
So I'm a non-exec director at the University of Westminster. I've been on various boards over the past nine years, including the UK Cyber Security Council. And a few years ago I co-founded a nonprofit called Cyber Governance for Boards, because what I was seeing at board level, or rather what I wasn't seeing at board level, was engagement with cyber security. So I just want you to know that today I'm here talking to you guys about the board, but I spend most of my time talking to them about why they should listen to you. So I'm on your side. That's why I'm here.

Right. So, put your hands up if you think your organization is doing enough of all the right things to keep itself secure. Okay. Optimistic. Thank you. So, a lot of us spend a lot of time being frustrated with the organizations we work for or with. They don't listen to cyber professionals. You guys often know the business way better than anyone else. They often fail to put in the investment needed. Slow change, loads of bad decisions, loads of unnecessary risks. So we often end up bashing our heads against the wall and asking, you know, who do we complain to around here? Who is actually the decision maker here? And that's why increasingly the role of the board is really coming under scrutiny now in cyber security. And we feel like if we can only get these guys to listen to us, that's what's going to make the difference.

We're not the only ones who think that. Government also thinks that if only it can reach boards, it might be able to unlock some positive change. So after the JLR attack, the government actually took quite an unprecedented step of writing directly to the chairs of the boards of the FTSE 350, with a letter explaining why they should actually give a [ __ ] about cyber security. So that was good. So, you know, it's absolutely rising up the agenda, and regulators do as well. So this is from the Cyber Assessment Framework, which gets used in the UK by the public sector and critical national infrastructure. It's being rolled out to more and more organizations, and there are similar things in other frameworks as well. What's interesting about the CAF section A1.a, board direction, is that it envisages a board that is really engaged with cyber security. This is a board which is having frequent, very serious, very well-informed discussions on relevant topics. It's making good decisions. It's taking responsibility. This board is removing all the barriers for the infosec teams. You know, it's really supporting them. It's doing its job. You've got other frameworks like NIST CSF, which isn't quite so specific about the board's role, but then has a new governance tier, and that certainly touches on a lot of this. Okay. So there is definitely a view out there of what decent cyber governance looks like. And the final piece in the puzzle: most recently government has also gone further and issued a Cyber Governance Code of Practice. My organization was involved a bit in this. This was released in April this year, and this is really specific about the role of the board. It speaks to the board's responsibilities. I'll talk a bit about it later. It's not mandatory for anyone anywhere yet, but I certainly hope it will help.
So, here's the challenge. We've been talking about this kind of ideal board, a council of wise men and wise women who are there to take away all the barriers, who are there to make great decisions about important things. Now the problem is that your average board just doesn't really work in that way. It's not a council of wise men and wise women who are there to make decisions about important things. I think we often have this view of the board as basically just sitting there waiting for us to take our important problems to them, and if those guys are doing their job well they're going to listen, take it seriously and hopefully say, "Yes, I agree." But that's not really what it does.

So board directors have got very specific duties which are set out in legislation. The board has got its own job to do. It's a function in itself. It's got its own job to do which is unique. No one else in the organization can do it. These are unique responsibilities of a board, which means no one else in the organization is allowed to take these decisions. It approves the high-level corporate strategy and the budget. It approves significant transactions and strategic decisions. By that, by the way, I mean things like mergers and acquisitions, really significant financial transactions. It signs off the accounts. It oversees strategic risk and financial management. Not all risk, strategic risk. And various regulations demand that it approves other stuff. So for example in the higher education sector, which the University of Westminster is in, our regulator decides that there is an absolutely massive stack of things that we need to approve. Arguably, to my mind the most important thing a board actually does is it hires the CEO and fires them if necessary. And that is because the really key thing you need to understand about a board is that it delegates executive powers to its CEO and through them to the wider organization.

So the irony here is that you could go to the board and present all the stuff you wanted to do. You might tell them, "This organization really sucks. It's doing all the wrong things, none of the right things. We need to make a change out here." And the thing is, they might even agree with you, but ultimately they have delegated to the CEO and the senior staff. So it's relatively common that boards might have a few doubts, but the logic of delegation goes that they have to trust the CEO and their senior staff to get on with it, and that tends to go on until something goes really, really horribly wrong. So it's important to keep that in mind, because you've got that middle layer which you're always having to work through, and that is a bit of a challenge.

