Cybersecurity Training for Boards

Cybersecurity Training for Boards

By Sean Gowing
on July 4, 2023

We’ve all seen the increased headlines around cybersecurity incidents and data breaches and now there are meta-headlines about those headlines. Within cybersecurity circles, we always discuss cybersecurity culture being driven for an organization right from the top, yet the board of directors for our organizations are woefully lagging in awareness. Combining the increased headlines as a rising threat indicator and culture cascading down from the boardroom, the need for cybersecurity training at the board level has become paramount. For example, in the US the SEC is finalizing regulations that aim to significantly increase the requirements for organizational transparency of cybersecurity issues along with disclosing cybersecurity expertise of board directors. Boards are responsible for making strategic decisions that impact the organization’s security posture, financial stability, and reputation. One way to increase the security posture of the organization is to provide appropriate training at the board level. The issue is that the strategy for cybersecurity training generally follows one specific pattern, and that pattern may not be appropriate at the board level.

Presently, many cybersecurity training programs aimed at board members focus on highlighting the worst-case scenarios, potential financial losses, and reputational damage resulting from successful cyberattacks. This Fear, Uncertainty, and Doubt (FUD) approach leverages negative emotions to stress the gravity of cybersecurity risks. Examples of FUD used in training sessions may include:

Fear: Presenting statistics of cyberattacks and data breaches to create anxiety about the inevitability of an attack on the organization.
Uncertainty: Discussing the unpredictable nature of cyber threats, implying that it is impossible to completely protect against them.
Doubt: Raising concerns about the organizations’ ability to understand and effectively address cybersecurity issues, leading to a lack of confidence.

While the FUD approach may prompt some degree of awareness and vigilance, it has several shortcomings:

Negative Focus: The FUD approach centers on the potential negative consequences, which can create a defensive mindset and inhibit innovation.
Complacency: Board members may become overwhelmed by the constant fear of cyber threats and, paradoxically, fail to take proactive actions due to a sense of helplessness.
Short-term Perspective: FUD often prioritizes immediate risks rather than fostering a long-term strategic commitment to cybersecurity.

Importantly, the use of FUD in cyber security training is often counterproductive, as it tends to reinforce organizations’ inclination to do the minimal amount necessary to allow business to continue. Human nature dictates that individuals and organizations often prioritize managing negative risks over investing in proactive security measures. By instilling fear and uncertainty, the FUD approach can inadvertently perpetuate a reactive and compliance-driven mindset, where organizations focus on meeting minimal requirements rather than actively embracing comprehensive cyber security strategies. This minimalistic approach fails to adequately address emerging threats, adapt to evolving attack vectors, and foster a culture of continuous improvement.

The Keep Secure Approach

To evolve cybersecurity training for board members, we need to shift the focus from solely emphasizing risks to recognizing the opportunities and benefits of a robust cybersecurity posture. By highlighting the positive aspects, organizations can:

Establish Trust: In the real world, trust is established through transparent communication, accountability, and reliability. Similarly, a strong cybersecurity practice helps build trust with customers, partners, and investors. Assuring stakeholders that their data is secure strengthens relationships and enhances the organization’s reputation.
Activate New Markets: Many industries, particularly those handling sensitive data, face regulatory requirements concerning cybersecurity. Compliance with these regulations opens up new markets and attracts clients who prioritize data protection.
Increase Speed of “End-Product” Delivery: Integrating security measures throughout the development lifecycle leads to more robust and reliable products. A secure software or service reduces the chances of vulnerabilities and accelerates the time-to-market.

Effective cyber security training for boards should empower them with the knowledge and tools to foster trust and establish a strong position in the business landscape. Rather than solely focusing on technical aspects, the training should emphasize the positive outcomes of robust cyber security practices in relation to their organization’s goals. Boards should be equipped to ask the right questions that highlight the organization’s commitment to protecting sensitive data, ensuring customer privacy, and maintaining operational continuity.

One important aspect of board training in cyber security could revolve around security maturity models, which provide organizations with a structured framework to determine the right level of security aligned with their goals, principles, and ethics. Maturity models offer a roadmap for organizations to assess their current security posture, identify gaps and areas for improvement, and define their desired target state. By evaluating various dimensions of security, such as governance, risk management, technology, and incident response, organizations can gain a comprehensive understanding of their strengths and weaknesses. Through board training, members can learn to leverage maturity models to assess their organization’s risk appetite, industry-specific requirements, and ethical considerations. This knowledge enables boards to make informed decisions on resource allocation, prioritize security investments, and establish a clear vision for enhancing security maturity.

At Keep Secure, we strive to increase cybersecurity knowledge at every organization that we interact with as it is a core value and the foundation of everything we do. We would love to hear from anyone that thinks board level cybersecurity training is an important area or maybe is a concern in their current organizations. We are going to have additional articles coming up in the next few weeks diving deeper into some of the areas mentioned in this article, so be sure to watch out for those and continue to learn how cybersecurity could be strengthened at the board level of your organization.

Contact us to learn more on how we help organizations get their board of directors up to speed on cybersecurity without all of the FUD.

About Sean Gowing

Sean Gowing, a distinguished cyber security professional, has an impressive track record as a CISO at various high-growth companies. Sean brings extensive industry experience and a deep understanding of the global regulation landscape, both current and upcoming. He has successfully worked with numerous companies through M&A activities and funding rounds, providing invaluable expertise in ensuring cyber security readiness during such critical business transitions. Known for his innovative mindset and proactive approach, Sean continually pushes the boundaries of cyber security, establishing robust security frameworks that safeguard sensitive information while driving growth and innovation within organizations. With his comprehensive knowledge and strategic guidance, Sean enables companies to navigate regulatory complexities, achieve rapid time-to-market, and confidently navigate the ever-evolving cyber landscape.