How can boards of directors influence cyber security culture?
- Caroline Rivett
Caroline Rivett is a non-executive director and cyber security advisor. She is currently Audit Chair at NHS Sussex and the Royal College of Nursing, and a board trustee at a number of other healthcare and legal services organisations. Formerly, Caroline was a Big Four cyber security consulting partner with 25 years' experience. Whilst at KPMG she was the global cyber security lead for life sciences and accountable for data privacy services. She continues to consult in cyber security.
The human side of the board
Jessica Figueras, CEO of CxB, and I recently discussed boards’ influence on cyber security culture and how, as non-executive directors (NEDs), we influence our boards. This was one of CxB’s regular webinars for board members based on the Cyber Governance Code of Practice, focused on the role of people and culture in cyber governance.
I first learnt about the role of the board of directors as part of my MBA, including their significant influence on organisational culture. They would structurally shape culture through hiring decisions, setting financial incentives, determining organisational structure, and making strategic responses to customers, suppliers and competitors. A ‘tone at the top’ would be shaped by directors’ behaviours, together with defined values and expected behaviours.
A few years on, now as a board member myself, I see the human side to this, with a group of people in a meeting, soon to be assisted by an AI tool, discussing and agreeing on matters summarised in the board papers.
The Chair orchestrates the meeting, agreeing the agenda and managing the discussion. You can see how board culture starts to get shaped, when the Chair encourages more questions on a topic, pulling in questions from across the board members, or conversely is focused on getting through the agenda as efficiently as possible.
NEDs will have reviewed often lengthy papers in advance, and may ask questions, aiming to choose topics and questions wisely, in the time allowed, to gain better assurance over strategic risks. For those of us in the public sector, these meetings will often take place in public and be recorded, and so, although board discussion is encouraged, it needs to be done carefully and wisely.
Gaining assurance as a NED
To fulfil our roles as non-executive directors we need to gain assurance. This is likely to be done in board committees, such as the Audit & Risk Committee, where there is more time available to explore and review the evidence. For example, we can gain better assurance over employees’ cyber security awareness by reviewing internal audit reports, looking at security learning metrics, reviewing numbers and types of incidents, reflecting on our knowledge of organisational structure and culture, in addition to reviewing the contents of the board assurance framework.
Definition of organisational risk appetite helps guide employees in decision-making, especially in difficult situations. Personally, I feel that the discussion on risk appetite at board level can sometimes feel a little esoteric and can get overly theoretical. As a way of keeping it real, I think it helps for it to be a guided discussion built around relevant use cases.
So, for example, in one of the charities I work with, they’ve stated that they have a highly risk-averse attitude towards patient health, and a more entrepreneurial focus on fund-raising. We were guided through this discussion by our Head of Governance and an experienced charity audit partner to focus on how we would act in certain financial scenarios. Previously as a consultant, I led a board exercise on cyber security risk appetite with a university board where we took board members through different scenarios as the first stage in building the case for increased cyber security programme funding.
Questions that NEDs could ask about people and culture
As non-executive directors, our perspective on organisational culture and specifically cyber security culture is likely to build up over time. It will be based on information gained from many conversations, board papers, and other evidence including staff surveys, speak-up reports, metrics, and breaches.
To gain better knowledge about the cyber security culture, whether at the main board or in board committees, our questioning could cover aspects such as:
- The policies which support cyber security. Are they practical, fair and transparent? What are the metrics which measure cyber security effectiveness?
- Clarity of people’s roles and responsibilities. Do people know what to do in an incident? Do they know who to talk to? Are those in charge of cyber security viewed as being helpful and easy to talk with?
- Existence and the extent of training programmes which enhance employees' understanding of cyber security. How is their effectiveness evaluated?
- Cyber expertise in the organisation. How are the resources allocated, how mature is the organisation, and how technical is the team?
- Organisational culture. Does it encourage responsible behaviours, taking accountability and reporting of risks? Can people take ownership of their cyber security practices and report concerns without fear of adverse consequences? As board members we may see the ‘Speak Up’ metrics, and these will give an added dimension to our knowledge of the culture. Does the organisation have a blame culture which reacts badly to bad news? How do we ourselves as board directors react to the executive directors telling us bad news?
Establishing a positive security culture from the top
Accountability is critical to cyber security culture, in both protecting information and sharing it securely. As non-executive board members we have considerable influence, not least through our own behaviour.
Boards set the tone for a positive cyber security culture through our constructive challenge, and also the ‘shadow we cast’ - our compliance with organisational policies, and acting consistently with the rest of the organisation. In my discussion with Jessica we discussed the impact of directors completing their cyber security mandatory training and their reaction to phishing spoofs.
Conversely, what does a negative security culture look like? The staff survey and speak-up metrics tell us a lot, as well as listening to what people say and how they say it. I’d argue that an organisational culture which deprioritises employee empowerment, communication, and collaboration, is likely to have a less than positive security culture. In addition, the types of breaches which take place and their causes can also tell us a lot about communication, learning, roles, and collaboration.
The NCSC’s view on cyber security culture is a perspective on how to improve cyber security. Their training packs are comprehensive and helpful to a NED discussion on cyber security and helping to improve it (you can access NCSC's guidance here).
As board members we have a key role in shaping organisational culture, and building a culture focused on learning, collaboration, strong role definition, and taking accountability. These cultural attributes, as well as improving employees’ working lives, should also help to enable improved cyber security.