NACD, ISA, and World Economic Forum Release Joint Cyber-Risk Principles

The release today by the World Economic Forum, NACD, and the Internet Security Alliance (ISA) of global principles and metrics for cyber-risk oversight is an important turning point in how cyber risk will be understood.

Historically, cybersecurity has been conceived as a technical issue, and by extension, the management of cyber risk is shifted down corporate organizational charts to operations personnel. This has led to an almost exclusively technical or operational approach to addressing cyber risk with the hope that effective cyber-management principles will “bubble up” from the information technology (IT) department.

By almost any measure, that approach has been largely inadequate.
According the Forum, revenues for cyber criminals this year will total about $2.2 trillion—roughly equivalent to the annual revenues of the United Kingdom. Ransomware premiums have risen from the modest five-figure sums of a couple of years ago to up to seven-figure sums now.

Although the recent systemic attacks on SolarWinds Corp. and Microsoft Exchange Server were executed by nation-states (Russia and China), we know from experience that, like most innovations, the techniques used in these attacks will fairly rapidly be diffused among a wide variety of attackers. Things are going from very bad to much, much worse.

Meanwhile, enterprises have been consciously engaged in digital transformation for several years now. In the early stages of digital transformation, the focus was on using the wonders of the digital age purely as a revenue-enhancing tool. As time went on, however, the dark underside of digital transformation—cyber risk—became apparent. This and the increase in frequency and severity of cyberattacks has prompted leading organizations to appreciate cybersecurity as a strategic business issue that is part of the core business mission and intimately correlated with organizations’ need for digital transformation.

In this construction of cyber-risk oversight, cybersecurity flows downward through the business from the board to senior leadership and across a reimagined organization that treats cyber risk as an enterprise-wide issue. The principles and methodologies that the Forum, NACD, and the ISA have produced, in the new paper Principles for Board Governance of Cyber Risk, define a process for how boards and senior managers can implement their respective roles in best addressing growing cyber risks.

The NACD and the ISA have been partnering on cyber-risk oversight handbooks for nearly a decade. Meanwhile, the Forum has been operating its own program through its Centre for Cybersecurity. Happily, the three organizations found that their independent investigations yielded substantially similar conclusions, which have been fairly easily integrated in the below list.

1. Cybersecurity is a strategic business enabler.

2. Boards need to understand the economic drivers and impact of cyber risk.

3. Cyber-risk management needs to be aligned with business needs.

4. Enterprises need to ensure that organizational design supports cybersecurity.

5. Cybersecurity expertise needs to be incorporated into board governance.

6. Systemic resilience and collaboration need to be encouraged.

Although the first five principles largely echo previous publications from the three collaborating sponsors, the sixth principle is relatively new. This principle emphasizes that boards must be concerned with more than simply securing themselves and their businesses; in the digital age, modern organizations must appreciate that they are part of a broad and interdependent digital ecosystem. The size and nature of the risk illustrated by recent attacks such as those mentioned above highlight that not only are individual entities under attack, but supply chains and the system itself are subject to attack, as well. As a result, collaboration and information sharing are not simply wise policies; they are imperatives, just as environmental, social, and governance issues are. Although cyber risk needs to be addressed from an empirical and economic perspective, the needs of the greater enterprise system must also be included in cybersecurity ethics and practices.