Beatrice on It’s Not If, It’s When: The Strategic Role of Boards in the Cyber Risk Age

The podcast and the article are brought to you by The Better Boards Podcast Series.

Cyber security is a core business risk that can impact the entire organisation. Boards must understand how cyber threats impact financial performance, reputation, and regulatory obligations. Boards must also build awareness of their organisation’s cyber security posture, protection measures, and incident response protocols.

In this podcast, Dr Sabine Dembkowski, Founder and Managing Partner, is joined by Beatrice Devillon-Cohen. Beatrice has over 25 years of investment banking experience, having led traders’ teams across the UK, Europe, Asia, and the US. She has now developed a portfolio of non-executive positions, having recently served on the Audit Committee of the European Investment Bank and the Finance Committee at King’s College, London. She is currently Senior Independent Director and Chair of the Risk Committee at Mitsubishi UFJ Securities EMEA.

“The Rule of Three is important when it comes to cyber security.”

As Boards seek to manage and survive cyber threats, the Rule of Three comes into play. On average, in a cyber event, there are three days of chaos, three weeks of systems rebuilding, and three months of constant IT problems.

“What has been changing over time is the cyber-criminal groups. They are now running their operation as a business, selling cyber attacks as a service.”

The criminal ecosystem has gone professional. While there will always be bored teenagers or disgruntled employees, the more serious players run their operations like business ventures. They sell cyber attacks as a service with deep resources, skilled talent, and vast networks.

“You need to work on mitigation, responding to an attack, and recovering. That’s your battleground.”

While cyber threats can’t be entirely avoided, Beatrice counsels Boards not to despair. There is plenty that can be done. It begins by understanding how threats work.

A main attack path is through links in emails that sound very realistic, especially with modern AI. One click installs malware that hackers can use to gain access. Caution and education can help prevent this.

Another major attack path is third-party providers. External suppliers are compromised and used as a bridge into your own internal system. It’s why so many companies now emphasize third-party risk management.

“Never hope for the best when it comes to cybersecurity, because hope will not be a strategy.”

Boards are accountable for cyber risk oversight (see the UK Cyber Governance Code of Practice). They need to make it a strategic priority. Build relationships with IT heads, show curiosity, and build trust.

Get a strong dialogue going. Educate within the organization and with third-party partners. Create a no-blame culture, so that if something happens, it is escalated immediately, which can limit the impact.

She also encourages Boards to remember the psychological side. The Rule of Three will be in play. Helping executives manage the mental strain, get rest, and keep a clear head is critical for survival.

“It’s our own duty to upskill, stay current, and think around the corner on that subject, like any other subject in the boardroom.”

Cyber culture starts at the top. It is not “too complicated” to pick up basic cyber safety skills or understand risk. Plus, with AI and quantum computing ahead, any actions Boards can take – and lead their companies to take – will help prepare for future risks.

The three top takeaways from our conversation are:

  1. Cyber risk is a business risk. Own it as such.
  2. Don’t hide, as a Board member, behind “it’s too technical and not for me”. Upskill, be curious, and engage with executives.
  3. Prepare for it. Run exercises and test regularly.