So the board's got its own unique job to do. A board meets maybe once a month at absolute best, often less frequently. There might be committee meetings, but still maybe once a month at best. The only exception to that is times of crisis. When that happens, boards tend to become quite active. Sometimes in a really troubled situation you might even be having daily board meetings, weekly board meetings. I certainly did that through COVID, for example. Another thing to know about the board is that its job is getting bigger really, really quickly. It's like what's happening in the security field as well, and boards are really struggling to keep up. So with the amount of regulation coming in now, for example, the amount of scrutiny, the amount of media focus, the way that things can just blow up, geopolitical instability, all of this stuff contributes to a much more feverish atmosphere. Your average board is not a calm place of considered decision making. It is a messy, confused place. Boards are ultimately accountable for everything important that happens, but obviously they can't be over everything. It's really, really important.

So, you know, we think the board should be spending a lot more time thinking about cyber security. But do you know what? That guy over there who's in charge of whatever it is, facilities or HR or anything, he thinks exactly the same. And she wants the board to be focusing on investment plans in a completely different area, and you know what, some of those guys also think that you're blockers, you're part of the problem, you're not helping them do their job. So another thing to know about a board is that all the questions, the trade-offs, the conflicts you get in your average organization, the board is where they end up. If they were easy enough to be resolved lower down, then that's where they would happen. So the stuff that ends up on the board table is often intractable and difficult. So it's absolutely impossible for a board to be over absolutely everything. And you get all sorts of information asymmetries.

Some boards have got very formal, really well-established governance. You find this in particular in listed companies, in the public sector, in charities as well. So these boards have got lots of structure. They often function quite well, quite well organized, but they are also very often totally swamped in paperwork. These kinds of board directors have stacks of paper as long as your arm to read for each board meeting. And because of that, because they don't have any more time than anybody else, there's lots of tick-box approvals by default. A lot of stuff just doesn't get discussed. Much less strategic discussion than you might expect. Other boards are at the other end of the spectrum. Other boards are really chaotic and have much less formal governance, if any at all. You tend to find this in smaller organizations, private sector. These organizations' boards are typically really driven by income, so short-term financial considerations, and they can be really political as well. Lots and lots of director shenanigans. Okay. So all boards are different from each other. It's worth having a think about what kind of board yours is. But the common factors: they're all really strapped for time and they're not paying a huge amount of attention to the details.

So, what does your average board member think about cyber security? I mean, I don't want to generalize too much, but it is fair to say that your average board member in the UK is older, not from a technical profession, probably with a financial background, accounting background, sales background, that sort of thing. And they've absolutely noticed the headlines. Of course they have. They read the papers like anybody else. The headlines have been helping recently, haven't they, sadly. So they've definitely noticed, but that does not necessarily mean your average board member is in a place to be very helpful. Because what we're dealing with is what's natural for a group of people who are not technical specialists: ignorance and fear. It's exactly the same as any normal human being who is not really deeply immersed in cyber security. And someone who's being driven by ignorance and fear, well, how do they behave? There are typically a few paths they can take to deal with that discomfort.

They could take the high road. They could say, "Well, this feels pretty uncomfortable right now. Maybe I should get curious and just learn some more and overcome my reticence in asking questions." You know, loads of normal people hate asking questions. They think it's going to be a stupid question. They're going to be laughed at or snapped at. Someone's going to make them feel stupid. This has happened to senior people loads and loads of times when just trying to get to grips with technical subjects like cyber security. It's worth bearing that in mind. So, "Shall I push myself out of my comfort zone, get curious and learn more?" We hope that board members will take the high road and do that.

