The Director’s Dilemma – May 2023 Edition
Produced by Julie Garland-McLellan, Consultant at AltoPartners Australia and non-executive director and board consultant based in Sydney, Australia.
Contribution by Ralf Nejedl, Partner at Alto Consultants GmbH / AltoPartners Germany, who is a former Managing Director of T-Systems International GmbH and former Vice President and leader of the B2B business for Deutsche Telekom AG Europe.
This edition of the newsletter was first published on The Director’s Dilemma website, where the full newsletter can be viewed and future editions can be subscribed to.
This month we join a not-for-profit board that is struggling to comprehend, let alone discharge, its duty around cyber security.
Chloe is a teacher and recently joined the board of a not-for-profit that provides education and sporting opportunities to adults with disabilities. She is enthusiastic and has been reading some old Company Director magazines that were given to her by a friend.
The board members are predominantly teaching and fitness professionals although the treasurer is an accountant. None of them have business backgrounds and none are particularly into IT.
The magazines have a lot of articles about cyber security and Chloe is intrigued; she hadn’t realised that she could be liable if the organisation got hacked or that there were standards of cyber security that the company should reach and maintain.
Chloe asked the Chair if they could perhaps have a short discussion of cyber security at the next meeting as she thinks it could be important.
The Chair said it wasn’t worth an agenda item but that she would ask the CEO to cover it in her report.
When the board papers arrived, Chloe was underwhelmed to read that the IT was provided by a contractor, all staff had signed the ethical use of IT policy, and there was little likelihood of any hacker targeting the company because it was only small.
The CEO noted that all activities were funded with government grants and there wasn’t any money to conduct cyber-awareness training or to investigate matters further.
Now the board is worried, and Chloe feels that they are blaming her for making them feel uncomfortable.
Given the lack of skills or funds, how can Chloe help her board to discharge their duties?
Ralf’s Answer
When I was a board member for European telecom companies, security was always a top priority due to the critical nature of telecom infrastructure.
However, some may question whether cyber security is also relevant for non-profit organizations. In reality, cyber security is a significant threat to any organization, and small companies are often targets as their security systems may be more vulnerable; any personal and business information needs to be protected, both offline and online.
Ensuring the health and continuity of any business, regardless of size, income, or number of clients, is of the highest importance.
In this case study, Chloe did the right thing in mentioning the topic of cybersecurity to the board - all board members need to understand their roles and responsibilities.
They need to improve their cyber defence by designing and implementing cyber security governance and a technical concept. The responsibility cannot be delegated to any IT support freelancer outside the company. Instead, the CEO needs to take ownership of the cyber security policy immediately, conduct an assessment with a specialist and provide recommendations for improvements back to the board.
The board must then approve the implementation of the new cyber security policies, continuously oversee cyber-risk management, and verify regulatory compliance: robust governance for cyber security must be put in place, and competent individuals must be responsible for the ongoing cyber security management.
In summary: as a board member, it is essential to prioritize cyber security among other crucial topics like strategy, executive appointments, and finance to ensure business continuity. The board must approve cyber security governance and policies, oversee cyber-risk management, and verify regulatory compliance. But ultimately, the CEO must take ownership of cyber security.
Julie’s Answer
No director ever likes to be reminded of the risks attached to their board or company or the possibility of an unplanned-for adverse outcome. Professional company directors have been reading about cyber security for years and we are getting used to the idea that it is up to us to show leadership and help management to protect the company. A board of people who have had no preparation for this responsibility, and who suddenly have it thrust into their consciousness, will almost inevitably react with denial and then anger.
Chloe’s job, as a director, is to positively influence the way her board thinks and acts to serve the best interests of the company. She needs to communicate with skill and consistency. This is an important area for her board and also for the government that provides much of their funding.
The CEO is now aware of a risk that the company has no funding to address. Chloe should continue to discuss the topic with the CEO. She can suggest that the CEO start by asking their contracted IT provider to explain what level of cyber protection the company has and how that compares to the protections at other similar companies. Understanding what current good practice is, and what it might cost, is a useful step for the CEO in moving to a better level of preparedness. Then the CEO can start to talk with the funding government and find out what help is available.
Chloe should keep up with the task of focusing the board on cyber issues and helping them to move from denial and anger into exploration and, hopefully, a well-protected future.