The board of directors inside any organisation is responsible for setting the direction for the business. To do this it needs to understand the business it is running along with the risks and challenges facing that business. It must also deal with issues that are affecting the business now and, at the same time, make decisions that will have medium to long-term impacts.
It is for that reason that boards use experts to provide advice to both executive and non-executive directors. But what is the board expecting from its experts? It is an interesting question and comes at a time when the board is inundated with so-called experts. The rise in experts has come about as the importance of areas such as cyber security and GDPR grows.
At the recent CYBERUK 2018 conference in Manchester, England, Joanna Place, the Deputy Governor and Chief Operating Officer of the Bank of England gave her view on how a cyber expert should engage with the board. It was extremely informative and her advice is just as applicable to any cyber expert dealing with any board.
What does the board want to hear?
As a key stakeholder for cyber security at the BoE, Place has to talk to the board about what is happening. When addressing the board, Place says: “The board want to know how much I’m spending, why, what the risks are, are our actions proportionate, have we got the right skills, what’s the context, et cetera; and above all, they don’t want jargon. If they don’t understand what you’re saying, they may think you can’t communicate very well, but they may think that you don’t understand your subject and that will give them cause for concern.”
“So the role of the cyber expert, in my view, is two-fold. First, to be the expert, to understand the threats and to mitigate against them, but also to communicate in a language that is understood, because your responsibility as cyber experts is to tell the board what they need to know, not just to answer the questions that they have.”
One of the challenges of cyber security, indeed of any technical discipline, is dealing with jargon. It can be difficult to avoid jargon when giving an accurate description of some issues. This is where Place believes that the cyber expert needs to become the cyber translator.
Understand the business, ALL of the business
Another area where experts often fall down is their lack of understanding of the business. Many have spent a considerable amount of time understanding their subject. However, if they cannot place the risks in the context of the business, there is no guarantee the board will understand them. Place said: “Cyber experts also need to understand the business. They need to do this in order to help the business understand and mitigate the risks because each business will have different risks, so the cyber response will be different.”
The response to risk should also be proportionate, and the level of risk will determine where resources are deployed. The examples given by Place are: “If our Real Time Gross Settlement system is down, even for a matter of minutes, that can have a big impact on the financial sector. If our internal website, our intranet, is down for five minutes, it is not going to have such a big impact. So, we take a risk-based approach to where we’re putting our expertise.”
Place also says that the board will be looking to see how information is shared with the rest of the business. This is another area where the cyber expert needs to become the cyber translator. Business units need to know the risks they face and that can only be done effectively if those risks are explained using their language.
Who is the expert talking to?
Boards are complicated things. There are generally two groups of people. One group is employed by the organisation and is focused on the business and their areas of control. The other group are non-executive directors. These are external individuals who have deep experience in their own businesses and market areas. Both groups need to understand what cyber risk means to the business.
The challenge here for the expert is to know the audience, what each is concerned with and how they want to receive information. Most boards are busy. The larger the organisation, the less time the expert will have to make a case.
In terms of the BoE, Place says: “They’ll typically have between five and 10 board meetings a year. Those meetings will be crammed with lots of other decisions, lots of emails, lots of paper, lots of information. So you won’t get much time at the formal board meeting to talk about your security concerns. So think about how you might do that outside the board meetings: what teach-ins do they like? Face to face, written briefings, ad-hoc briefings, responses to incidents, et cetera. And talk to peers in other companies, how do they talk to their board? What do they use in order to give them that context, to give them that reassurance?”
One solution that Place offers is teaching outside of the board meeting. This can be targeted at individuals or groups of individuals. It can be focused on specific areas of concern, which means the board member(s) will be motivated to learn.
What does this mean?
If picking the right expert to advise a board is difficult, then being the right expert to advise a board is doubly so. Just because you have deep knowledge of your subject does not mean you can advise others. There is much more to being an effective expert resource than what you know.
Talking about her own experience, Place said: “From my security leaders, I had regular teach-ins, I had floor walks, I had to go out to flash meetings when I needed to get up to speed quite quickly. I like face to face briefings, but I’m very happy with email. I always say to people to keep it short, no jargon; if I want to ask more questions, I will, but don’t give me a 60-page brief to read just before a meeting. Just give me the key points and then have a face to face.”
It was clear from the reaction in the room that Place had hit a nerve. There were a lot of people nodding vigorously as she talked. It would be interesting to know how many went away to rethink the experts they were using. More importantly, how many experts in the room made notes on how to engage better with their clients.
The key message for everyone from Place is: “Know your subject, understand the business concepts and know the audience to whom you’re speaking. Get the board and every employee to understand information security and their role in it. By sharing your knowledge, you’re going to reduce the risks that your business faces and therefore, you’re going to become a much more effective cyber expert.”