Cybility Savvy
E23- Corporate Governance in the Cyber Age
In this episode, Michala Liavaag talks with Clare McGill Sharpe, about the current challenges facing corporate governance and cybersecurity in a global charity context.
Clare works as the Corporate Governance Manager at the charity Sightsavers, and volunteers as a trustee at the Brighton Yoga Foundation.
Clare’s LinkedIn: https://www.linkedin.com/in/clare-mcgill-532869199/
👉 Cited in this episode:
Civil society news: https://bit.ly/Cybility2CivSocNews
Directory of social change: https://bit.ly/Cybility2DSocChange
NCVO: https://bit.ly/Cybility2NCVO
Getting on board: https://bit.ly/Cybility2gob
Charity commission: https://bit.ly/Cybility2CharityCom
Brighton Yoga Foundation: https://bit.ly/Cybility2BrightonYoga
Book: boards that make a difference https://bit.ly/Cybility2Clarebk2
Book: The charity’s trustees handbook https://bit.ly/Cybility2Clarebk1
-----
⭐Found this useful? Please rate and review, as it helps reach more people
👍You can also subscribe and share on social media
💬 Contribute to future episodes with your cyber security concerns and questions
🤝Connect with Michala and Cybility Savvy:
✅ LinkedIn ✅ Twitter ✅ Youtube ✅ Instagram
---
✍🏾Written and produced by Michala Liavaag
🎦Co-produced and edited by Ana Garner video
🎵Music by CFO Garner
(automatic transcription)
00:00:00:06
Michala Liavaag
Hello and welcome to Cybility Savvy, the show that demystifies cyber security for not-for-profit boards and leaders.
I'm your host, Michala Liavaag, and today we're going to talk with Clare McGill Sharpe, corporate governance manager of Sightsavers, about her journey to becoming a cyber savvy executive and trustee.
Cybility Savvy: the quickest way to go from cyber confused to cyber savvy.
Welcome, Clare, great to have you on the show.
00:00:29:12
Clare McGill
Thank you, Michala. Great to be here. Thank you for having me.
00:00:32:13
Michala Liavaag
Would you like to tell the audience a little bit about yourself?
00:00:34:07
Clare McGill
I am, as you said, corporate governance manager for Sightsavers, and for those of you who don't know, Sightsavers is a global NGO, so we work advancing eye health care and disability rights across Africa and some of Asia as well. I've been there for four years now, which seems quite long. I started off as a compliance executive and have moved my way up to corporate governance manager. In addition to that, I'm also a charity trustee and secretary for a small charity based in Brighton, which is called Brighton Yoga Foundation.
00:01:10:08 - 00:01:28:11
Michala Liavaag
Excellent, thank you very much. It's interesting you just mentioned the four years there, because from a cyber security point of view there's been quite a lot of change over that period, so I'll be interested to hear how corporate governance has sort of changed over that period as well. So what sort of challenges do you see at the moment?
00:01:28:14
Clare McGill
Some of the main challenges, which I think are happening across every sector, are the challenges coming from the pandemic: how we can address risks and how we can keep up to date with those changing needs and requirements, which are changing really drastically as a result of the pandemic. We're trying to make sure that everyone can still communicate in the online world, which means we have to address many different issues, and from a governance perspective there are some quite nuanced risks that people haven't exactly thought through. There's quite a funny one I find, in terms of recording meetings: if it's not in your constitution that you can have online meetings, you actually can't have them under common law. But that common law was established back in the 1800s, so obviously if that was tested today it would look very different; the issue is it hasn't yet been tested today. So we're having quite a few issues like that: can we do this meeting online, will that be okay? A lot of people assume that you can, and why wouldn't you? We've got Zoom, things are easy to use, so you think that you can just get everyone on that call, but there's a lot to think about. And obviously again, just thinking about accessibility: at Sightsavers we've got some people on our board with sight and other disabilities, so we need to take that into account if they can't see people voting. We say use the voting button, but if you can't see that, or indeed if there's someone with a lack of hearing who can't hear that, then of course we need to take that into account. English might not be everyone's first language, but it's the dominant language that is spoken at most of our meetings because of the global nature. So there are lots of different, really nuanced risks and concerns that have come into it, and we're just trying to keep up, trying to change process really quickly and keep up with that changing environment.
