
Why CEOs and boards must engage with cyber-risk

At board level, cybersecurity should have the same prominence as financial or legal matters.

By Lindy Cameron

At the National Cyber Security Centre (NCSC) a key area of focus is to ensure that board members and senior leaders recognise the importance of cyber-resilience across their organisations.

Any CEO or board member who is still asking why they should concern themselves with cybersecurity need only look at the numerous examples in the media of cyberattacks on organisations, not least those involving ransomware. The potentially devastating impact of such attacks on an organisation’s operations demonstrates why cybersecurity should matter to boards and senior leaders. It’s not just the money the organisation might be asked to pay in a ransomware attack to recover data. It’s also the lost business, the reputational damage and the expense of investigating and recovering from the attack.

The reality is that every year many millions of pounds are lost to opportunistic cybercriminals targeting organisations across all sectors, looking for weaknesses in their defences. This threat cannot simply be ignored or left to technical experts. The vast majority of attacks are still based on well-known techniques, such as phishing emails, which can be defended against.

Fortunately, organisations are not alone in dealing with these threats, and the NCSC – which is a part of GCHQ – is here to help.

So what is it exactly we are asking of CEOs and boards? Board members don’t need to be technical experts but they do need to know enough about cybersecurity to have constructive conversations with their key staff and assure themselves that their defences are robust enough to mitigate their organisation’s highest priority risks. These should have the same prominence as financial or legal risks in board discussions. Crucially, cybersecurity is not just “good IT”: it underpins operational resilience and, when done well, enables an organisation’s digital activity to flourish.

At there is an extensive suite of guidance, products and services for technical leaders in medium to large organisations, including the NCSC’s 10 Steps to Cybersecurity, Exercise in a Box and Early Warning. And then there is the NCSC’s newly-refreshed Cybersecurity Board Toolkit, a free online resource designed to encourage productive discussions between the board and key stakeholders across the business.

The toolkit provides a general introduction to cybersecurity and helps boards to ensure that resilience is embedded throughout their organisation and integrated into organisational risk management.

Originally published in 2019, the toolkit proved very popular with boards, and their feedback, together with input from non-executive directors and our industry contacts, will ensure it remains up to date, relevant and written in language that boards are familiar with. We have now updated it with new content including bite-sized videos, case studies from real-life incidents, an executive summary and a podcast with contributions from industry-leading voices – all designed to make it more engaging than ever before.

As all leaders will appreciate, good preparation is vital to success, and this is absolutely the case with cybersecurity: it protects the organisation and its customers and builds resilience. I encourage all board members to take time to read the toolkit, and use it to drive productive cybersecurity discussions between boards and key stakeholders in your organisation.
