survey revealed that 48% of the FTSE350 firms have inserted clauses in their contracts on cyber security risk, up from a third in 2014.

Good security governance practices moderate the cost of cyber crime

If there is one thing about cyber security that resonates with the board, it is the potential for cost savings. The good news is that, according to a report by the Ponemon Institute, organisations can indeed make savings if they deploy good security governance practices.

The 2014 Cost of Cyber Crime Study revealed that “companies that invest in adequate resources, appoint a high-level security leader, and employ certified or expert staff have cyber crime costs that are lower than companies that have not implemented these practices. This so-called ‘cost savings’ for companies deploying good security governance practices is estimated at $1.3 million for employing expert personnel and $1.1 million for achieving certification against industry-leading standards.”

Make cyber security a board issue

The proliferation of cyber attacks and data breaches has become such a significant challenge for businesses that more and more leaders and influencers are calling for the boardroom’s attention. In December 2014, the Bank of England warned in its Financial Stability Report that most UK financial institutions still view online security threats as a “technical” issue rather than one that should be tackled at board level.

Cabinet Office minister Francis Maude has also stressed to companies that cyber security is an “issue for the boardroom”.

What the board needs to know

No one expects the board to know the nitty-gritty details of cyber security, but board members should have a certain level of cyber security awareness and be familiar with their organisation’s cyber security posture and the relevant cyber risks, at least at a high level.

Risk management

The board should integrate cyber security risk management into the company’s risk management framework and obtain regular and frequent reports on cyber risks. Cyber security should be a standing item on the board’s meeting agenda.

Importantly, the board should ensure that the organisation has implemented basic ‘cyber hygiene’ and adheres to international best practice. In the UK, the Cyber Essentials scheme has emerged as the default minimum standard for cyber security, while ISO 27001 is the international information security standard and is widely adopted globally. Certification to ISO 27001 serves as a proof of independent verification that the information security management system meets the Standard’s rigorous requirements.

Cyber resilience

The board should also be informed of what will happen in the event of a successful data breach, how the company will recover, and how the incident is to be communicated to those affected.

Start with ISO 27001

ISO 27001 implementation should be a project the board not only supports but also demands. Moreover, certification to the Standard is proof of effective cyber security, and it can also facilitate the reporting and reviewing process.

To get started with ISO 27001, take advantage of IT Governance’s fixed-price ISO 27001 Get A Lot Of Help package.

The ISO 27001 Get A Lot Of Help package provides guidance from an ISO 27001 implementation specialist throughout the entire project, without the associated expense of hiring a consultant to do all the work. This unique approach to ISO 27001 implementation empowers organisations to quickly and cost-effectively assimilate and deploy critical knowledge in a way that enables them to achieve certification and maintain it in the future, all at a fixed, cost-effective price.

Find out more about IT Governance’s ISO 27001 Get A Lot Of Help package today and protect your data.