However, there are two other classic bits of human behavior when faced with a threat and with ignorance. Some people will rush in. They'll want to bridge that gap by taking charge personally, and that leads to micromanagement. Boards can be really unhelpful when they're anxious. I'll talk a bit about this later. They can really move into micromanagement mode, and you can have the situation where every board meeting they're giving you the latest things they've heard from their board director mates and the latest pitch they've had from some opportunistic vendor, and they're asking you if you've implemented whatever it is. It's not helpful. Or the most common one: often when we're really uncomfortable about something we just try and forget about it, and this I would say is probably the most common approach, certainly up until now anyway, and this is really driving why so many boards have just not been engaged at all. It sounds slightly scary, they don't know anything about it, they're happy to let you get on with it, which is fine as far as it goes.

So there are structural issues as well for why boards are often not very helpful. There are two sets of issues here.
One is about how board risk oversight works and another is about the people issues and the cultural issues. So take those first. So as I said, your board works by delegating executive power to the CEO and through them their wider team. So the board is saying, "Well, look, here are some guide rails. We've established the strategy, we've established our strategic goals, we've set the budget. Okay, we've got all those good things in place, and now within that, you go and get on with it, CEO." So, here's the problem. When it comes to issues where you have this asymmetry of information, where the board just has much less information about what's going on in the organization than the CEO, there can be real issues in boards actually being able to manage a CEO at all. And this is really, really common. So in theory the non-executive directors are there specifically to keep the organization safe and on the straight and narrow, especially for risk oversight, but it is really difficult, because with the best will in the world, they can ask really great questions and it's always hard for them really to get the plain, unvarnished truth.

And then I think the other really underrated factor is looking a layer down now. So if we have a bit of an issue between the board and the CEO, how good is the CEO at managing the CTO? So I'm guessing that probably quite a lot of you come up against this problem, because you're reporting up into senior technical people who then have a job of work to do to manage up themselves, and you've got lots of intermediaries in between you, and they may or may not be helpful. They may or may not be prioritizing cyber security. And again, your average CEO, certainly outside of the tech sector, is often not technical, and lots of CEOs are just not confident about managing technical people. So you've got a basic layer of supervision missing there.

Then of course we get the big one, which I know all of you have seen, which is the concealed trade-offs. This is where you're having to fight with service delivery teams who want to push their crappy product out to market next week and you'd much rather they actually didn't. Thank you. And this kind of thing happens all the time. The organization has decided it wants to make an acquisition. You're like, sorry, has anyone done any due diligence? Should we just have a look under the bonnet and see what's going on? I'd like to hear your stories afterwards. So we get these all the time, where the dynamics of business are really pushing against the dynamics of security, and it's the business itself and what it wants to achieve. There's a fundamental conflict there, a trade-off. There are two good things we want. The business wants to grow and you also want to be secure. And too often when it comes up against it, security goes out the window. And I mean, it's natural, isn't it? It's because until very recently business leaders weren't seeing examples all around the place of massive established organizations just falling flat on their faces. They weren't seeing that. That was why they felt comfortable to deprioritize security.

But what happens with this stuff, these concealed trade-offs? They get resolved way below the board level. Now take the acquisition one, for example. If the board has said our growth strategy is to acquire lots of other companies in our sector, and they haven't thought about security, which I can pretty much guarantee they won't have done, they've said, well, this is our strategy, this is what we're doing. And so when you come up against that issue, the question gets asked many layers below board level: what are we doing about assurance here? It gets resolved in fights between middle managers or senior managers. It's not making it to the board. Now to me that is a strategic issue. The board should be taking responsibility for that. They should be taking responsibility for the consequences of their decision. It's not appropriate for that sort of stuff to be handled below. But there you go. That's what happens. And then our good old friend blame culture, which is still such a shockingly common thing. Something happens and then we all just wait for the CISO to be fired, right? I find it really quite upsetting. This is still a massive thing.