00:03:37:20 - 00:03:55:17
Michala Liavaag
Goodness, I'm really surprised to actually hear what you're saying about the remote meetings, because I think about sort of local government and their shift over the years towards doing remote meetings, but it has never occurred to me that for a charity you might actually need to change the constitution to allow that. So that's a new one on me, thank you.
00:03:56:00
Clare McGill
Yeah, and I think as well it's because every charity is set up so differently. Local government are quite lucky actually, in terms of how they're governed; in terms of the constitution they're able to make those changes, whereas with charities the importance of that governing document is that it really needs to be followed to the letter. And again, if it's not in there, then you have to look at, well, where does it come from? It might come from a case, as they say, it might be common law, or it might come from something that's in the Charities Act, but then you have to sift through that if you don't already know it, and you could be falling foul of something that you're just not aware of. And as they say, if it was tested today, I wouldn't mind it being tested today, because then it would set a new precedent, and I think it would look very, very different to what they had in the 1800s.
00:04:53:12 - 00:05:01:02
Michala Liavaag
Absolutely, yes. They wouldn't even begin to imagine, I think, the technology we have nowadays; to them it would be like magic.
00:05:01:12 - 00:05:02:07
Clare McGill
Exactly.
00:05:03:13 - 00:05:17:24
Michala Liavaag
So with all those risks that you've just mentioned, there are obviously quite a lot of practical things that you've talked about. Being Cybility Savvy, we're obviously interested in cyber security and information security; how are you seeing those sorts of risks play into your organisation?
00:05:18:03 - 00:05:39:18
Clare McGill
Very similar actually, because again we have to think about what applications we're using. Again, because we're on a global scale, we have people in different countries; we've got board members that might be at home, we have board members that might be at an airport in Ghana taking a meeting, which we have had. We've got that to think about: not only is the device itself vulnerable in that time it's open, it's got data on there that could be swooped out of someone's hand while they're desperately trying to be official and take this meeting and not miss it, but then also there are those vulnerabilities of using certain applications which have been more vulnerable. I know they are improving, especially as incidents have happened; however, we do have that reality. We also have expectations to meet, because we've got so many board members, and senior management want to make things as easy as possible for them. So there are things like: we don't really want to have passwords, because if we have this password, what if they don't have access to it? These people are busy and they're important and they might not have time to go through their email and find the password that you sent them one month ago when you gave them notice. Or the password needs to remain the same every time, and trying to explain that that's not possible is definitely a challenge. You need to give examples, just make it clear really that you're not being difficult, and explain what those vulnerabilities are to make sure that everyone's on board and that it's not just as simple as setting up a quick meeting with no password.
00:07:06:14
Michala Liavaag
Yeah, I was just thinking back to the start of the pandemic, when everyone was suddenly rushing online and you had those wonderful examples of Zoom bombing; I think somebody Zoom-bombed a cabinet meeting of the UK government, didn't they, if I recall correctly. So there's definitely something that people should be mindful of. Just thinking about the examples you've given about the passwords, it sounds like you're describing that sort of security friction that we sometimes see when we're trying to keep things secure but balancing it with usability. I know that recently there's been a big push from Microsoft around going passwordless; maybe one day we'll get there, but yeah, it definitely does take a lot of consideration and thinking about the risks of your own environment as to what's appropriate, because what works in some countries may not work for others. Most of the people we've spoken to on Cybility Savvy tend to be UK based; we've had a couple who work globally, but no one who's actually done corporate governance from your angle globally, so could you perhaps tell us a bit about the differences you see there?
