Cybersecurity Training for Board Members

Every time I host a session on Cybersecurity, it still never fails to amaze me and learn new things. This time, here's what I learnt. Cybersecurity is now a war of proxies. So many actors, each with different motives, make it extremely difficult attribute and manage. Yet, it's precisely because of this, Cybersecurity is not a tech problem. It’s a leadership one. QED just wrapped up an intense, no-holds-barred leadership session co-hosted with our friends from Ensign InfoSecurity to explore “Leadership in the Age of Cyber Risks and Opportunities.” Instead of just another tech talk, we made it a strategic dialogue at the Board-level. So here are my key takeaways... I did say I'm learning, right? 😉 1. When sh*t happens, who decides? Clear ownership is critical when a breach happens. If everyone’s responsible, no one is. 2. Assume you’re already breached. Incident response plans are 3-parters what should cover before, during and after a breach/attack. 3. Boards must prioritise the top 3 cyber risks. Not everything can be defended equally—focus on protecting your critical assets and ask how can you recover... if at all? 4. Metrics that matter. Boards should ask the right questions, not just more questions. Assess resilience with clear indicators. Watch out for vanity metrics that feel good, but does absolutely... nothing! 😅 5. Cyber hygiene is culture, not compliance. Regular simulations. Employee training. Strong passwords. Make it a daily habit and not something tedious nor optional. Ensign also shared their 2025 Threat Report which focuses more of the situation across APAC rather than elsewhere. Top three points: – Ransomware is still king – GenAI poses new challenges/complexities – Geopolitical tensions are reshaping the attack surface A huge thank you to Charles Ng and the great team at Ensign for the comprehensive deep dive and to all the leaders who shared, questioned, and connected with the purpose of being safer and better guarded together. Special thanks to our amazing panelists Lily Low, Audrey Ong, and Charles + our wonderful QED Fellow and moderator Ramakrishna Purushotaman for cutting through the noise. Your various vantage points help us all see a more complete picture of the challenges! 🙏🏼 Here's something for you to ponder: 📣 If you're a Board Director, but haven’t discussed cyber in the last 90 days, it’s overdue. Do you know what are the right questions to ask your management? 🤔

WSJ article today about how Board Directors are the weakest link in cybersecurity is click bait and FUD, but it's useful if you zoom out. What the article should have said is that board directors should get personalized, hands on training because, without it, many will struggle to understand what it is, how it actually works, and why it needs appropriate (and usually additional) funding. Just like everything, life is complicated, people are busy, and many security teams struggle to effectively make the Board a security champion. The best way to get the engagement and buy-in from the Board is to make it personal -- the world looks different thru the lens of your data, your family, and your personal exposure. This doesn't mean that Board's don't care -- on the contrary -- they do (and it's their fiduciary obligation to protect your org!). WSJ recommendations are below: #4 should be #1 >> make it personal! 1. Cybersecurity education-and-training programs aimed at rank-and-file employee could be customized for directors. [My take: there is plenty of evidence at this point that training is ineffective. If you are going to offer training, make it in-person and have it led by someone who is an objective badass in their respective field.] 2. Customized tabletop exercises, in which board members are exposed to a hypothetical cyber incident and asked to respond, could be especially effective in terms of getting board members to recognize and prepare for direct attacks. [My take: this can be interesting, but framing them more around the idea of wargaming will be more relevant (and more real) for you board.] 3. Organizations might want to include board members in phishing simulations, in which they send fake emails to employees to gauge how many will react and to develop training tools to mitigate the effectiveness of such attacks. The fake attacks and follow-up could be customized specifically for board members. [My take: don't do this. Just like training, these have been shown to be counterproductive and can erode trust with your board. The whole point of getting them involved is to build trust...] 4. [Start here!] One-on-one consulting, where security experts are assigned to work with individual directors, might be the most effective training approach. This gives directors the tutoring they need at a time, and in a manner, most suited to them. [My take: this is your best avenue to build trust and real awareness with your board. Make it personal. Bring in an outside firm that is expert in demonstrating how your board's exposure could be materialized to attack them, their families, and the company. Expand from there. Once they "get it" for themselves, they will get it more broadly.] https://lnkd.in/e4rBKX8Y #boardofdirectors #humanattacksurface

