A board director’s role in overseeing cyber security risk

The importance of effectively integrating the governance of cyber security into a company's overall governance framework is a key board role. A key concern for businesses in every sector for many years, the need to be vigilant in the face of ever-more sophisticated risks is increasingly vital thanks to the acceleration in AI technology. While experts in cyber security are clearly needed to combat risks of attack, it’s essential that at a board level, there is enough understanding to be able to ask the right questions in order to understand any potential risks..

This is the aim of a short programme offered by the Institute of Directors (IoD) Ireland. Led by Chief Information Technology Officer expert Bill McCluggage and featuring several prominent industry expert guest speakers, including; Joseph Stephens, Director of Resilience, National Cyber Security Centre, Ireland (NCSC-IE); Colin Rooney, Partner, Technology and Data Privacy, Arthur Cox LLP; Dr. Valerie Lyons, Company Director and Chief Operations Officer, BH Consulting; and Elaine Hanley, Partner, IBM Cybersecurity Services Ireland and UK.

Cyber security governance

With cyber security such a vital concern for businesses, it’s safe to say that board directors are aware of, and concerned about, the risks, but are boards in general equipped with enough knowledge to really manage the issue? “Cyber security can be quite a complex working environment to understand the nuances of it,” explained McCluggage. “We, as technologists, don’t help this situation by not explaining it very well. Cyber security is shrouded in this tech speak and acronyms. We need to make this much more straightforward as a business risk. Directors coming on this programme will learn a lot more about cyber security in relation to the areas they already know about, for instance, governance. The technology and the language might be daunting, but good governance is good governance; there’s nothing unusual about governance when we’re talking about cyber security.”

The four programme modules

The programme takes place over four ‘live online’ morning sessions and features an impressive line-up of guest speakers alongside McCluggage. The first session covers Governance, Technology and Cyber Risk, and discusses key business drivers and how to obtain senior management support for a robust technology and cyber security programme. The guest speaker is Joseph Stephens, Director of Resilience, National Cyber Security Centre (NCSC).

The second session looks at Regulatory, Legal and Compliance Matters for Boards, and aims to help participants understand the responsibility of boards to ensure their organisations comply with various regulatory regimes. This session’s guest speaker is Colin Rooney, Partner, Technology and Data Privacy, Arthur Cox LLP.

Capability and Cyber Culture is the focus of the third session, and features Dr Valerie Lyons, Company Director and Chief Operations Officer, BH Consulting, as guest speaker. This session discusses the role of the board in building organisational capability and growing a positive cyber security culture designed for business defence.

Like all short programmes and workshops offered by the Institute of Directors Ireland, the programme offers real world insights for participants and finishes with a practical fourth session, Planning and Incident Response – Board Actions. Featuring Elaine Hanley, Partner, IBM Cybersecurity Services Ireland and UK, as guest speaker, this session aims to create an action plan, helping directors equip themselves with the tools they need to plan for a potential cyber security incident.

Each session is led by McCluggage, an experienced Managing Director, IT Director, Chief Information Officer (CIO) and Chief Technology Officer (CTO), who in the past has worked as Head of Information Security at Open Banking and Irish Government CIO within the Department of Public Expenditure and Reform. He is currently Chair of the Northern Ireland Fraud Forum and Chair of the Audit Committee at the University of East Anglia.

“Our aim is to enhance a director’s expertise and knowledge of cyber security, and specifically to their own organisation,” McCluggage added. “We want directors to be able to ask the right questions to their executive teams to be able to assess the risk and threats of any cyber security incident to the organisation’s business resilience, operations/performance and long-term brand and reputation. And, bearing in mind that cyber risks are no longer an ‘if’, they’re a ‘when’, we want them to plan incident responses and identify their own priority systems, and how you can cope if these were attacked.”

IoD Ireland CPD Framework

As the foremost voice in the debate on improving governance standards, IoD Ireland is dedicated to developing and improving the effectiveness and performance of directors and boards throughout Ireland. In October 2023, the organisation launched a new CPD framework for directors, c-suite and senior executives, and boards to drive higher standards in corporate governance in response to the ever-evolving policy, regulatory, macro-economic and governance environment in Ireland.

The CPD framework includes four key dimensions: Governance Framework, Technical Knowledge and Skills, Creative Strategy Formulation, and Psychology of the Boardroom. This cyber programme is part of the technical knowledge and skills dimension, and is eligible for 12 hours of Chartered Director CPD. This programme may also be eligible for other professional body CPD. Check with your relevant professional body.

Learn more

Cyber Security Fundamentals for Directors is a four-session short programme offered by the Institute of Directors Ireland. Book now via the IoD Ireland website.