00:08:19:23
Clare McGill
There's a lot of similarities and a lot of differences, as you can imagine. I'm responsible for six boards, so I'll give an example of maybe Nigeria. Nigeria is your typical setup, the same as a board would be in the UK: we have a president who chairs most meetings, we have the vice president, we've got a secretary, we have a treasurer, we have an AGM where the accounts are done every year, and we have quarterly board meetings where strategy is discussed, and risks and so forth. But some of the big differences are when it comes to things like the law and regulation that you have to take into consideration. Actually, coming back to information security, they have an NDPR which came out, I want to say, in 2019, and it's modelled pretty much on the GDPR. So you think that what we do in the UK can translate easily to Nigeria, but actually if you read the NDPR you realise that there are differences there. It's modelled on it, but it's almost slightly better in a way, because what they've done is they've taken the GDPR but then they've also maybe taken some other laws and sandwiched them, and what we're seeing, not just in Nigeria but in some other countries as well, is this really enhanced version that you have to meet. Then you have to think about those additional risks and address those with our boards, going through those differences, making sure that our policies, if they say that they're a global policy, which a lot of them do, actually do translate globally, and then whether you do have to have maybe a separate policy. An example of that would actually be in Nigeria: we have a separate process for CCTV because of the NDPR. I found out that our security team were putting in place some CCTV which was going to be monitored by us as an organisation, not from an external source, so therefore we had to think about, well, what laws are we going to have to meet when it comes to security, when it comes to the NDPR, and not just thinking that there's a catch-all. So there are just some quite big differences when it comes to that; you really do have to look into it and do the research and not just assume that everything's the same. That can be one of the challenges, but it's also one of the most interesting areas, and it's what I enjoy the most: getting stuck into a new piece of regulation or law or standard code of practice, and you can really see those similarities and then learn the differences and actually apply them. It's really an interesting area to work in.
00:11:13:02
Michala Liavaag
Yeah, that really parallels one of the things that I like about cyber security: it's always changing, the rules are different, and so there's always something you can sort of get your teeth into and research. I think it's particularly interesting actually that you highlight that in some ways the NDPR is better than the GDPR, because I think certainly in the UK there's this kind of thought that, well, the GDPR is the gold standard when it comes to looking after personal data, when that's not necessarily true, and obviously we're outside of that legislation now anyway, having our own DPA. So could you perhaps just give an example of one of those differences that you think is particularly stronger in the NDPR?
00:11:56:19
Clare McGill
One of the differences would be on the collection of data. It's not just thinking about the categories of data, it's actually thinking about all data, so it's very difficult because you have to think in an all-data context. When you're doing maybe a data protection impact assessment, where you're assessing those risks and the data that you're gathering, it goes beyond the personal data and those very specific definitions that we have here, and those definitions of sensitive data, and it extends it to all data. So therefore we can't just anonymise data and say, oh well, it's anonymised, it's okay, because actually it won't matter under the NDPR. So that's one of the biggest and one of the most complicated, not very practical as you can imagine. So whenever we're going out to the field, perhaps, and we're taking a lot of medical information from our beneficiaries, we can't just look at anonymising that; we have to look further, we have to look at the data in itself, and we have to treat that data almost as if it's always sensitive data even when it isn't. So if we anonymise it, we take out all that sensitive information, it's still data under the NDPR and we still have to be careful. There are also, under the NDPR, much more criminal penalties that you have to think about as an organisation as well, and obviously again taking that back to the board and letting them know what those penalties are, and making sure that they're aware that those safeguards are in place and that we're handling everything as we should in terms of the data that we're collecting and processing.
00:13:41:02 - 00:14:11:19
Michala Liavaag
So just thinking about that point and taking it a step further, I'm thinking, if I'm a board member in one of these countries, presumably there might be different responsibilities and obligations for me in terms of information security. Again, are there any key differences across the world that you see there? Are there any that are particularly, kind of, yes, you as a board member have a specific responsibility for this?
00:14:11:22
Clare McGill
Not that I can think of, honestly. Obviously there are different laws in different countries that board members should be aware of and should be thinking of, and should be questioning the organisation and saying, are these safeguards in place? There are also different regulators in different countries. What's closest to different obligations of the board member would be in terms of our donors and our contractual obligations to our donors. We've got the Foreign, Commonwealth and Development Office, UK Aid, we've got USAID, we've got Irish Aid; a lot of those donors will be funding projects in a lot of our different countries, including Nigeria, so we've got a lot to think about there. Obviously Irish Aid will be using GDPR; USAID will have something very different in place that they will be expecting you to meet. So it's really that: that would be where that comes from, are they meeting those individual obligations? It can be a challenge; however, if you're meeting one, you're usually meeting the rest. If you're meeting the one, let's say, with the highest amount of obligations, you're usually meeting all the others as well.
