Most people become a non-executive director on the strength of a career in finance, operations, law or the business itself. Almost none arrive having ever run a security team. And yet, somewhere in the last few years, cyber quietly became one of the things the board is squarely accountable for — which means it became one of your things, whether the letter of appointment mentioned it or not.

This is written for that person: the cyber security non-executive director who knows they are on the hook for something they were never trained on, and wants to know what "good" actually looks like — without pretending to be a chief information security officer. The reassuring news, which I will come back to, is that the job of a cyber security NED is not to understand the technology. It is to govern it. Those are very different skills, and you already have the second one.

Cyber is a tier-one risk, and the board owns it

Start with the thing every serious framework now says out loud. NHS England's guide for non-executive directors puts it plainly: cyber is "a tier one risk affecting organisations of all shapes and sizes," and boards "have a key role to play." The NCSC's Cyber Security Toolkit for Boards is built on the same premise — that board members are "pivotal" to whether an organisation is resilient. The Non-Executive Directors Association frames it most sharply of all: cyber security is "a matter of corporate governance," not an IT function.

The reason this matters to you specifically is accountability. You can outsource the work of security — to a CISO, an MSSP, a managed service. You cannot outsource the accountability. When a breach happens, the regulator, the customers, the press and increasingly the courts look at the board, not the help desk. And the consequences are no longer abstract: NHS England cites a single incident that caused more than 10,000 deferred outpatient appointments and 1,700 cancelled procedures. That is what a "cyber risk" looks like once it lands — not a technical event, a business and human one.

So the first shift for any non-executive director is to stop filing cyber under IT and start filing it where it belongs: alongside financial risk, safety risk and reputational risk, as a standing board concern with a named owner and a real place on the agenda.

What the cyber security NED is actually for

Here is the distinction that unlocks the whole role. The executive runs security. The non-executive director holds it to account. Your job is independent oversight, scrutiny and strategic challenge — not delivery.

That means the value you add is not a better firewall. It is the awkward, independent question that the people inside the organisation are too close, too invested, or too optimistic to ask. It is noticing that the same "we're on top of it" slide has appeared for three quarters running. It is asking what the green dashboard is actually measuring. It is insisting the board rehearse its own role in an incident before the incident. A good cyber security NED is a professional sceptic with a fiduciary duty, and that is a role you can perform superbly without writing a line of code.

The corollary is that you must not drift into doing the executive's job. A NED who starts specifying security tooling has stopped being a non-executive director and started being an unpaid, unaccountable CISO. Stay in the oversight lane. Ask, probe, challenge, assure — and leave the delivery to the people paid to deliver.

You don't have to be technical. You have to be fluent.

This is the point that frees most directors, and it comes straight from the NCSC and NEDA guidance: you do not need to be a technical expert. You need enough fluency to "have a fluent conversation with your experts and understand the right questions to ask."

Fluency is not expertise. Fluency is being able to follow the conversation, translate it into business impact, and tell the difference between a real answer and a comfortable one. You already do exactly this with the finance function — you cannot audit the ledger yourself, but you can tell when a CFO's answer is solid and when it is evasive. Cyber is the same skill pointed at a different risk. You are not there to know how the encryption works; you are there to know whether the organisation would survive losing it, and to keep asking until you believe the answer.

If you take one practical instruction from this piece, make it that one: aim for fluency, not expertise. The NED who freezes on cyber is almost always the one who thinks the entry fee is a computer-science degree. It isn't. The entry fee is the confidence to keep asking plain questions until you get plain answers.

The questions a non-executive director should be asking

Fluency shows up as questions. The NHS board guidance organises them into four themes, and I have adapted them here into a set any non-executive director can take into a board or audit-committee meeting, regardless of sector. You do not need to fire all of them at once. Pick a few each meeting, and pay as much attention to how they are answered as to what is answered.

On the technology and the basics:

On our suppliers, because someone else's breach is now your breach:

On people and culture:

On resilience, which is where optimism goes to die:

On regulation and accountability:

A pattern worth noticing across that list: almost none of it is about buying more technology. It is about hygiene, ownership, testing and honesty. That is deliberate, and it is the second liberating truth of this role — the questions that matter most are ones you are perfectly qualified to ask.

The frameworks worth knowing (and where to start)

You do not need to read the entire canon. You need one anchor and an awareness of the rest.

Start with the NCSC Cyber Security Toolkit for Boards. It is free, it is written for exactly your role, and it is organised around five principles — risk management, strategy, people, incident response, and assurance and oversight — each with the questions to ask and the answers to expect. If you read one thing, read that.

Around it, know that the sector-specific guidance exists and reach for it if it applies to you. NHS non-executive directors have their own dedicated guide. The NEDA handbook and toolkit material frames cyber as corporate governance and is aimed squarely at the NED community. And if you sit on a board in a regulated or critical-infrastructure sector, you should know the direction of travel of UK regulation — the Cyber Assessment Framework, the Data Protection landscape, and the incoming Cyber Security and Resilience Bill — because the personal and corporate consequences of getting it wrong are hardening, not softening. I have written separately on what that regulatory pressure means for the people who sign the assurance.

Where non-executive directors go wrong

The failure modes are consistent, and they are worth naming so you can catch yourself:

Treating cyber as IT's problem, discussed once a year when the annual report needs a paragraph. Accepting a green dashboard as assurance — a RAG status is a summary of someone's judgement, not independent evidence, and a board that mistakes the colour for the fact is being managed rather than informed. Only turning to cyber after an incident, when the questions should have been asked a year earlier. Never rehearsing the board's own role in a crisis, then discovering during a live ransomware attack that nobody knows who decides whether to pay. And, the most common of all, conflating compliance with security — a Cyber Essentials certificate or an ISO 27001 badge is evidence that a baseline was met on a given day, not proof that the organisation is safe. Certificates are a floor. Do not let anyone present them as a ceiling.

If you see these patterns on your board, that is not a reason for despair. It is your agenda.

The rise of the cyber-NED

There is a reason "cyber security NED" is now a search term and a recognised board archetype rather than a novelty. Boards have worked out that cyber is a tier-one risk they are accountable for, and that having at least one director who can hold the conversation to account — who can tell theatre from substance because they have run the consoles themselves — is worth a great deal. The practitioner-turned-non-executive-director is valuable precisely because they cannot be comforted by a slide.

That said, most boards do not need a full-time security specialist in the room. What every board needs is for cyber to be owned as a governance matter, for at least one person to make it their business to ask the hard questions, and for the whole board to treat it with the seriousness it treats the accounts. Whether that owner is a dedicated cyber NED or a well-briefed generalist matters less than that the role exists and is performed with rigour.

The job, in one line

Cyber security for a non-executive director is not a technical discipline. It is a governance one. Your job is not to secure the organisation — that belongs to the executive. Your job is to make sure someone competent is doing it, to ask the questions that expose the gap between the reassuring dashboard and the real network, and to ensure the board has rehearsed the day it all goes wrong before that day arrives.

Do that, and you do not need to be able to read a firewall rule. You need to be able to read a room, smell an evasive answer, and keep asking until the answer is honest. That is the whole of the role, and it is one you were appointed precisely because you can do.


I sit on the other side of these conversations often — as an operator who has run the incidents and now advises boards on exactly this. If your board wants that voice in the room, the advisory details are on the home page.