“We feel we’re leading the way,” says Peter Gleason, CEO of the (US) National Association of Corporate Directors (NACD) over the phone from Washington about the new “Cyber-Risk Oversight Program” due to launch at the start of February.
Aimed squarely at directors and members of the board, this will provide a 20-hour online course (including testing), which aims to educate senior individuals around the world on “baseline” security issues and what they can do about them.
There are courses aimed at managers but there is nothing specifically focused on the director community, Gleason explains. “We saw a need in the market place.” The increasing volume of public hacks mean “people are more attuned to risk,” he adds.
Delivered in conjunction with the CERT Division of SEI (Software Engineering Institute) – based at Carnegie Mellon University – and Ridge Global this strives to provide the highest quality information to individuals right at the very top of organisations.
“Most of our courses are NACD member exclusive,” says Gleason “but this is such a large topic we decided to extend it beyond our membership.”
As security has become an ever more mainstream issue many industry individuals are calling for basic cyber security training to be mandated for senior individuals within companies. While this is likely to take some time coming – and vary in pace around the world – the provision of relevant courses targeted at this group, may be an important interim step.
NACD recently re-issued its handbook on cyber-risk which Gleason explains which Gleason explains was the first private sector publication to appear on the Department of Homeland Security (DHS) website. DHS has not been actively involved in putting this training together, he clarifies, but both CERT and Ridge Global have had strong government ties (Tom Ridge was the first US Secretary of Homeland Security).
Still, how relevant can this kind of overtly US training be to members of the c-suite around the world? “We’re part of a global network of director institutions,” says Gleason who has been talking to peers from across the globe. He believes the baseline information will be completely applicable internationally, but adds it does have a US focus in regards to specifics like legislation and there may need to be some country specific modifications along the way.
Gleason says once the basic version launches he will begin approaching international colleagues about the various regional iterations needed to fully extend its reach. He also stresses that this will be a long-term ongoing issue and everything will need constantly updating as “the security environment is changing all the time”.
It is impossible to tell how useful or successful it will be until it launches early next month. But Gleason says “anecdotally” interest levels have already been very high. “I’ve done more press interviews for this than anything else,” he says.
Jon Collins’ in-depth look at tech and society
Phil Muncaster reports on China and beyond