The National Cyber Security Centre (NCSC) is working with businesses to recognise and resolve gaps in boards’ knowledge through the production of a free toolkit. So NCSC Chief Executive Officer Ciaran Martin told the Times CEO Summit 2018.
The NCSC, which dates from October 2016, says that it has been working with boards as focus groups to see what support is needed for board members and staff who report to them are able to recognise threats, enable discussions and implement appropriate measures. Among feedback from those focus groups was that existing guidance on cyber security is too dense to grasp.
Ciaran Martin said: “The toolkit will deliver the expert guidance boards tell us they need to ensure cyber security is on their agenda. The consultations so far have included several major companies, and we would encourage any businesses to send their thoughts on how the toolkit could best help them. Questions over cyber vulnerabilities should be as robustly discussed at a board level as physical security or financial risks. We are committed to working with boards to ensure this happens.
“Once the toolkit is published later this year, we hope it produces a common set of guidance that will act as a core reference library and ensure there are no barriers preventing UK boards from preparing for cyber threats.”
Any businesses who want to have their voices heard can give their feedback to the NCSC by email to [email protected].
While primarily aimed at large companies, smaller businesses will be able to tailor it for their particular sector, the UK official cyber centre says. The NCSC has already published a cyber security Small Business Guide. The toolkit will be regularly updated, and will be published for free on the NCSC website.
The NCSC is also collaborating with the Research Institute in Science of Cyber Security (RISCS) on two-year research to understand more about how to support boards in managing cyber risk. The outcomes of this research will inform the NCSC’s future work in this space.
Ciaran Martin added: “This is not about dictating how boards should implement cyber security – we want to help companies implement the best approach for their specific organisation. We also want our toolkit to be useful to those feeding into the board, such as IT workers. By putting the risks in the same language and framework as broader business risks, we hope to help them have more effective discussions with the board members at their companies.”
More from Ciaran Martin at the NCSC website.
