The UK’s National Cyber Security Centre (NCSC) has launched a fresh package of expert support aimed at CEOs and other senior business leaders, with the aim of encouraging them to take a more pivotal role in boosting their organisations’ cyber resilience, make informed decisions, and adopt a systematic and practical approach to security issues.
First launched nearly five years ago, its Board Toolkit has now been enhanced specifically to improve board members’ and senior leaders’ confidence in raising cyber security issues and discussing them with stakeholders, including IT and security teams.
“Cyber incidents can have severe impacts on organisations of all sizes, both in the short and longer term, from causing reputational damage to grinding operations to a halt,” said NCSC CEO Lindy Cameron.
“That’s why I am delighted to announce the launch of the NCSC’s refreshed cyber security Board Toolkit to help ensure cyber resilience is rightly put at the top of the agenda for all senior leaders. I’d encourage all CEOs, board members and senior leaders to read through the toolkit and use it to drive forward the cyber security conversations needed to keep their organisation secure online,” she said.
The revised toolkit emphasises how board members should treat cyber risks with the same prominence as financial or legal risks, and includes a range of new tools, including enhanced information on the benefits of appropriate cyber posture, essential activities for organisations and indicators of success. Much of this is broken down into a number of new content options, including bite-sized informational videos, executive summaries, and a podcast featuring contributions from industry voices.
Lindy Cameron, NCSC
It outlines some of the basic safeguards that may reduce the likelihood and impact of a cyber attack, covering a range of issues across three core topics: creating an environment where best practice can flourish; getting the right information to support decision-making; and taking steps to better manage risk.
It also includes real-life case studies from organisations that have already gone through a cyber security makeover, and others that experienced the sharp end of a cyber security incident.
Mark Sedman, cyber security and vendor manager at charity WaterAid, which features as a case study in the updated toolkit, said the service had proved immensely useful to his organisation.
“Our board of directors is made up of CEOs from other organisations, and the Board Toolkit has been key in driving the cyber strategy and engaging other parts of the organisation,” he said. “Following the Board Toolkit proved to be a real enabler for us in receiving support from key stakeholders and has really strengthened our thinking.”
WaterAid’s senior internal auditor, Natasha Scott, added: “As very much a non-IT person, I found it an incredibly helpful framework for designing a high-level internal audit review of our cyber security arrangements. I used the toolkit’s questions for board members and management as the basis of the audit working paper.
“Going through these questions with a member of our board and colleagues from IT and other teams helped me develop a better understanding of where our cyber security is strong and where there might be risks we had not previously considered. The audit delivered a number of recommendations, which management is now actioning to make improvements,” she added.
Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), welcomed the revised package: “The global companies that reside in the US and the UK understand that cyber security is a borderless issue. This toolkit will be another valuable resource in helping them take accountability for cyber security decisions, ultimately raising the collective cyber security baseline for us all.
“With corporate reputations and revenue on the line – and broader implications for our global security – we must continue to evolve how businesses are prioritising cyber security,” added Easterly. “Together, we need to catalyse a new model of sustainable cyber security that starts with a commitment at the board level to incentivise a culture of corporate cyber responsibility in which managing cyber risk is treated as a fundamental matter of good governance.”