Article by NCSC
NCSC’s cyber security Board Toolkit draws on industry expertise in a major update to the guidance.
Originally published in 2019, the NCSC’s cyber security Board Toolkit helps boards ensure that cyber resilience and risk management are embedded throughout their organisations. The guidance is aimed at medium/large organisations of all sectors, ranging from charities and schools to law firms and retail.
It proved very popular with industry, and it’s their feedback, together with input from non-executive directors and our i100 industry team, that has prompted an update. This is to ensure the guidance remains up-to-date, relevant, and framed in language that boards are familiar with.
When I was tasked with updating the Board Toolkit, I really wanted to draw on the knowledge and expertise of the various industry sectors to reflect the real-life challenges that boards face. Using staff from within the i100 initiative, designed to embed industry staff into NCSC teams, seemed like a great place to start.
The working group
My plan was to form a small working group to review the current guidance and to help write and shape the updated guidance. I was delighted to receive responses from willing contributors across a range of sectors, some of whom shared initial drafts with board members, which gave us invaluable feedback. With a working group now established and meeting weekly, I collated the feedback and the following themes emerged:
- Personas: Who is this for and what do they need? Is the guidance expressed in the appropriate language?
- Whole Organisation: The focus should be wider than the board and technical experts.
- Scope/scale: How should the toolkit speak to its varied audience and how can it be scaled down into digestible chunks?
- Cyber as BAU (business as usual): Cyber security to form part of organisational processes and procedures.
- Promoting cyber security: Highlight the benefits of cyber.
The working group proved a success! Working collaboratively with this cross-section of industry and SMEs has demonstrated how shared knowledge and experience can help influence and shape NCSC’s guidance.
Professor Matt S, from the University of Warwick’s Centre for Interdisciplinary Methodologies, was instrumental in shaping the guidance. He said: “It was great to be involved in bringing the new Board Toolkit together. The collaboration between specialists from across several sectors, drawing on insights from industry, academia and policy communities, has ensured this refreshed guidance is applicable for a whole range of organisations.”
Colin Topping, Cyber Incident Director at Rolls Royce, was another key contributor to the guidance refresh. He said: “It is so important to have a diversity of thought. Partnering with the cohort of i100, NCSC, and broader government specialists allowed me to appreciate different perspectives and requirements; this was instrumental in creating a product that works for organisations in different sectors and of various sizes and is something I can use when working with our business units and supply chain.”
I’d like to thank all those involved in the refresh of this guidance, including the non-executive directors, industry experts, DSIT and the NCSC Digital Communications team.