NACD - National Association of Corporate Directors

Cybersecurity: What does the board want?

Here is a summary of the 2017 NACD Cyber-risk Handbook and its recommendations for directors as well as action items for CISOs

Boards of Director are taking an increasingly active role in cybersecurity governance.  The question is: what are they looking for and how should you manage your security program to meet their needs? 

This topic has been addressed in the “Cyber-Risk Oversight” handbook, published last month by the National Association of Corporate Directors. This is an update to the first NACD handbook, published in 2014. The handbook is just that, a set of recommended practices for directors. You can expect that your directors will be asking you these questions, now or in the near future. 

Five key principles are outlined and I will highlight the recommendations in those principles that seem to be novel or not commonly in practice. For more information, you can download the free content from the NACD website.

Principle 1: Approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue

If cyber-risks permeate all business processes, why shouldn’t this approach be a no-brainer? The biggest reason is that information security has been the domain of the CIO for many years. CISOs, often reporting to the CIO, have been charged with information security risk management. But today, this reporting structure may not facilitate risk management across third-party collaboration, or IoT-based services, to name just two expanding risk areas. One good suggestion in the NACD handbook is to organize a cross functional cyber-risk team, led by an officer with well-established cross-functional responsibility. Examples are CFO, CRO or COO, but not CISO.  This will amplify the CISO’s expertise.

Principle 2:  Understand the legal implications of cyber risks

Every security breach will result in legal action. This is pretty much a given today. In some cases, security breaches will affect the organization as a whole. A perfect example is the Yahoo-Verizon deal, where the newly reported breaches may cost Yahoo shareholders $250-$350 million. I suspect a significant chunk of this money is in reserve to cover lawsuits in progress. Was the Yahoo board kept up to date with the state of the Yahoo security program? That’s not known. An interesting recommendation in the NACD handbook is to get board members involved with table top exercises around incident response. That way, they will be part of the breach reporting conversation.

Principle 3: Boards should have adequate access to cybersecurity expertise; cyber-risk management should be given adequate time on board agendas

Many boards of director are reviewing cyber-risks on a regular basis.  Cisco reports that boards and the CEO are taking the lead role in cyber-risk management at 39% of the organizations they surveyed. However, the NACD reports that only 15% of boards are very satisfied with the information they are getting from management. So you need to carefully understand the strategic information they are looking for and refrain from operational statistics like percent systems patched, etc.

Principle 4: Directors should set expectations that management will establish an enterprise cyber-risk management framework

The handbook highlights the NIST Cybersecurity Framework (CSF) as a useful approach to risk management. Many people are already using this risk-based framework. Principle 4 also recommends doing a “forward-looking” risk assessment. I don’t know how many people are attempting to do that. Most are satisfied with a current state risk assessment to satisfy compliance requirements. You really need to understand potential threats one to two years out, given that it will take you that long to implement new controls.

Principle 5:  Boards need to discuss details of cyber risk management and risk treatment

These details include: risk mitigation, risk transfer, risk avoidance and risk acceptance. Today, no one can mitigate all risks across the enterprise. Boards and management need to understand where the crown jewels are, what attacks are most likely and then defend against those. Security risk management has always been about prioritization and still is. Also important is to understand your organization’s risk appetite. You need to know what the maximum risk your organization is willing to accept in pursuit of strategic objectives and what risks will be outside the bounds of corporate values? These risks must be mitigated whatever their priority values.