🎤Lianhe Zaobao 联合早报 interviewed me about the new #Cybersecurity training session, launched by the Singapore Institute of Directors and Ensign InfoSecurity yesterday. Through a 90-min training, #directors and #board members were brought through real-world #cyberattack simulation to test out our crisis response and decision-making.   *** 🎤Lianhe Zaobao 联合早报 asked: 1️⃣❓𝘏𝘰𝘸 𝘸𝘢𝘴 𝘵𝘩𝘦 𝘤𝘰𝘶𝘳𝘴𝘦, 𝘢𝘯𝘥 𝘩𝘰𝘸 𝘪𝘴 𝘪𝘵 𝘥𝘪𝘧𝘧𝘦𝘳𝘦𝘯𝘵 𝘧𝘳𝘰𝘮 𝘢𝘭𝘭 𝘰𝘵𝘩𝘦𝘳 𝘤𝘺𝘣𝘦𝘳𝘴𝘦𝘤𝘶𝘳𝘪𝘵𝘺 𝘤𝘰𝘶𝘳𝘴𝘦𝘴 𝘰𝘶𝘵 𝘵𝘩𝘦𝘳𝘦? ✅ The session was interesting and I was impressed by the capabilities of Ensign InfoSecurity.  I particularly enjoyed the demo they did, including the sneak peek into their operations. ✅I chose this course precisely because it was organised by Singapore Institute of Directors.  It was 𝗽𝗶𝘁𝗰𝗵𝗲𝗱 𝗮𝘁 𝘁𝗵𝗲 𝗿𝗶𝗴𝗵𝘁 𝗹𝗲𝘃𝗲𝗹, 𝗰𝘂𝘁𝘀 𝗼𝘂𝘁 𝘁𝗵𝗲 𝘁𝗲𝗰𝗵𝗻𝗶𝗰𝗮𝗹 𝗷𝗮𝗿𝗴𝗼𝗻, 𝗮𝗻𝗱 𝗮𝗱𝗱𝗿𝗲𝘀𝘀𝗲𝘀 𝘁𝗵𝗲 𝗰𝗼𝗻𝗰𝗲𝗿𝗻𝘀 𝗼𝗳 𝗱𝗶𝗿𝗲𝗰𝘁𝗼𝗿𝘀 𝗮𝘁 𝗯𝗼𝗮𝗿𝗱 𝗹𝗲𝘃𝗲𝗹. ✅ The session focuses on what Directors need to know: • awareness and knowledge of #cyber issues and challenges • support of the management team • clear decision-making. This was a very good way of making sure cybersecurity and cyberresilience continue to be prioritised on the board agenda.  *** 2️⃣❓𝘞𝘩𝘢𝘵 𝘸𝘢𝘴 𝘰𝘯𝘦 𝘵𝘩𝘪𝘯𝘨 𝘵𝘩𝘢𝘵 𝘴𝘶𝘳𝘱𝘳𝘪𝘴𝘦𝘥 𝘺𝘰𝘶 𝘪𝘯 𝘵𝘩𝘦 𝘴𝘦𝘴𝘴𝘪𝘰𝘯? That directors react differently from each other in a crisis situation.  During the simulation exercise, when asked what the first Board response should be when faced with a cyberattack, directors were equally divided between: 🅰️Contain and recover operations; and 🅱️Call for emergency board meeting to align decisions. It goes to show that we can't assume that directors would react the same.  The best thing would be for board members to discuss 𝘯𝘰𝘸, 𝘱𝘳𝘦-𝘦𝘮𝘱𝘵𝘪𝘷𝘦𝘭𝘺, what their cybersecurities protocols and priorities should be, so that when the cybercrises hit, there will be no fog. *** 📰Back to the article, I was also personally chuffed that Lianhe Zaobao 联合早报 also intereviewed Ivan Ng - it's not everyday that you get to be featured with a good friend on the same news article! 😄🙌 👏Well done to the SID and Ensign teams on a great training! #cybersecurity #cyberresilience #technology #directorship #corporategovernance #risk Oon Jin YEOH Pauline Goh Joy Tan Dhirendra Shantilal Terence Quek Yang Wai Wai Minhan Lim Sherin Y Lee Chong Jin (CJ) Li 李宗仁 Jennifer Bao, MSCS Varsha Bipinchandra 📸 🔗 https://lnkd.in/gnAESPeW