During the very first Nominet office move in 1999, we moved the entire .uk database and hardware on the backseat of a car. This was the quickest and cheapest way and also the Oxford ring road was usually quiet on a Sunday. It was only later, when I saw the rather decrepit car and the driver’s skills, that I realised how lucky we had been not to have any disasters!
I have though seen several IT disasters during my long career. Of those that I can talk about, one of the most memorable was when Microsoft failed to renew their hotmail.co.uk domain name, due to a simple error by a junior member of staff. All UK Hotmail users were understandably very unhappy to lose their email service for days.
So when cyber security, risk and resilience appears on a Board agenda, you’ll get my attention, empathy and the benefit of my own experience. However, when talking to my network of Board members about how cyber security and resilience is dealt with on their own boards, I frequently hear two main problems with the most common approaches used.
Firstly, why is the ‘scaremongering’ technique so often used to attempt to command both attention and resources for cyber security and resilience? Typically, this takes the form of a slide presentation that begins with scary tabloid newspaper headlines from the most recent breaches. Whilst not all Board members will read tabloids, it rather assumes a lack of current affairs awareness and is a very blunt and naive way of seeking Board attention not used by other Board presenters. The latest variation to this technique is the addition of potential GDPR fines (£ signs with lots of 0’s).
Secondly, I hear complaints that many IT related Board presentations include far too many acronyms, excessive use of IT jargon and technical detail. Whilst we are a long way from having IT savvy Board members on all Boards, my experience has been that increasingly Board members are much more IT and cyber aware than ever before and that you should not need to blind a Board with IT science and jargon.
So, how do you get a Board’s attention and support for cyber security and resilience?
I particularly like the thinking of Dr Jessica Barker on the need to train IT and information security teams in sociology, psychology and communications – “the need to train not just ‘users’ in technology, but also technologists in ‘users”.
Applying this to a Board presentation means firstly thinking about the psychology of Board decision making and understanding what thinking processes take place at this level.
Rather than scaremongering, getting a Board’s attention can often be achieved more effectively in other ways. For example, by benchmarking against competitors, by reference to industry norms or by referencing an existing business strategy or ambition.
Then getting Board support is more than making a good case on the day. Good communications can have a huge positive impact. This might mean, for example, offering pre-briefing to Board members, especially if the subject is complex. It can also mean seeking feedback on draft presentations from both likely supporters and opponents. A very experienced Non-Executive I know calls this “pre-wiring”, so that a Board is warmed up to the subject and proposition, rather than coming to it cold.
Board members also report that propositions fail to hit the mark because they are poorly presented. Presenters should allow time for practice and dry runs with Q&A before the big day, so that they can present with confidence and also at the right speed and tone. Inexperience and nerves can undermine an otherwise good proposition.
Finally, the content of a Board paper needs careful thought. Ideally, it should be as acronym and jargon free as possible. If a simple diagram or picture can be used to convey thinking as well as break up dense text, then that is helpful. Getting input from executive team colleagues that IT would not usually work with, particularly finance and marketing can be very effective.
Lesley Cowley is Chair of DVLA and Companies House, Lead Non Executive Board Member of the National Archives and a Non Executive Director of aql. This article draws upon her personal experiences as an executive and non-executive and those of her extensive network. It does not infer that improvements are needed at her current organisations!