Cyber resilience needs clear accountability from the top
In January 2024, the UK government launched a consultation on a proposed “Cyber Governance Code of Conduct”: its design, how to drive its eventual uptake, and whether some form of assurance process against it is needed.
Cybersecurity governance is a topic on which I have written at length over the years, and while it is a good thing to see the UK government throwing some weight behind the topic, for me, the approach raises a number of questions.
First, does the industry really need another checklist of some sort at this level?
The proposed “Code of Conduct” openly acknowledges that it draws on existing good practice, and indeed, it offers a good and comprehensive summary of it.
But fundamentally, this is a body of good practice that has been evolving for the best part of the last two decades, so the question remains why Boards that have failed, or been reluctant, to engage with it in the past would all of a sudden feel more compelled to do so, in particular in a context that remains essentially “voluntary”, at least for now.
The “call for views” argues that, even if cyber threats are more prominent than ever, it is the complexity and fragmentation of those frameworks that have, in the past, been the main blocking factors. That ignores cultural issues and cognitive biases, as well as concerns around the costs involved, internal politics, personal rivalries, shameless window-dressing around compliance, and plain incompetence.
In any case, any top-level executive expecting a significant simplification in the proposed “Code of Conduct” may be in for a surprise, as the “Code” consists of 21 specific and substantial tasks (“actions”) grouped into 5 sections.
None of those “actions” is simple in itself and each appears to assume a certain level of maturity in the underlying organization that simply may not be there.
For example, gaining assurance “that the organisation is resilient against cyber security risks associated with suppliers, stakeholders and business partners” (only one half of action A.5) implies the presence of a specific supply chain management practice across the firm, able to collect the necessary data and report accordingly.
This problem is common to most “actions”: at best, compliance would place a significant reporting burden on the organization; at worst, it would simply be impossible because the underlying organizational structures would be incapable of ensuring it (or would have to be substantially transformed to meet the requirements of the “Code” effectively and efficiently).
In fact, each organization is likely to be at different levels of maturity in respect of the different aspects mentioned in the “Code”, and it is this complex pattern that the Board has to capture, understand and manage in order to govern cyber resilience appropriately across the firm.
In essence, in a manner absolutely typical of the way cybersecurity has been approached for over two decades, the “Code” focuses on the “what” of cyber governance and not on the “how”: “What” needs to be done, and not “How” to make it happen in real life.
In real life, large organizations are siloed, political and territorial. They need clear and unambiguous leadership from the top to be successful with any transversal matter. Cyber resilience embodies that type of challenge.
The “Code” does acknowledge the need for clear roles, responsibilities and ownership at all levels, but action E.1 carefully avoids the word “accountability”. It is unclear how those aspects would be articulated and, in particular, how remedial actions would be driven through effectively when the reporting highlights failures or shortcomings, beyond the “mitigations” mentioned in action E.2.
To me, clear and unambiguous ownership and accountability at the top of the organization remain key here: key to the acceptance of the “Code of Conduct” as a necessary instrument, and key to its uptake across any firm.
I am not just talking about ownership of the various “actions” and their outcomes, but more importantly about the fact that ownership of, and accountability for, cybersecurity at Board level cannot be just a matter of collective responsibility; it needs to be a matter of individual responsibility for one Board member.
It is a topic we have been arguing about in these columns for several years. More than ever, I think this is essential now.
I understand that excessive accountabilities, potentially leading to personal liabilities, have already driven a number of people away from director roles and will continue to do so.
In my view, directorships already carry significant fiduciary responsibilities under current legislation, so I do not think this suggestion represents a major change compared to the burden already associated with Board membership.
The proposed “Code” is a good step forward, but action E.1 is its real cornerstone. Without a sound and accepted distribution of accountabilities across the firm, visibly embodied by one credible Board member at the top, compliance with it will invariably descend into box-checking and window-dressing, like all previous attempts in that space.
JC Gaillard
Founder & CEO
Corix Partners
Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.