The UK’s National Cyber Security Centre (NCSC) has updated its toolkit for boards in an effort to help organisations embed cyber resilience and risk management throughout the business.

NCSC said that boards must view cyber security as a strategic issue. “Cyber security risk should have the same prominence as financial or legal risks in board discussions. Crucially, cyber security is not just ‘good IT,’” Lindy Cameron, NCSC’s chief executive officer, said in the report, “it underpins operational resilience and when done well, enables your organisation’s digital activity to flourish.”

Not a compliance activity

While organisations have spent significant time and money addressing cyber risk, regulatory rules risk encouraging some organisations to treat cyber security as just another compliance obligation. “Carrying out cyber risk management solely for ‘compliance’ purposes can lead to risk being managed in a ‘tick-box’ fashion and can prevent organisations questioning whether they have ticked the right boxes, leading to overconfidence in how well risks have been managed,” the report said.

Important elements of a cyber defence process include having a method or framework for managing the risk, embedding cyber security throughout the business – rather than treating the risk as a stand-alone problem – and setting a risk appetite to aid decision-making.

Watch the metrics

“Don’t make reducing risk levels the measure of success,” the report warned. While risk levels and impact levels can be useful, viewed in isolation they can be misleading. “It is important that parties collaborate to understand and agree the meaning and context of the risk management information provided,” it said.

In particular, individual cyber incidents should not be considered in isolation from one another. For example, a business may tolerate its email going offline for a day, or its website being down for a couple of hours, when each happens on its own – but multiple cyber threats sometimes materialise at the same time, and the combined impact can be far greater. Those connections need to be considered together.

The report also advised boards to collaborate with supply chains and partners. “Understanding the cyber security of partners is essential if you are to gain assurance that threats from the supply chain are understood, and risks mitigated,” it said. The NCSC’s supply chain cyber security advice can be found here.