The National Cyber Security Centre (NCSC) has published a toolkit to encourage discussions on cyber security between organisations’ board members and their technical experts.
Named the Board Toolkit, it can be used by anyone accountable for an organisation in any sector, and has been designed around three questions: What should the board do? What should the organisation do? What does good look like?
Its sections focus on an introduction to cyber security for board members, embedding it into the structure of an organisation, growing expertise, developing a positive culture, establishing a baseline and identifying priorities, understanding threats, risk management for cyber, implementing effective measures, collaborating with suppliers and partners, and planning the response to incidents.
In addition, an appendix summarises the legal and regulatory aspects of cyber.
The toolkit also emphasises that good security is about managing risks and that it is important to make well-informed decisions on these.
The move has won the support of IT industry association techUK, whose president Jacqueline de Rojas said: “A common issue in the UK boardroom has been that cyber is delegated to the IT department and does not rise to the surface as a priority until a breach has occurred. Given that a cyber attack is no longer an 'if' but more likely a 'when', board members need help with guidance on what to protect and how to go about it.
“Put together with input from a selection of boards from diverse sectors, this NCSC toolkit is a practical resource for board members and their CISOs. To help identify best practice and better understand how to articulate and discuss cyber investment decisions in the boardroom.”
The publication comes soon after the NCSC launched a new website in beta format with the aim of extending its use beyond security experts and large organisations.