
CxB co-founder Martyn Croft outlines options for organisations too small for cyber staff
If you’re a non-exec director with a special interest in cyber, you may be wondering who to turn to if you need assurance that all the bases are covered. And if a cybersecurity incident should befall your business, who are you going to call? Probably not Ghostbusters!
When the board discusses cybersecurity, is there a member of staff who can explain the ins and outs of how your organisation ensures its cyber security? Or are all things cyber left to the best endeavours of the generalists in your IT department?
That’s likely to be the case for around half of larger businesses, whilst smaller organisations won’t even have that luxury – with responsibility likely to rest with management or even the chief executive. And in a third of charities, responsibility for cyber security rests with a trustee (Cyber Security Breaches Survey 2024, published by DSIT).
For smaller organisations and charities, having a dedicated Chief Information Security Officer (CISO) on the staff is a rare occurrence and can be an expensive luxury. Even finding one person responsible for cybersecurity can prove to be a bit of a challenge.
Unsurprisingly, any good cybersecurity governance framework (such as Cyber Essentials) will look to identify the individuals responsible for cyber security, and will likely seek to ensure that the adopted framework is supported and endorsed by the boss.
But at a practical level the board will want to see numbers, measures and actions that demonstrate adherence to the framework. Leaving aside the vexed question of cybersecurity KPIs, regular monitoring and reporting will be an additional burden on staff who don’t see cyber as their main focus.
For some organisations, engaging a fractional CISO could be a cost-effective way to augment the cybersecurity skillset: an experienced practitioner providing part-time input on the security measures needed to keep your company safe and secure.
And there are many vendors who will offer outsourced cybersecurity solutions; indeed your external auditors may be first out of the blocks with that particular proposition. However, you should consider the potential conflict of interest, since the same firm will be reporting on your cybersecurity posture in its audit findings. And remember: whilst they may take care of the nuts and bolts, you can’t outsource the responsibility.
There’s no escaping the fact that the cybersecurity basics need board oversight in order to ensure good governance. We suggest the NCSC’s Ten Steps to Cyber Security as a potential starting point. Although pitched at security professionals, this guidance, along with knowledge of the assets you are trying to protect, can help non-execs structure an outline to lead board discussions, and help to formulate questions for your cybersecurity lead.
The ‘at-a-glance’ infographic is a useful summary of the key points that you and your board should be addressing. Based around a risk management approach, the ten steps cover an easy-to-understand cycle of understanding the risks, implementing appropriate mitigations, and preparing for incidents.
In short, pretty much the same approach that the board should be taking to managing any risk, not just cyber.