- Cyber Security Leadership
- December 18, 2024
Leadership & Cyber Resilience | Vol. l
A Board’s Guide to Navigating Security Challenges
In today’s digital landscape, cyber security is no longer just a technical concern – it’s a critical business imperative. Board members, irrespective of their technical expertise, must ensure their organizations are adequately prepared to defend against cyber threats. Yet, for those without a background in IT or cyber security, understanding how to gain assurance on these risks can be daunting.
In this inaugural article of a thought leadership series, Nihon Cyber Defence (NCD) Board member, John Noble, offers a framework of non-technical questions to help Board members engage meaningfully with cyber security topics. These questions reflect the key challenges and solutions we often discuss with clients across Japan. This is not an exhaustive checklist but an accessible starting point for Board members looking to elevate their cyber leadership.
Understanding the Problem
Before addressing cyber security, Board members must grasp the broader context of their organization’s IT environment:
- Legacy Systems: How much of our IT infrastructure relies on unsupported, outdated systems? These legacy systems often present significant vulnerabilities.
- Operational Ownership: Is our IT managed in-house or outsourced to a Managed Service Provider (MSP)?
- Infrastructure Location: Are our systems hosted on physical, on-premise servers, or are they cloud-based?
Recognizing Threats
Not all cyber threats are created equal. Boards need to understand who might target their organization and why:
- Threat Actors: Are we most at risk from hostile states, hacktivists, or cybercriminals?
- Critical Assets: What are our most important IT systems and data?
- Key Risks: What do we consider to be the primary cyber risks to those assets?
Assessing Technical Controls
Effective cyber security relies on robust technical and procedural defences. Board members should explore the following areas:
- Access Management: Are sensitive systems protected by Two-Factor (2FA) or Multi-Factor Authentication (MFA)?
- Privileged Access: How do we secure administrative or privileged accounts?
- Network Design: Is our network segmented to contain potential breaches?
- Phishing Defences: What measures are in place to prevent phishing attacks?
- Legacy Mitigation: How do we safeguard legacy (out of support) systems, ensuring they’re isolated from internet exposure?
- Software updates. How quickly can we apply critical updates?
- System Configuration: Do we regularly verify that our systems are correctly configured?
Fostering a People-Centric Security Culture
Technology alone cannot secure an organization; people are equally critical:
- Internal Expertise: Do we employ cyber security specialists, such as a Chief Information Security Officer (CISO)?
- Workforce Training: What cyber security and data governance training do staff receive?
- Insider Threats: How do we mitigate risks posed by insiders, whether intentional or accidental?
- Cultural Alignment: How do we embed a culture of security throughout the organization?
Responding to an Attack
Preparation and resilience are key to minimizing the impact of a cyber-attack:
- Detection & Response: Do we use automated monitoring or employ Managed Security Service Providers (MSSPs) to detect and respond to incidents?
- AI Assistance: Are artificial intelligence tools leveraged to enhance detection and response capabilities?
- Recovery Readiness: Have we recently practiced recovery drills to ensure readiness?
Securing Assurance and Managing Risks
Boards must establish confidence in their cyber security strategies through oversight and external validation:
- Audits: When was our last external audit, and what were its findings?
- Third-Party Risks: How do we ensure outsourced IT functions and vendors meet our cyber security standards?
- Governance: What structures are in place to provide ongoing oversight of cyber risks?
Building Resilience
Cyber resilience is about ensuring continuity, even under attack:
- Backup Strategies: Are robust data backup and recovery systems in place?
- Incident Exercises: When did we last conduct a simulated cyber-attack recovery?
- Insurance: Do we have cyber insurance, and what does it cover?
Empowering the Board Through Continuous Engagement
Cyber security is a dynamic challenge, and Boards must evolve their understanding in tandem. Regular discussions, ongoing training, and scenario planning can strengthen an organization’s ability to face cyber threats with confidence.
Commander of the Order of the British Empire (CBE), Non-Executive Director @ Nihon Cyber Defence
With 40 years in UK Government, Noble co-founded the UK NCSC, now advises organizations globally on cyber security and strategic transformation.
Cyber Maturity Assessment
Nihon Cyber Defence (NCD) offers comprehensive Cyber Maturity Assessments designed to evaluate an organisations current cyber security capabilities, identify areas for improvement, and develop a strategic roadmap to enhance overall security posture.
Cyber Security Framework (NIST)
National Institute of Standards and Technology
Cyber Assessment Framework (CAF)
National Cyber Security Centre
Explore more of the NCD suite: Cyber Security Consultancy, Protective Services, Network Monitoring & Security Operations, SIEM, Incident Management