Okay, so all of that bad stuff happens. But then if you look outside the people issues, there are lots of things around the way that risk committees and risk oversight at board level work which are really unhelpful. Risk committees often don't have technical expertise. Increasingly the big ones, the good organizations, are starting to get it, which is really helpful. But then the really big one is nobody has quantified cyber risk. So you probably have a strategic risk register. Very often cyber security is one entry in the risk register. Not helpful. Very often an organization won't have thought seriously about risk appetite or risk tolerance. I hear this so often from board directors. They say, "Oh, we've got zero appetite for cyber risk." I'm like, "Switch the computers off then." And then the landscape is changing so quickly anyway. So how do you do board-level risk management when the threat landscape is changing so quickly? Board risk management and risk oversight tools are designed for a world of quarterly committee meetings, right? Not where the situation can change dramatically from one month or one day to the next. So how do we deal with that? And then you get the classic optimism bias. I mean, RAG ratings to me just absolutely suck. But we're stuck with it. This is how boards do it. So again it goes back to that risk quantification piece. It's one particular area, one professional discipline, that I think really needs to seriously take off in maturity, and very soon, because it's causing a lot of damage, the fact that we just don't have that. Because if you can't say how much a cyber risk is going to cost the organization, you're just giving them a total free pass to go, "Oh, we're spending quite a lot of money, aren't we? That's fine." Yeah. But you can't put a figure on it.
Okay. So, lots of bad things. I'm sorry for being so negative. Why should you care? Well, the board sets priorities. So all of those trade-offs, those conflicts we talked about, the board should be able to unlock that stuff. The board has to take responsibility for these, and frankly make your job a lot easier. The board obviously can unlock investment. They can sign off funds to give you a more fun job and let you do more of the stuff you wanted to do. On the negative side as well, the board can get you fired. Or rather, they can set a culture in which it is seen to be culturally acceptable to make technical professionals responsible when things go wrong. Okay, that is not acceptable. But there you go. You do get it in some organizations.

So what can you do about it? Well, your first priority is to make it matter. I cannot tell you just how little of your day-to-day jobs and what you're actually doing actually gets up to the board level, as much as to get them to notice. You might get, on occasion, the ability to put one slide into a board pack, which is not going to be discussed, by the way. It will be slide 49 in a pack of, I don't know, 300 or something, at best. So you've got one slide. What do you say? Well, the first thing is, it's always tempting, isn't it, to use fear to grab attention, and there are plenty of scary headlines around at the moment, lots of scary statistics. It only goes so far and it stops working after a while. And these guys are already scared. They already read this stuff in the press. They might be ignorant, but that doesn't mean they're necessarily stupid. Remember, these guys also, especially the non-executives, their job is to be professional skeptics. Their job is to actually kick the tires on stuff and question the CEO and say, "How do we know this is true?" And they will also apply that to you if they think that you're exaggerating. So focus on what you need them to do for you. That's really important. Know what you need them to do for you. And a useful test for any information you put in front of a board is this: So what? So what? Who cares? Here's some information about the number of vulnerabilities we patched. So? And then what? Here's the number of attempted attacks. Again, so what? It was this number; what number should it have been? Who cares? What does it mean to us? Here are some activities that we're planning to do. Great. Why? Why are you doing this? Why are you doing this and not that? So whatever you want to tell them, stop yourself and say, so what? What does this mean for them?

Okay, priority two: make them take responsibility. This is really important. You know this better than I do. Risk acceptance by default. No one's talked about it. No one's put the risk on the table and said, here are the consequences. So it's accepted by default, isn't it? Nobody has ever said, "Okay, yeah, we see this bad thing is going to happen. We could choose to address it. We're choosing not to, and that's fine. We're accepting that risk." That so rarely happens. And unfortunately the other thing that's wrong but always happens is blame, as we know. It's a classic one, isn't it? The organization will be carrying all sorts of risk, which again you guys are all over, and somehow those guys at the top who are responsible are never quite aware. So make them take responsibility. And this is where documenting stuff is so important. You need to identify the bad business decisions. So the decisions not to act on something. The decision to allow that business unit over there to get away with some insecure practice they've been warned about. The decision to wait until next FY before patching this thing, or whatever it is. And document these things, because most of the time they're not documented. They're decisions by default. Nobody's ever talked about them. They were decisions all the same. So identify them, pin them down, spell out the consequences. So I say: because of this decision, this is what might happen.

