3 Resources to Help Board Training

Increase the board's cyber savvy with these reads


It's high time boards of directors ("boards") of every organization that relies on digital systems increase their knowledge of cybersecurity. Being responsible for overseeing their organizations' cyber risk management, they should reasonably know what to evaluate and how without depending entirely on the guidance of CISOs or independent advisors. Accordingly, there have been notable pushes for this from different sources. We shared last year that the U.S. Securities and Exchange Commission (SEC) is proposing a rule requiring public companies to report annually on their board's cybersecurity expertise. And more recently, we shared that the EU's second version of the Network and Information Systems (NIS) security directive ("NIS 2" or "NIS2") will require boards to have training for the identification, approval and supervision of their organizations' cybersecurity risk-management measures. Now, the NIS 2 Directive website itself offers some courses, and surely many more courses by different providers are and will be available. But since courses could fall a bit short (e.g., their duration ranges from one hour to one day), we want to recommend three up-to-date resources that may help boards start learning on their own or expand on what they learn during training.

Cyber Security Toolkit for Boards

The National Cyber Security Centre (NCSC), a major cybersecurity authority in the UK, has developed its "Cyber Security Toolkit for Boards." In our opinion, it makes for a useful resource at the basic level. From the introduction, it provides a palatable definition of cybersecurity. Moreover, it presents what kinds of actors are constantly looking to gain unauthorized access to organizations' systems and explains concisely why any organization relying on digital technology can be targeted. It also engages board members by informing them briefly how they themselves may be targets of those threat actors.

In this toolkit, the NCSC describes essential activities and indicators of success in risk management processes. In other words, it informs the board what practices should be in place in the organization and what to look at to evaluate its performance. The activities, along with indicators, are put into three categories, which we now summarize:

  • Create the right environment: Activities to establish governance and communication acknowledging cybersecurity as a matter that impacts every aspect of the organization, train employees in good cybersecurity behaviors, and strengthen cybersecurity expertise.

  • Get the right information to support decision making: Activities to learn what the organization's critical assets are, which threats it faces, and how secure it is.

  • Take steps to manage risks: Activities to prevent successful cyberattacks, secure the supply chain, and respond to cyber incidents.

At the end of the document, the NCSC briefly describes some regulations that the board should be aware of, noting where some of them apply specifically to organizations in the UK or to those handling data from people in the UK.

Director's Handbook on Cyber-Risk Oversight

Next is a handbook created by the National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA). The former is a membership organization that has among its objectives to expand board directors' knowledge, whereas the ISA aims to bring economics and public policy to the handling of matters of advanced technology. Their "Director's Handbook on Cyber-Risk Oversight" offers guidance for boards to be a part of the discussions about the current threats to their organizations and the strategy that their organizations' management teams are applying. This handbook offers six core principles for effective board oversight of cybersecurity and a rich toolkit. In the latter, each tool is written by an expert and covers a specific, relevant topic, with guidance and questions that the board can direct to management or to itself.

The six principles detailed in the handbook are related to the following:

  • Treating cyber risk as being entwined with enterprise risk management.

  • Understanding that failing to meet cybersecurity requirements has legal implications.

  • Discussing cyber risks in board meetings and with the help of experts.

  • Requiring of management the establishment of a cyber risk management framework and a reporting structure.

  • Discussing the quantification of financial losses estimated for cyber risks and how the latter are being managed.

  • Encouraging systemic resilience through collaboration with industry and government peers.

Data Driven Approach to Board Cybersecurity Governance

For those who like to dive into research articles, this might be a great resource. It's a paper by researcher Sarv Girn of the University of Technology Sydney. "A Data Driven Approach to Board Cybersecurity Governance" informs readers of how much material (e.g., research, industry sources) has been published targeting senior executives and board directors. The author's assessment is that it's only a limited quantity. Remarkably, the study categorizes the material into six themes, and board members can therefore refer to the listed publications that would best suit the subject on which they wish to be informed or trained. The following are the themes found and our own summarized descriptions:

  • Principles: Includes materials that cover foundational aspects of cybersecurity.

  • Accountability: Includes materials that stress that accountability and responsibility for the organization's cybersecurity lie not just with the CISO, but also with the board and top management.

  • Reporting: Includes materials that offer security metrics and reporting frameworks.

  • Assets: Includes materials that highlight the need to identify which processes, information and systems need to be protected.

  • Culture: Includes materials that focus on enhancing cybersecurity awareness and evaluating the effectiveness of campaigns pursuing this.

  • Lexicon: Includes materials that seek to help technical and non-technical audiences in the understanding and use of a common terminology.

Those are our recommended reads. If you would like to step up your risk management game by continuously looking for and remediating vulnerabilities in your IT systems, we invite you to enjoy our Continuous Hacking Essential plan for free for 21 days. And take a look at our plans to learn about the options we have for you.
