Back in March 2019, the National Cyber Security Centre released its Board Toolkit, a comprehensive guide designed to help board members manage cyber risk.
As the NCSC says:
Boards are pivotal in improving the cyber security of their organisations. The Board Toolkit has been created to encourage essential discussions about cyber security to take place between the Board and their technical experts.
The guidance is extensive and applies to firms of all sizes. The guide breaks the advice down into three sections:
Each of the sections contains subsections on how to approach each step. By following the guide, any organisation will be able to implement information protection controls that work for it. There is no single good approach to cyber security: each organisation will need to evaluate its own risks, technologies and ways of working. The guide sets out a series of questions a board could ask itself, its technical staff and its suppliers. These questions will help a firm better understand its own cyber risk and the controls it has in place.
One major international professional services firm took the Board Toolkit and extracted from it five questions they considered to be key to their organisation. The firm is happy to share the questions to help others get started.
These questions are taken from the section "What does good look like?" on page 32 of the PDF.
An agenda item was added to their regular board meeting and the questions were discussed at length. The discussions did not always produce clear and simple answers, but they allowed the organisation to consider ways in which cyber risk could be better managed, whether by implementing new ways of working, improving training or extending the use of technology.
Subsequent board meetings will revisit these questions and hear updates from those responsible for addressing each area. In future, further questions taken from the Toolkit will be added to the agenda of meetings.
The advice contained in the Board Toolkit is written in a way that is easy to follow, digest and implement. Firms are strongly encouraged to consider using this guide to manage cyber risk.