I hate to use the British Library as an example, because actually they've been great and they've been so transparent, haven't they, about what happened there. But the thing about the British Library was that they were really well aware of the vulnerability, and they had actually identified there was a mitigation project that needed to be done. Budget was put aside. They decided to start work next FY in May, and they were attacked the previous October. That's just totally gutting. Now during that period, between let's say the previous August and May, had anybody said to the board, "Did you know that during this period we're exposed to X, Y and Z happening until we patch this thing?" I'm sure they hadn't. It would probably have been reported as a positive thing: actually, we've decided to patch up this old infrastructure, it's great, it's part of our transformation project. It was never spelled out to the board that they were actually responsible for whatever it was, nine months of being wide open to attacks. So, spell out the consequences. Cover your ass. It's really important.

Okay. Priority three: you need a strategy. So the thing about a board, right, is they really hate to see a vacuum. And I say this as a board member myself. I remember so many times over the years when I've just had a sense we've asked lots of questions about something that seemed important to us as board members and we get flannel back, or we get nothing, or we get blank looks. The CEO just doesn't seem interested, or even worse the CEO is interested but the team below is not particularly. And the thing about board members is when we see a vacuum, when we see that something needs to be done but there's no plan, what happens is that's when we step in and start micromanaging. We start being really annoying. We start to make helpful suggestions. So if you don't have a strategy, you should expect somebody to make one for you, and it won't be a strategy. It will just be a load of really annoying demands, different ones every month depending on what's in the headlines. Okay? So a strategy does not have to be anything super-duper exciting. All it does is set out what activities you're going to prioritize. So what does your program look like? Very importantly, why these things, not those. How are you going to do it? When are you going to do it? What do you need to do it? That's it, really. You could write it on a page if you had to. But have a strategy.

This is a little snippet from the Cyber Governance Code of Practice, which is really useful. So these four actions here are actually for board members. Here they are asked to gain assurance that the organization has a cyber strategy. So they should be asking whether you've got a strategy, and as you see here, it also asks them to make sure that that strategy is actually aligned with the wider organizational strategy. So again this goes back to that piece about conflicts, doesn't it? If our strategy is to grow by acquisition, well, our cyber strategy has got to be aligned with that. So it's going to have to include a lot of those risk assurance elements. There's a piece here about cyber risk appetite, which is great. Honestly, show me the organization which has done really great board-level work on this and I will buy them a drink. There's this piece about effective resource allocation. So there's any number of things we could spend money on, right? We could buy more kit. We could get more people. We could do this. We could do that. So we're going to focus. We have to focus. There's always going to be limited budget. So why this and not that? So resource allocation, that's important. And finally, are we actually delivering it effectively? And this is another piece which is really important. I mean, every board I'm on, I ask these questions. I say, is our team actually capable of doing this? Do we have enough people? Are we paying them enough? Do we have the right mix of roles, or have we got three guys who are absolutely run ragged, always firefighting, can't see the wood for the trees? Are we actually supporting our teams well enough?

Okay, so the last priority: you need a translator. So there are so many talks now, I think, on how to talk to the board, and I do think there is a bit of a tendency to assume that talking to the board means adopting this kind of bland corporate [ __ ], and it's not that at all. You don't need to suddenly start talking like ChatGPT. There are specific disciplines, I think, in cyber security that really help with this translation thing. And number one, like I said, is risk quantification. That is so important. Because if you can cost up some of these specific risks, then that is the language the board speaks, and they can start then to work out if the plan you're suggesting is worth it. If you haven't put a figure on your cyber risk, but you're asking for, you know, 5 million pound investment plans, I mean, they're going to start sucking their teeth and going, "Well, how bad can it be? It doesn't sound too serious to me." So show them the path to losing 50 million pounds. You know what I mean? It's so important.

