Cybersecurity has long since ceased to be exclusively an IT issue; it is a boardroom imperative. The potentially existential nature of the threat posed by a cyber breach means that directors and senior leaders must understand the governance frameworks that underpin effective cybersecurity, risk management and resilience. For this reason, the Institute of Directors (IoD) Ireland has created a new workshop on cybersecurity and data protection dedicated to meeting this need for directors and members of the C-suite.
Led by renowned cybersecurity expert, bestselling author and IoD Ireland faculty lead Dr Valerie Lyons, the workshop addresses the key governance responsibilities that underpin effective cyber risk management and resilience, and that a director needs to be mindful of, such as those introduced by the Network and Information Security Directive 2022/2555 (NIS2).
The workshop is particularly timely in light of a recent IoD survey revealing that 73 per cent of respondents are aware of their personal liability as directors in the event of serious non-compliance with the NIS2 directive. This EU directive, which is due to be implemented in Ireland later this year, introduces strengthened obligations and extends its scope to additional sectors. Notably, it places explicit responsibility for cybersecurity at board level.
Even entities not directly in scope of the directive may be affected through supply chain obligations. NIS2 requires organisations to establish and implement supply chain security policies governing relationships with suppliers and service providers.
The new IoD Ireland workshop also explores the key questions that directors should be asking regarding their organisation’s cybersecurity and data protection risk posture.
Information security experience
Lyons brings a wealth of information security experience to her role as faculty lead, having graduated with a degree in information systems from Trinity College Dublin in the mid-1990s. She built a foundation in various technology roles before moving into IT audit at KBC Bank (then IIB Bank) in 1999.
After 14 years with the bank, leading the information security risk management team, she decided to take some time out and embarked on a PhD in information privacy at DCU.
While working on her PhD she took up a part-time role with cybersecurity and data protection advisory specialist BH Consulting and is currently chief operating officer of the company and a member of its board.
She is also the author of bestselling book The Privacy Leader Compass, which draws together insights from 60 privacy leaders around the world to help others build, lead and sustain successful privacy programmes in their organisations.
Alongside her industry leadership, Lyons has contributed to academia, lecturing at DCU, Northwestern University in the US, and several other institutions, and was the first Irish woman to speak at RSA, the largest cybersecurity conference in the world.
Cybersecurity is now a critically important issue for boards, she believes. This is partly due to regulation. “It really brings accountability back to boards and places their necks on the block. When organisations implement cyber governance frameworks, reporting mechanisms are required to relay cyber risks in the organisation to the board. It lands firmly on the boardroom table and that’s something that didn’t happen in the past.”

Proper cyber governance is a competitive advantage
But it’s more than just a question of regulatory compliance. “Effective cyber governance delivers tangible business value – from safeguarding reputation to sustaining profitability,” Lyons points out. “From a reputational perspective, you do not want to be on the board of an organisation that has repeated cyber breaches.
“Organisations that consistently demonstrate effective overarching data governance frameworks and how they maintain the integrity of that data enjoy increased consumer trust. If your consumers trust your organisation more, they’re likely to buy more from you. It is a competitive differentiator.”
When considering digital risk governance, boards need to be mindful of three pillars: data protection, cybersecurity, and AI governance. Lyons continues, “You’ve got to ask yourself as a board member, how much do I know about these three pillars? Do I know what data loss prevention tools are and what risks they protect against? Do I know what the AI Act says regarding board responsibilities and accountabilities? Do I know the difference between high risk and low risk systems? In my view, these are some of the fundamentals that board members need to understand.
“I’m not saying directors need to know how to configure a firewall,” she says. “But they do need a strategic grasp of the fundamentals – the why, not the how. For example, directors don’t need to memorise technical password policies, but they must understand how weak identity and access controls expose organisations to systemic risk, regulatory scrutiny, and reputational damage. That level of literacy is essential to ensure informed oversight of management’s cyber governance frameworks.”
What should a director be asking of their CIO?
One of the key elements of the new cybersecurity and data protection workshop, which takes place in November, is to equip directors and business leaders with the knowledge and tools to oversee cybersecurity strategy, data protection risk and compliance at the highest level. It covers the 10 essential questions directors should be asking of their management teams in relation to those key pillars. The aim is to ensure that the board has what it needs to make an informed decision on the issue.
“Ultimately, it’s about directors assuring themselves that the organisation’s systems and controls are not only designed appropriately, but also implemented effectively, tested rigorously, and subject to independent validation,” she says. “In the past, boards could rely on management’s assurance that controls were in place. But too many breaches have revealed gaps between what was reported and what existed in reality. The era of deferring accountability to middle management is over – responsibility now sits squarely with the board.”
Asking these questions is only part of the requirement. Directors also need at least a basic understanding of the related legislation. “Directors also need to understand their obligations under a range of context-specific legislation, such as NIS2, DORA and the AI Act,” she says.
“Remember, if you don’t do this right your organisation could be fined and/or reputation damaged.”
Director and board accountability
Lyons welcomes the shift in accountability to senior leaders and boards. “There’s no point transferring accountability to employees – that would be like placing responsibility for fraud on consumers. The real responsibility lies with leadership to ensure that employees are properly supported through education, culture, and resilient systems. Boards must also recognise the pace at which threats evolve. For example, deepfakes are already being weaponised in phishing scams. It is the board’s role to challenge management on how such emerging risks are being anticipated.”
She notes that mitigating these risks doesn’t always require cutting-edge technology. Often, it’s about embedding robust governance processes around critical business functions, particularly financial authorisations, to ensure that identity verification and escalation protocols cannot be bypassed.
Fortunately, she believes Irish organisations are giving the cyber agenda due attention. “I do believe Irish companies take cybersecurity and data protection seriously and that’s very comforting to me because we have so many tech companies based in Ireland.”
And her own learning journey continues. “I started the IoD chartered director programme in September,” she says. “I love learning; it is central to effective leadership, and I enjoy engaging with other senior leaders and sharing perspectives. The biggest learning is somebody else saying how they approached something differently.”
IoD Ireland’s role is to support directors in reaching the highest standards of corporate governance.