Cyber Security Awareness Essential for every Business Leader
Globally, there is a critical need to address the lack of Cyber Security and Information Assurance awareness and capability.
The UK Cabinet Office recently commented, “As a Government, we want to do everything we can to boost the UK Cyber Security sector, domestically and across the globe (and) we need to ensure we have the right people with the right skills coming into the workforce.”
Every business leader needs an understanding of holistic Cyber Security – incorporating people, processes and policy as well as Information and Communications Technology (ICT) – to ensure they foster a culture that protects, values and safeguards information. It is essential for organisations to ensure Cyber Security is incorporated in business strategy, establishing appropriate leadership and governance structures with key roles and responsibilities. This is not just about having Cyber Security and Information Assurance specialists.
The Board Agenda
As much as any other key business driver, Cyber Security needs to be on the Board agenda and seen as ‘business as usual’ in order to facilitate informed decision making. Complacency and ignorance are no longer acceptable, and it is imperative that executives allocate time in their busy schedules to address this training need. It should be a collective responsibility for Boards, and indeed NEDs (non-executive directors), to proactively raise their knowledge and skills in this area. With the right subject matter experts and coaching, de-mystifying Cyber Security can be achieved through some simple and effective steps.
Training and awareness
Core to this is proportionate Cyber Security training and awareness for all employees, together with training and development for key roles such as the Senior Information Risk Owner (SIRO) or Chief Risk Officer (CRO) at Board level, who is responsible for delivering this strategy throughout the business. It is critical that SIROs/CROs are equipped with the right training and development to carry out their role in an increasingly dynamic and complex environment: to make appropriate commercial decisions that meet business outcomes, and to ensure the business continues to operate within the law and industry regulations.
The SIRO/CRO will also need to work with the business to identify those who are responsible for key information and provide them with terms of reference setting out their accountabilities, i.e. Information Asset Owners, the owners of information of value to the business.
Similarly, other relevant specialist roles, such as the Chief Information Security Officer (CISO), will also need training to develop their capabilities. It is important to get the right training, delivered by acknowledged experts. One way of ensuring leaders receive appropriate material is to use CESG-certified training (CESG is the Information Security arm of GCHQ), as the Government has been keen to ensure the quality of Cyber Security training.
Information security specialists
In addition to the senior specialist roles, there will also be a need for technical Cyber Security specialists to support the business and enable informed decision making; this is an area identified by both the Government and industry as representing a skills gap. The technical Cyber Security specialists need to build and maintain a professional skills base, so that they communicate in a clear and concise fashion with the business and vice versa. The specialist roles detailed above, from Board level to senior managers and beyond, are not additional duties but a reflection of how business leaders need to change and embrace Cyber Security as part of their everyday roles.
Rekha Babber, Director, Cyber Academy