And then the other ones which we don't talk about enough, I think, are audit and assurance. So this code of practice has got, I think, 16 actions, something like that, and 14 of those start with the words "gain assurance that". So that's really important. Boards don't do anything, but they're supposed to ask a lot of questions, and this piece about assurance is really important for boards. So a decent board is always going to be asking for assurance, for evidence, independent evidence, that something is the case. And this is what really sets apart a high-functioning board. You may not have a high-functioning board. You can still support them to do their job with assurance. So think about how you're going to use things like external specialists. What kind of evidence is actually useful for a board? I once sat on a board where one of the directors was part of a massive organization, so they donated a pen test to the charity, which was very kind. And four years later the charity was still working its way through the list of suggested actions, which was, you know, great, but... So go and talk to your board about what kind of external expertise there is out there. There is this whole cottage industry. A lot of larger organizations use internal auditors, and these started off as accounting firms, really, but have branched into all sorts of areas including cyber security. It can be great; it can mean that you get someone who's a generalist writing these reports, marking your homework. So get involved, find out who the board is talking to. Get involved in assurance, and the same is true for audit as well.

Okay. Well, that is basically it from me. Good luck. So, a bit about the CXB. We're there to help your board members be better partners for cyber resilience. This is me and my co-founders. So if you have any board members who could do with support or being told the ways of wisdom, just point them our way. It's free to join, happy to help.
>> Thank you Jessica that was great very informative and insightful session and talk. I'm sure people have some questions. So I would like to to raise your hands a little bit. Michael,
thank you very much for that. That was really interesting. Actually the code of conduct paper I had to do a gap analysis against recently in our team. Um I am interested in the opinion of middle managers who get in the way. So the ones who have done their own castle building, who have pushed their own agenda and when you talk about cyber risk, they're actually the ones running the fear and they're trying to control the narrative with their own seauite and their own departments. Uh and because they are more money driven and more uh in the ear of the CEO and so forth, what can we do about the middle managers apart from push them off the building?
>> Yeah, they're the absolute worst. Yeah, so this is where it's really good to try to build relationships sort of horizontally across the business, right? So if your boss or your boss's boss is a blocker, then maybe your peers have a boss that's a bit more helpful. So I was chatting with a CISO recently who reported into the CTO, exactly those issues, and he was building a good relationship with the CFO in that case, who was sort of sympathetic. It might not be the CFO; just anybody within touching distance of the board is good. If you have opportunities to talk to other
line-of-business leaders through your work. So for example, the people who are working on cyber awareness often have those opportunities, which are good. If you have opportunities to run workshops, for example for the wider business, they can be really useful. And, you know, if you're talking in terms that are really specific to your company, so you are linking your activities to the strategy and the activities of the company, that will help other senior people in the business to hopefully, you know, start to get interested. And then what you really want is pressure to start to be applied on that unhelpful middle manager from
their peers and from up above. >> Good luck. >> I'd love to hear some war stories as well. Oh, we've got another one. Okay. Yeah, some war stories. >> I'm just... Well, it's really interesting to see what you've got up there in terms of how it affects board culture. I'm working on an Innovate UK project called Cyber Cake. The name is intentional. And we found a lot of the same things. I was playing bingo with our own research over here. Just like fear, accountability, blame, ineffective risk perception, where's that one gone? Resources, time pressure. Everyone's under time pressure. And finally at the top we
got, like, social influence and cultural norms, in that basically those are things that people don't really understand. But we were looking at this not from a board level but from a public perception, and actually what we're seeing is that it's not just senior leaders; the public at large don't get the risks and don't have the time to address it. One of our major things, and I'm getting to the question, one of the major things that we found was that also training is ineffective. So with that kind of clear, present need for training, how do we train board and public to be ready for cyber threats? >> Right. Oh my god. Are you a plant? Because
