Fearless
Managing Cyber Risk can be challenging for a board, but it doesn't have to be daunting. With Cyber threats intensifying, Cyber Resilience has become a boardroom priority. In the past, this responsibility was often relegated to the technology team, with discussions dominated by complex jargon. However, the Board can approach Cyber Risk management with confidence by taking specific, actionable steps.
There are different pathways to encouraging a Board to engage more actively with Cyber Risk. We will be exploring two in this article: (1) ramping up the pressure by emphasising the threats and dangers, and (2) making Cyber Risk management more relatable to board directors and providing them with actionable steps to proceed. Some Cyber advocates suggest that the best way to get a swift reaction in the boardroom is to use language that intimidates. This approach often relies on fear, using imagery and language that evokes a sense of danger—think of grim, hooded figures and terms like "attack," "virus," and "intruder." While fear will indeed spur action, it also has significant drawbacks.
Why Fear Isn’t the Solution
While fear may prompt a board to act, it also narrows focus, stifles learning, and undermines trust[1]. A fear-driven approach can lead to hasty decisions and a myopic focus on immediate threats, preventing the board from developing a sound, long-term Cyber Risk management strategy. Instead, the board should aim for a more measured, collaborative approach.
Adopt a collaborative approach to Cyber Risk Management
Making Cyber Risk management less daunting is the more effective route. By fostering trust and promoting a culture of learning, the board can work collaboratively with the executive team to manage Cyber Risks effectively. Cyber Risk is a constantly evolving category, and continuous assessment is essential. To make Cyber Risk management less intimidating:
1. Integrate Cyber Risk into Your Broader Risk Management Strategy: Cyber Risk should be treated as one of your core risk categories and be part of your Enterprise Risk Management process. An incident response plan should be a key element of your risk mitigation measures, and it provides an excellent example of the importance of working collaboratively: a good incident response plan requires seamless collaboration between your business and the technology team.
2. Use Familiar Language: Apply the same terminology you use for other risks. Consider your risk appetite, model potential Cyber Risks, and determine what information and metrics you need from the executive team to stay informed. A proven Cyber Risk framework can help the board and the executive team find a common language. An example is the National Institute of Standards and Technology (NIST) Cybersecurity Framework[2].
3. Leverage Existing Resources: Identify and utilize sources that can help you enhance your Cyber Risk management approach. The National Cyber Security Centre (NCSC) has developed a Board Toolkit[3], which is an excellent starting point.
By following these steps, the board can effectively manage Cyber Risks and overcome the daunting jungle of technology jargon, ensuring a comprehensive, strategic, and confident approach to one of today’s most critical boardroom challenges.
[1] The Fearless Organization: Creating Psychological Safety in the Workplace for Learning, Innovation, and Growth, Amy C. Edmondson, 2018
[2] NIST Cybersecurity Framework, National Institute of Standards and Technology at the U.S. Department of Commerce, 2024, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf
[3] National Cyber Security Centre, Cyber Security Toolkit for Boards, 2023, https://www.ncsc.gov.uk/collection/board-toolkit