00:15:33:00 - 00:15:59:06
Michala Liavaag
Yeah. Out of interest, I've seen some organisations that will take the view that, okay, we'll take the highest standard from all of them and then we'll be delivering for everybody, but then you get the counter argument of, but actually that's excessive for quite a lot, and so they want to downgrade. How do you deal with those sorts of conversations?
00:15:59:12
Clare McGill
Yeah, it's true, and those conversations have been had, because obviously you're looking at resource as well, and you don't want to overburden colleagues with different requirements that they don't have to commit to, so there is that element. We tend to go mostly off the highest requirement or regulation, unless there's something else that they can go with. If there's a law in Ghana, for example, even if that law didn't necessarily supersede the law of the head office in the UK, we would still go with that law; we wouldn't replace it with the UK law, we would continue following that law. However, if there was nothing, then we would go with the overarching, highest, or country of head office, so the main country of operation, which is the UK.
00:17:01:20 - 00:17:06:13
Michala Liavaag
Okay, an awful lot to think about there; that's got to keep it really, really varied for you.
00:17:06:19 - 00:17:07:12
Clare McGill
Definitely.
00:17:07:14
Michala Liavaag
Yeah, and just thinking about those safeguards as well from a cyber security point of view, right across the world there are huge changes that have been happening over the past few years in this space, and certainly a lot more, should we say, co-working, if you like. I'm just thinking about the boards and their specific responsibilities again for cyber security: have you seen an uptake in the interest in the discussions around cyber security risk in the board meetings across the world, or does it focus mainly in certain countries? I'm just curious about that.
00:17:44:13
Clare McGill
I think all of them, actually. Again, I think it's partly the evolving world of cyber security and it being spoken about a lot more, and when there's something in the news that has happened and people read it, they go, oh, what if that happens to us, what would we do? So then they bring these questions back and they're saying, well, I was reading this article and I had concerns. So yeah, I think there's definitely more conversation about it at board level and there's more awareness of our obligations, and I think as well we're starting to get past that idea of, oh, we're a charity. There used to be a kind of, we're a charity, why would anyone steal our data? When actually we're probably one of the most vulnerable organisations, one of the most vulnerable sectors, for attack. So I think that is becoming more known now across the board, and more questions are definitely being asked of what the organisation is doing to protect everyone's data, and not just our beneficiaries or our external stakeholders; there are also questions about internal data of employees, just making sure that that information is held in a confidential way and that it is being protected. I would say even just in the last two years it's definitely at the top of people's minds when it comes to asking what the organisation is doing on a day-to-day basis.
00:19:26:06 - 00:19:44:16
Michala Liavaag
Okay, that's really great. In terms of asking what the organisation is doing and challenging the organisation, perhaps in some of its decision making and things, what sort of questions do you find that your board members are asking that really get to the nub of things?
00:19:44:16
Clare McGill
Well, they're asking to see the policies, which I think is good. They're asking when these policies have been updated; obviously some of the policies do go back to the board anyway for approval, but some don't, some go to the management team, so therefore they might not see all of them. So they are challenging us in that way, making sure that those policies and processes are in existence, and then they're also making sure that they understand the processes that were put in place. So the questions are much more detailed, and they're not just, do you have a policy, are you protecting data, yes we are, okay let's move on. They're actually asking, well, how are you doing that? If you are going to take information from 600 villagers in Malawi, how are you collecting that information and where is it going? They really want to understand more about how we're actually doing it and where we're storing it, so they can safely put their mind to these and say, okay, they've explained how they're taking it, what consents they have in place, where that's being stored, where it's transferred to; now I know that we are actually collecting that data appropriately. Whereas I think in the past sometimes it was just a case of, do you have mandatory training and do you have a policy, which, even if you have those two things, there's definitely no guarantee that you're storing, collecting and processing that information appropriately.
00:21:19:19
Michala Liavaag
Yeah, that's really interesting to hear that they are really wanting that level of detail; actually, that's really encouraging from my perspective. You touched on training a moment ago, and I was just wondering what you have seen in terms of changes for information security training for board members, I suppose over the years and around the world. Any differences?
