The BCSF is often asked ‘what does good look like?’ The simple answer is ‘whatever protects the things you care about’. This means that, while there is some good practice that applies in most situations, ‘good’ cyber security for one organization may not be ‘good’ for another. ‘Good’ cyber security has to work for you; it has to be appropriate to your systems, your processes, your staff, your culture and, critically, has to be appropriate for the level of risk you are willing to accept.

• Embedding cyber security into your structure and objectives Cyber security is not just ‘good IT’ - it must enable your organization’s digital activity to flourish. The role of cyber security is to enable the organization’s objectives and, increasingly, enable competitive advantage. It should be adding value to your organization rather than hindering progress. This requires a positive cyber security culture and appropriate investment and management of cyber security.

• Growing cyber security expertise As the demand for cyber security professionals grows, you need to plan ahead to ensure your organization can draw upon expertise. Cyber skills are already in high demand, and the Global Information Security Workforce study estimates that by 2022 there will a shortfall of 350,000 appropriately trained and experienced individuals in Europe. Organizations must take steps now to ensure they can draw on cyber security expertise in the future.

• Developing a positive cyber security culture Board members should lead by example to help promote a healthy cyber security culture. Without a healthy security culture staff won’t engage with cyber security so you won’t know about these workarounds or unofficial approaches. So not only will you have an inaccurate picture of your organization’s cyber security, but you will also miss the opportunity for valuable staff input into how policies or processes could be improved.

• Establishing your baseline and identifying what you care about most Understanding what technical assets you have, and how they’re critical to your organization’s objectives, are both key to effective risk management. Your crown jewels are the things most valuable to your organization. They could be valuable because you simply couldn’t function without them, or because their compromise would cause reputation damage, or it would incur financial loss.

• Understanding the cyber security threat Organizations face different types of threat, so each Board’s approach to cyber security will vary hugely. Understanding the threats faced by your organization, either in its own right or because of who you work with, will enable you to tailor your organization’s approach to cyber security investment accordingly. You need to consciously make the decision about what threat you are trying to defend against, otherwise you risk trying to defend against everything, and doing so ineffectively.

• Risk management for cyber security Good risk management will help you to make better, more informed decisions about your cyber security. Compliance and security are not the same thing. They may overlap, but compliance with common security standards can coexist with, and mask, very weak security practices. Good risk management should go beyond just compliance. Good risk management should give insight into the health of your organization and identify opportunities and potential issues.

• Implementing effective cyber security measures Put in place defenses that will protect your critical assets against the biggest threats. Implementing good cyber security measures is not only a key part of meeting your regulatory requirements but will also help reduce the likelihood of a significant incident. Implementing even very basic cyber security controls will help reduce the chance of an incident.

• Collaborating with suppliers and partners Cyber attacks on your suppliers can be just as damaging as an attack on your own networks. All organizations will have a relationship with at least one other organization, be that the provider of your email service, or the developers of the accounting software you use, through to your traditional procurement supply chain. Most organizations will be reliant on multiple relationships. Each of these relationships will have a level of trust associated with them, normally some form of access to your systems, networks or data.

• Planning your response to cyber incidents Good incident management will help reduce the financial and operational impact when they do occur. Incidents can have a huge impact on an organization in terms of cost, productivity and reputation. Being prepared to detect and quickly respond to incidents will help to prevent the attacker from inflicting further damage, so reducing the financial and operational impact. Handling the incident effectively while in the media spotlight will help to reduce the impact on your reputation.

• Board toolkit: five questions for your board’s agenda A range of questions that the BCSF team believes will help generate constructive cyber security discussions between board members and their CISOs.