actually, yes. Right. Because one of the things I didn't mention here is CXB is also working on an Innovate UK-funded project. Is it Cyber Local? Is it, by any chance? Cyber Local. There you go. Yay. So yeah. So, we're actually developing a training course for boards. So, we're starting to pilot it after Christmas. We're going to be rolling it out with a whole bunch of actual real-life boards. So, we're going to... Yeah, we're going to find out and evaluate it. But yeah, we think it's really important. I mean, this is why we set up CXB. It's because it's like by NEDs for NEDs because, you know, we are
NEDs ourselves. We get it, you know. But yeah, we're also batting for the other side. >> Yeah, let's chat. Yeah. Yeah. Right. Has anyone got any really good war stories? I'd like to hear some. >> Yeah.
>> Hello. I'm in a small public-sector-ish organization that's currently attacking the CAF. It was more of a question about... so I'm kind of junior-ish, but I'm kind of the cyber person who's also attacking the CAF. How would you go, from my perspective, about proposing almost an organization restructure, because the one at the moment doesn't seem to be working for us? Sounds like quite a tough ask perhaps. >> Well, I mean, I suppose it depends whose ear you have, doesn't it? So who you can reasonably influence in the organization. And then what do they have the power to do? >> Yeah. I mean, I'm into the head of IT,
who's into the CFO. >> Yeah. Okay. The CFO. All right. Well, that's good. I mean... Yeah. Well, okay, double-edged sword, right? CFOs. Yeah, CFOs are really annoying, but they do tend to be very powerful, and if you can convince them to follow the money... Yeah, so have a think about, see if you can document the outcomes of your current organizational failings. And I think the temptation here is, when you're someone who has spent a while seeing the consequences of failure, it's often really easy just to totally go for it and just lay it all out there in a way which apparently senior
managers often find threatening. You know, no idea why. Yeah. So you point to sort of specific, tangible things that have happened or not happened, you know, and maybe kind of root-cause it like that. And if you can suggest better ways of doing things... I think as soon as you start touching on recommending restructures, it might not necessarily go down well. If you can say, well, it would be very useful if the organization was able to do this, and then, you know, what does the CFO think? Can you, Ms. CFO, see a way to a future in which the organization could do that? What could we
do that would make that happen? Let them draw their own conclusions. There might be solutions also that are not visible to you as well. So yeah, but good luck. >> Okay, we'll take one more, last question.
>> You wanted a war story. >> Yeah, go on. >> So this was... so I work in incident response, but prior to this I was working incident response on a retainer basis, and this was working for a large government organization under an attack, and effectively it had been going on for a while. It was effectively sort of trying to SMS-phish, kind of through social identity accounts, getting, it's like, welfare, all that kind of fun stuff. And we managed to sort of mitigate, contain, put in, you know, sort of a few defenses to make it all kind of work out. And then a while later we ended up talking
to someone of kind of board-level sort of seniority within this government entity. And we were sort of going through what happened and everything that had been going on, and she sort of turned around and said, "But I just don't understand, why are they doing this?" And in that moment I kind of realized that her reaction was one of fear. It was not understanding something. And in that moment what she needed was actually not a response in terms of, like, numbers or that sort of thing. It was a human request for "I don't understand this." >> Mm. >> And so it's like, it's okay, because we don't understand it either. But what we
have done is we've mitigated, we've contained, and we've put in a strategy to make sure this doesn't ever happen again, and that was what needed to be said. And it's remembering the person on the other side of that board is also a human being who is frightened and doesn't understand and doesn't have time to understand, but they want to. I think that's sometimes really important as well, is that when you're dealing with this sort of thing, yes, they are responsible and they have duties of care and diligence and all the rest of it, but they're also somebody who needs to go home at night and know that they actually did a good job that day.
>> Yeah, that's a lovely story. Thank you. And it's so true, isn't it? You see other professions, right, that have been around a lot longer than ours, like, so accounting is the classic one. You know, accounting is, I don't know how old it is, 500 years old or something as a profession, and as that profession has developed, you know, kind of technical skills, hasn't it, as well, but the other thing it's also developed is the knowledge that you have to have what's called a good bedside manner. Yeah, that's the sort of thing to work on when you're dealing with senior people, and it's exactly that, it's based on empathy. You're right, and try and
sort of see it through their eyes, and they'll love you for it, honestly. They really will. Because so many non-technical people have had an experience sometime of being really talked down to by some [ __ ]. So don't be that person. Yeah. Right. I think... any questions, anyone? No. Okay. Let's give a round of applause. Thank you.