00:21:43:05
Clare McGill
The training definitely has increased and the awareness has increased across the board. What I've noticed from certain websites and things that I follow, such as Civil Society News, the Directory of Social Change and NCVO, and they're all sort of more UK based, is that there's definitely a lot more in terms of blog posts, free training and awareness campaigns: letting charities know that they are vulnerable to cyber security incidents, letting them know what they can put in place to protect their charities, and the professionals that they can go to for that support. Globally I'm not too sure, to be honest, how much has been done, certainly across Africa and Asia anyway. What I have noticed is that across Africa, in the countries that we work in such as Ghana and Malawi, they've all been putting in a lot more in terms of regulation in the last few years, and therefore I think with that will come a little bit more campaigning in terms of awareness, and building that as time moves on. But at the moment that still isn't exactly there for everyone, so there is still a lot of internal communication that needs to happen in that regard.
00:23:04:08 - 00:23:27:03
Michala Liavaag
Okay, and how do you deal with that internal communication piece in relation to board members? I've certainly seen in some organisations they'll take a drip-feed approach, little by little with emails; others will do a whole, say, half-day event. I'm just wondering what you've found effective.
00:23:27:08
Clare McGill
What we've heard a lot of in the last couple of years is kind of information overload, and a lot of information fatigue. So initially, I would say around 2018-19, we probably went through that bombardment of information: this is what you need to know, constantly feeding in information. However, I think we have softened that approach, again just because there's been a lot of evolvement in a lot of areas, and therefore we just need to be careful; we need to make sure that people are actually taking that information in, so being much more targeted, much more focused in the information. We do of course have mandatory training, but we also have newsletters, different posters and flyers; we also have things during induction processes for trustees and for staff; and we also asked our CEO if she could share our data protection and information security awareness, along with modern slavery and some other quite important areas, during her CEO update, which is much more sporadic, but they are to be listened to. If your CEO sends you an email, it's important, so we tried to make it a part of that to make sure that people understand the importance and they understand what they have to do in terms of taking part in that training, making sure that their information is up to date, making sure that they understand what they need to do if an incident happens, and to avoid an incident happening.
00:25:12:06
Michala Liavaag
That's really good to hear. I've also taken the approach of encouraging the CEO to maybe do a video or whatever to get the message out, because it always comes across much better from them. One of the things you just mentioned there reminds me of something: over the years I've kind of toyed with the idea of having a specific member of the board that is responsible for information assurance. I was speaking with a trustee a few months ago who felt that actually that wasn't the way to go, that it would detract from the fact that it was every single member of the board's responsibility to be looking at that. I know that you're very lucky with the board, aren't you? I think you've actually got somebody who works in the field. Just tell us a little bit about that; do they, I guess, sort of fly the flag?
00:26:13:18
Clare McGill
I guess this is for Brighton Yoga Foundation, where I'm secretary and trustee for the board. We do have an information security professional who is wonderful, and we're really, really lucky. She does that as her day job; she's from Ukraine, so she's also in the Ukrainian Army, in their information security army, at the moment as a volunteer, to really try and prevent any incidents there. So she's really great, and yes, she does indeed fly the flag very high for that. She's undertaking a risk assessment for us at the moment and making sure that we understand; she's building an asset register for us, so we understand where all of our information is, so that if there is an incident we're able to deal with it. That's great, because it's a small charity, so we obviously are lacking in resources, so just having someone on the board who can come in with that expertise and experience and really deliver, and make sure that we're doing what we can, because we don't have an internal or external IT department that is able to do that for us. So those vulnerabilities are probably higher, because we're relying on volunteers, we've got a lot of information on a lot of personal devices, and so therefore having her there to really just make sure that we're able to address those risks and mitigate against them is really, really crucial, and we're very, very fortunate.
00:27:53:07 - 00:28:20:01
Michala Liavaag
Yeah, that sounds amazing actually; kudos to her in terms of the work she's doing right now. Thinking about what you just alluded to there, in terms of the difference between a large charity that has resources and a small charity where, as trustees, you have to sort of pick up and do it yourselves: do you find that you're able to bring some of what you do in your day job from the large charity to the small?
