Written by: Harrison Weiss
Board-Level Cybersecurity Oversight & Risk Management
Key Takeaways:
- Cybersecurity is a strategic enterprise risk requiring board-level oversight.
- Collective security through industry and government collaboration is essential to combating cyber threats.
- Empowering your Chief Information Security Officer (CISO) is crucial for effective cybersecurity strategy and execution.
- Accurate and actionable cyber risk assessments are necessary for informed decision-making.
- Cyber risk quantification is vital for effective risk assessment.
- Boards must be prepared to adapt their oversight practices to address evolving cyber threats.
The 2023 Director’s Handbook on Cyber-Risk Oversight, jointly prepared by the National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA), is a comprehensive guide for board directors navigating the cyber threat landscape. As cyberattacks grow in sophistication and frequency, organizations face risks to their operations, finances, and reputation.
NACD Director’s Handbook on Cyber-Risk Oversight: 6 Core Principles
The handbook underscores the value of board-level oversight in navigating the complexities of cyber threats. The 2023 edition emphasizes the strategic importance of cybersecurity, detailing six core principles for effective oversight. Five of these carry over from previous editions:
- Directors need to understand and approach cybersecurity as a strategic, enterprise risk, not just an IT risk.
- Directors should understand the legal implications of cyber risks relating to their company’s specific circumstances.
- Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
- Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework and reporting structure with adequate staffing and budget.
- Board-management discussions about cyber risk should identify and quantify financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through insurance and specific plans associated with each approach.
The 2023 handbook adds a sixth principle, concerned with the growing threats cyber risk poses nationally:
- Boards should encourage systemic resilience through collaboration with their industry and government peers and encourage the same from their management teams.
Key Handbook Themes on Cyber Threats
The handbook highlights the evolving cyber threat environment, the necessity of integrating cybersecurity into enterprise risk management, and the critical role of board members in fostering a culture of cyber resilience and collaboration. Major themes prevalent throughout the guide and governance tools include:
Collective Security
The handbook emphasizes the evolution of cyber risk, which is growing from a function of IT to an enterprise-wide strategic consideration. The handbook’s new, sixth principle goes even further and addresses how cyber risk has risen beyond the organization itself and now exists at the industry ecosystem level.
Data breaches and other cyber threats do not just impact the targeted company’s reputation, financials, and operations; all of its customers’ businesses are negatively affected too. Many organizations in a sector rely on the same or similar vendors in their supply chain, so one compromised business allows threat actors to target multiple businesses.
Furthermore, if U.S. companies suffer reputational damage from cyberattacks, the resulting shift toward foreign investment poses national security risks.
Empowering CISOs
Because cyber risk is now enterprise-wide, rather than a risk relegated to IT, boards must re-imagine the relationship with the Chief Information Security Officer (CISO) function.
CISOs often specialize in information security and associated risk management activities. Appointing this dedicated officer role is an important first step; however, to demonstrate a true commitment to cybersecurity, the CISO needs to be elevated to an enterprise-wide strategic planning role. Incorporating the CISO’s security expertise into corporate strategy facilitates a strong cyber culture that cascades security benefits throughout the business. By increasing the visibility of the CISO and their relationship with the board (i.e., frequent partnership outside of periodic board updates), you demonstrate the prioritization of cybersecurity to stakeholders.
Metrics Reporting
As boards use metrics to track business operations (e.g., marketing efforts and financial performance), similar measures should be used to address and assess cyber risk. The handbook stresses that all metrics about information security and cyber threats should translate into economic terms for the board. This does not mean removing all technical aspects of reports. While the expectation is that board members have some level of cyber and financial literacy, the data presented needs to align with other business functions.
Based on an organization’s size, complexity, and industry, boards must find the proper mix between strategic, benchmark, operational, and cyber-economic metrics. Strategic metrics demonstrate the overall approach to cybersecurity and progress toward meeting security goals, addressing whether the cyber programs implemented achieve their purpose. Benchmarking also allows organizations to compare their security posture against industry peers.
Where an organization excels, cybersecurity can be marketed as a core competency of the business. Operational metrics, day-to-day information about activities such as patching, help-desk tickets, etc., are not helpful to board oversight on their own. However, when compiled into trends, the data indicates whether the organization is on track to meet its strategic goals.
Lastly, cyber economic data should translate all cyber threats into direct financial impacts to support accurate budgeting and resource allotment.
Cyber Risk Assessments
One of the more dramatic handbook recommendations is to denounce the use of qualitative measures in cyber risk assessments. The handbook argues these do not effectively communicate cyber risk in financial terms. Strict dollar amounts, instead of high, moderate, and low indicators, allow for clearer strategic decisions. However, the cost and time involved in developing a consistent method for cyber risk quantification may be prohibitive for smaller institutions.
Instead, such boards should focus on what their qualitative measures mean: defining the general extent of financial damage associated with each inherent risk rating. For example, a critical or high rating would indicate a disastrous threat to business functions, a moderate rating would threaten or delay the achievement of key business goals, and a low rating poses no significant impact.
What’s Next for Board Directors’ Role in Cybersecurity
The NACD and ISA’s handbook is a testament to the evolving nature of cybersecurity as a critical component of strategic risk management. The sixth principle adds an imperative for boards to foster a collective security approach. Furthermore, it indicates a mature understanding of cyber threat implications. Handbook recommendations such as empowering CISOs, advocating for enhanced metrics reporting, and redefining the communication of cyber risk will help board members take strategic action against cyber threats. Boards that wish to sharpen their organization’s tools against cyber threats should work closely with their auditors to implement the oversight techniques recommended throughout the handbook.
If your board needs cybersecurity solutions to address your organization’s needs, we’re here for you. Reach out to our team of experts today.