Nihon Cyber Defence

Vol #1 Leadership & Cyber Resilience

A Board’s Guide to Navigating Security Challenges

In today’s digital landscape, cyber security is no longer just a technical concern – it’s a critical business imperative. Board members, irrespective of their technical expertise, must ensure their organizations are adequately prepared to defend against cyber threats. Yet, for those without a background in IT or cyber security, understanding how to gain assurance on these risks can be daunting.

In this inaugural article of a thought leadership series, Nihon Cyber Defence (NCD) Board member, John Noble, offers a framework of non-technical questions to help Board members engage meaningfully with cyber security topics. These questions reflect the key challenges and solutions we often discuss with clients across Japan. This is not an exhaustive checklist but an accessible starting point for Board members looking to elevate their cyber leadership.

Understanding the Problem

Before addressing cyber security, Board members must grasp the broader context of their organization’s IT environment:

  • Legacy Systems: How much of our IT infrastructure relies on unsupported, outdated systems? These legacy systems often present significant vulnerabilities.
  • Operational Ownership: Is our IT managed in-house or outsourced to a Managed Service Provider (MSP)?
  • Infrastructure Location: Are our systems hosted on physical, on-premise servers, or are they cloud-based?

Recognizing Threats

Not all cyber threats are created equal. Boards need to understand who might target their organization and why:

  • Threat Actors: Are we most at risk from hostile states, hacktivists, or cybercriminals?
  • Critical Assets: What are our most important IT systems and data?
  • Key Risks: What do we consider to be the primary cyber risks to those assets?

Assessing Technical Controls

Effective cyber security relies on robust technical and procedural defences. Board members should explore the following areas:

  • Access Management: Are sensitive systems protected by Two-Factor (2FA) or Multi-Factor Authentication (MFA)?
  • Privileged Access: How do we secure administrative or privileged accounts?
  • Network Design: Is our network segmented to contain potential breaches?
  • Phishing Defences: What measures are in place to prevent phishing attacks?
  • Legacy Mitigation: How do we safeguard legacy (out of support) systems, ensuring they’re isolated from internet exposure?
  • Software Updates: How quickly can we apply critical updates?
  • System Configuration: Do we regularly verify that our systems are correctly configured?

Fostering a People-Centric Security Culture

Technology alone cannot secure an organization; people are equally critical:

  • Internal Expertise: Do we employ cyber security specialists, such as a Chief Information Security Officer (CISO)?
  • Workforce Training: What cyber security and data governance training do staff receive?
  • Insider Threats: How do we mitigate risks posed by insiders, whether intentional or accidental?
  • Cultural Alignment: How do we embed a culture of security throughout the organization?

Responding to an Attack

Preparation and resilience are key to minimizing the impact of a cyber-attack:

  • Detection & Response: Do we use automated monitoring or employ Managed Security Service Providers (MSSPs) to detect and respond to incidents?
  • AI Assistance: Are artificial intelligence tools leveraged to enhance detection and response capabilities?
  • Recovery Readiness: Have we recently practiced recovery drills to ensure readiness?

Securing Assurance and Managing Risks

Boards must establish confidence in their cyber security strategies through oversight and external validation:

  • Audits: When was our last external audit, and what were its findings?
  • Third-Party Risks: How do we ensure outsourced IT functions and vendors meet our cyber security standards?
  • Governance: What structures are in place to provide ongoing oversight of cyber risks?

Building Resilience

Cyber resilience is about ensuring continuity, even under attack:

  • Backup Strategies: Are robust data backup and recovery systems in place?
  • Incident Exercises: When did we last conduct a simulated cyber-attack recovery?
  • Insurance: Do we have cyber insurance, and what does it cover?

Empowering the Board Through Continuous Engagement

Cyber security is a dynamic challenge, and Boards must evolve their understanding in tandem. Regular discussions, ongoing training, and scenario planning can strengthen an organization’s ability to face cyber threats with confidence.

Stay tuned for the next article in this series, where we’ll dive deeper into operationalizing cyber security strategies and measuring their effectiveness.

John Noble

Commander of the Order of the British Empire (CBE), Non-Executive Director @ Nihon Cyber Defence

With 40 years in UK Government, Noble co-founded the UK NCSC and now advises organizations globally on cyber security and strategic transformation.

Cyber Maturity Assessment

Nihon Cyber Defence (NCD) offers comprehensive Cyber Maturity Assessments designed to evaluate an organisation's current cyber security capabilities, identify areas for improvement, and develop a strategic roadmap to enhance overall security posture.

Cyber Security Framework (NIST)

National Institute of Standards and Technology

Cyber Assessment Framework (CAF)

National Cyber Security Centre