00:28:20:04
Clare McGill
Yeah, yeah, definitely. What I have to remember is obviously we don't have all the same resources in a small charity as we do in the large one, and it's very easy to try and think, oh, we should definitely do that and we should do this. It's trying to make sure that we're doing what we can with the resources that we do have, and trying to prioritise what those are and trying to understand what will be most effective. So what can I take from Sightsavers to Brighton Yoga Foundation which is the most effective, but that will really work for them? There is that element of: we have an information security manager at Sightsavers, we have a great department, we have an internal IT department, whereas with Brighton Yoga Foundation, as I said, we're relying on volunteers; we all have our personal devices. It's also what capabilities those devices have, so it might not just be knowledge, and giving people the knowledge of what they can and can't do to secure data, but also what capabilities they have at home, at their own office. So it's really exploring that and trying to find out what is in place, and then working again with what you have, trying not to put too high expectations on a very small organisation.
00:29:43:15
Michala Liavaag
Yeah, that's something that, hands up, I have to catch myself on, because it is so easy, I think, when you've worked in large organisations to think, well yes, it'd be great if all this were in place, but it's just not practical in small organisations. So I think inevitably, as you mentioned, small organisations are going to carry a higher level of risk because of that, and I think one of the things that people often lose sight of is that just because they're small, it doesn't mean that they're not dealing with huge volumes of really sensitive data. Just thinking about your experience of having somebody on the board who does have that skill set: do you think that could also work going the other way, into a big organisation, and having somebody like that on that board? Or do you think that actually there is merit in everybody having some experience and knowledge and skill around that topic?
00:30:47:05
Clare McGill
I think a bit of both, actually; I think there's a balance there. I think everyone having the experience and knowledge, it being communicated, it being a boardroom discussion, is definitely something that should happen, but actually if you have a representative on the board then that conversation is more likely to happen. I think there's room for both. What we do have on our board is a safeguarding lead trustee; having that doesn't take away from the rest of the board needing to understand that safeguarding is hugely important and a huge risk. So therefore I don't see why information security and data security can't be exactly the same. If you have someone who's an ambassador and who's saying, hang on, we're talking about going out to this new programme, we're talking about collecting this information, we're talking about moving into a new country, have we explored the implications from an information security perspective? And then the board need to have that discussion as a whole. So actually I think both: you could have someone to remind the entire board of their responsibilities, which is something that I have to do all the time as a secretary. I'm constantly reminding them of our responsibilities in governance. Sometimes people can get carried away; they think, oh, we could do this and we could raise money for this and that would be wonderful, and it's all with great intentions, but then I have to be the annoying one who says we can't really do that, it's not really in line with our constitution, or it might not be in the best interest of our beneficiaries. That doesn't mean that the whole board shouldn't understand that, but it might need someone there to give them that reminder. So yeah, I think that an information security professional would definitely be needed, especially in the environment at the moment where, again, we've spoken a lot today about how fast changing it is, and my board, because we have a global board and then we have individual boards, so we're dealing with so many different areas, just having someone to say, have we taken everything into consideration?
00:33:08:03
Michala Liavaag
No, that's really, really helpful. Thank you, Clare. There's a gentleman, he works in the charity sector, who posts on LinkedIn and posts the most wonderfully funny, how many... profiles, if you like, of board members. One of those is that you've got, you know, the person who sort of knows it all and speaks up about stuff, but then everyone else just shuts up and leaves it to them. It sounds from what you're saying that yes, it's good to have that ambassador there, but it doesn't mean that people should sort of relegate their responsibility; they still need to participate in those discussions.
00:33:41:09 - 00:33:43:14
Clare McGill
You know, that's the role of a board member.
00:33:43:14 - 00:34:05:09
Michala Liavaag
I was just wondering if there are any sort of things that you'd like to share with people, you know, specifically key messages for board members who are perhaps new to doing this or aspiring to become a board member. What key messages, or what advice, would you give them around corporate governance and security?
00:34:05:10
Clare McGill
I think for anyone aspiring to be, go for it. I would say, you know, there's a lot of really helpful information out there. There's a lot of websites: there's, is it Get on Board? Getting on Board, and there's the NCVO, which I've mentioned, there's the Charity Commission, which have really great, I'm going to geek out here, but they have really great five-minute guides for trustees, which I think are really handy, because no one wants to read 20 pages before they even consider being a trustee. So, you know, those five-minute guides are really useful. And just talking to other board members, having a look through your contacts, seeing if there's anyone who you can chat to about being a board member and what that means. And yes, there are risks, having to make sure that you are always thinking about the charity and putting, you know, your beneficiaries' objectives first. However, it's so rewarding, you know, to know that you are there for that community of people that you've chosen to be there for, and that you are, you know, making sure that everything works in the background. Because it can be very easy to lose sight, especially when you are in the background constantly in roles like ours, it can be easy to lose sight of the person at the other end, and I think really coming back to that and reminding yourself why you're there, that's really, really key. And I think just making sure that, you know, you're constantly asking yourself: are we doing the right thing? Do we have the correct mitigation measures in place? Are we taking the time to look at the evolving areas of law, regulation, governance, information security, and are we making sure that they fit in with our charity and what we're doing?
