How do you get the Board on-board for cyber defence?
Cyber Security should really be a Board-level discussion item.
Given the state of cyber-risk, and the position of businesses to resist and recover from an attack, it must at least have upper/executive management representation. In reality, this is not always the case. Consequently, the first time the board gets interested is when they become a victim. I personally have witnessed many initiatives led by operational staff to do more to improve cyber defence that fail due to upper management just not getting it!
Not all is lost though: the UK Government's National Cyber Security Centre (NCSC) has published this recent guidance for executive management:
… of course you can take the horse to water, but …
I do have a simple analogy for upper management, though, that may help them to understand why an organisation needs to adapt; just let me know.