With the UK triggering Article 50 last month and the General Data Protection Regulation (GDPR) coming into play in just over a year many companies will need to evaluate their current cyber security policies, a task usually given to the Head of Technology or CTO/CIO.
Yet despite the increasing importance of understanding cyber risks, and the significant bad press a cyber attack can bring to an organisation, many companies do not include someone in this role on the Board of Directors.
Below we speak to experts in the technology and cyber security fields to see their opinion on Brexit, GDPR and Board-level cyber security understanding.
Brexit and GDPR
With the UK triggering Article 50, many companies are left wondering how this will affect their requirements under GDPR, and if this will shift their cyber security priorities
Fundamentally, Brexit will not change the requirements of GDPR. We will still be in the EU when GDPR comes into play, and whatever policies the government puts in place following Brexit will closely mirror, if not be exact replicas, of GDPR. The UK will need to set their laws to be equivalent and adequate so your priorities as a business should not change.
If you have evaluated your security programme and are complying with GDPR, or making efforts to comply before it starts, then you should not be affected by Brexit and in fact will be ahead of national UK-only companies who will see changes to regulations post-Brexit for non-global companies.
Andy Hague, an independent cyber security expert and consultant, stated “The difference between a directive and a regulation is that directives are an ‘ask’, and guidance, rather than a requirement. But with GDPR, the ownership has changed and now people are now making more effort because they don’t want to be held responsible and have to explain how a breach happened. Brexit will not change this.”
Cyber security at a Board level
Yet, despite cyber security becoming more high profile, and ownership shifting, there is still a struggle within many businesses to address the importance at Board level.
The majority of UK organisations don’t have a cyber security professional sitting on the Board. Due to this, many professionals struggle to green light projects or sign off budgets at the necessary level.
The lack of understanding at a Board level then trickles down to the lack of strategy at an operational level.
Haroon Malik, Principal Consultant for NCC Group explained one of the reasons, “Many companies consider cyber security to be micro-level and compliance based. They do not see the value of changing to a risk-based macro-level strategy inclusive of a metrics framework.”
He expands, “Boards and executive teams need to change their focus and start asking different questions so they can fully understand the long-term strategic value of cyber security.”
Questions Board of Directors should ask include:
- Is our cyber security programme ready to meet the challenges of today’s and tomorrow’s cyber threat landscape? Are we receiving the right KPIs?
- What are we doing to improve cultural awareness in relation to cyber threats?
- How are we protecting our high-value assets?
Where do we need to prioritise our investment efforts?
- If we had a cyber breach/attack, how soon would we know?
Another reason is that frequently the top-tier of cyber security management becomes the scapegoat if there is a cyber attack. If the Board is unaware of all of the risks, or operational specifics, and there is an attack they are able to point the finger away from themselves for responsibility, therefor adding a layer of protection. Despite cyber security becoming more high profile, and ownership shifting, there is still a struggle within many businesses to address the importance at Board level
The problem with this now, is that consumers don’t care who the individual in charge was, rather that the business they use had an attack. So the attack can cost the company far more in lost customer trust, bad press, and revenue than just an employees job, so the Board does need to have a full understanding of their cyber security protection.
You would not see a Board of Directors who didn’t fully understand the long term legal or financial strategy of an organisation, [the same] should be the case for cyber security.
Changing cyber security communication
One way professionals can help promote awareness and change Board involvement, is to change the way they talk about security measures, risks, attacks and strategy.
Haroon expanded, “Change the [discourse] so that the information is relevant to the audience.”
If you are speaking to a technical savvy audience you can talk more about the strategy and the technical aspects, if you are speaking to a Board without information technology experience, or limited knowledge, talk more about the financial risks of attacks or the PR surrounding the type of attacks you are at risk for.
By giving the Board something they can relate to, you will increase the importance of cyber security on their agenda.
The Robert Walters' Cyber Security Breakfast Seminar featured a panel including Alban Tramard - Head of Information Security at The Hut Group, Andy Hague - independent cyber security consultant, Haroon Malik - Principal Consultant at NCC Group, Lee Newcombe - Senior Manager of Cyber Security at KPMG and Rhiannon Jones - Associate Director at Deloitte LLP.
Learn more about GDPR and cyber security here.
Thinking about a career move? See what roles we have available now.
For further career advise, read the latest career advise articles here.