00:35:54:05 - 00:36:13:04
Michala Liavaag
That's brilliant, thank you. We'll definitely put those resources that you've mentioned in the show notes below, so do take a look at those. Now, one of the questions I like to ask people before we sign off is to recommend, and it might be three books or it might be podcasts. Have you had a chance to think about what you'd like to recommend?
00:36:13:14
Clare McGill
I have. I have two copies, so I've got two books. So I've got one, which you can probably put a link on, but it's called Boards That Make a Difference, and it's John Carver, who I suppose is the father of corporate governance, and it's specifically designed for non-profit and public organisations, so it's really good. Now, it is big, but it's one of those, you know, you're not going to read it front to back cover; you're going to dip in and out of it and get lots of useful information. So I really recommend that. There's obviously, you know, the person who sort of founded corporate governance is kind of key. And then I've got The Charity Trustee's Handbook, which is actually much thinner, and that's from the Directory of Social Change, but that's a really useful one as well, again because it's small and you can dip into it. And it's also maybe a good one to have, again, if you're thinking about being a trustee and you want to pick up a book and have a look through it and just get some nice ideas and encourage you to make that decision.
00:37:14:17 - 00:37:21:20
Michala Liavaag
That's pretty lovely. Thank you very much. What's one question that you wish I'd asked you but I didn't?
00:37:21:20
Clare McGill
I think it's how I get people to think about information security as part of their role when it's so far away from information security. So especially, you know, in my line of work, a lot of people do some really great, you know, creative campaigns and projects, and they're so creative, I can't even begin to think where they get these great ideas from. But how do I get them to think about information security? How I do that really is simplifying it. So I always start a conversation when someone comes to me for advice and they say, so we're going out to do this campaign, we're going to get all this data, we're going to do this, what do we do? And I always explain to them, I go to the extreme of what could happen. So I go to the highest, highest level, like a ridiculous, extreme dream of what could happen, and then I bring it back down. Then I say, okay, where do we find the compromises? Where do we mitigate against this? Where can we make this work for you, where you can still keep that information secure? And I think explaining that to people has been really effective. Yeah, just keeping that in mind: if you just explain to people where you're coming from, it really helps them, and it helps them think about it in their next project as well.
00:38:40:20 - 00:39:01:08
Michala Liavaag
Yeah, that's a really key point you've missed. Thank you so much for picking that as your question, because it is all about, you know, changing that mindset and getting people to just be sort of risk aware constantly in what they're doing. So that's a great one, thank you. Well, where can people find you online if they'd like to chat to you more about these topics?
00:39:01:12 - 00:39:12:05
Clare McGill
I'm on LinkedIn under Clare McGill. You should see me under Sightsavers and the charity governance Institute of UK and Ireland, and yeah, do feel free to get in touch if you have any questions.
00:39:12:16 - 00:39:16:06
Michala Liavaag
And that's brilliant. Thank you so much Clare. I really enjoyed the conversation today.
00:39:16:17 - 00:39:19:06
Clare McGill
Thank you so much. Thank you for your time.
00:39:19:20 - 00:39:41:18
Michala Liavaag
That's it for now. Thanks for listening. For more resources on this topic, and to learn how our services can help your organisation to be more cyber resilient, visit our website at Cybernetic Consulting BBC.co.uk. If you found this useful, please subscribe and share on Twitter and LinkedIn. I would also appreciate it if you could take a moment to rate and leave a review.
00:39:41:22 - 00:39:58:05
Michala Liavaag
You can contribute to future episodes by visiting our website to share your cybersecurity concerns and questions. This show was written and produced by me, Michala Liavaag, and co-produced and edited by Ana Garner. Music by CFO Garner. I hope you'll join us next time.