Light Dark
January 11, 2018 By Christophe Veltsos 4 min read
Risk Management
CISO

In mid-December 2017, the National Association of Corporate Directors (NACD) published its “2018 Governance Outlook: Projections on Emerging Board Matters” report, designed to highlight key areas of focus for board directors in 2018. It also offered recommendations for improving enterprise risks, including a section dedicated to cyber risks.

Four Key Takeaways From the NACD ‘s ‘2018 Governance Outlook’

The report — and the underlying NACD Public Company Governance Survey — found that only 49 percent of board directors are confident about management’s ability to effectively handle cyber risks. In the same vein, since there are increasing calls for cyber risks to be integrated within the enterprise risk management (ERM) system, 58 percent said it was important or very important for their boards to improve oversight of risk management in the coming year.

When it comes to cyber risks, there is a lot of room for improvement: Only 12 percent of respondents in the public governance survey said their boards had a “high level of knowledge” of cyber risks. With those numbers in mind, below are four takeaways for board directors from the report:

1. Get Engaged With Strategy and Risk Oversight

Boards should focus on what matters, and that includes organizational strategy and execution, the way risks are managed and keeping a close eye on cyber risks. Since board meetings are often filled with discussions about board composition, compensation, succession and disclosure-related issues, it can be extremely challenging to make time for anything else. However, businesses today are facing heavy turbulence, often resulting in management going from crisis to crisis. In such an environment, directors, with their varied experiences and backgrounds, are best positioned and prepared to spot trends and ensure that management’s actions not only help the company survive today, but also continue to thrive in the future.

Directors know that the buck stops with them, so it should come as no surprise that 71 percent believe their boards must improve their understanding of the risks and opportunities, as well as their impact on performance in the coming year. However, directors also understand that they need to get involved with the development of strategy (67 percent) and improve the way they monitor management’s ability to execute those strategies successfully (also 67 percent). Instead of “reviewing and concurring” with management’s approach, directors are cautioned to be more engaged with both strategy and risk oversight.

Part of that engagement is to “hold executives accountable for providing better intelligence on cyber risk and delivering better results.” It is reckless and unacceptable for a CISO or CIO to report on cyber risks in ways that are not relevant to the CEO and the board.

Listen to the podcast: If you can’t measure it, you can’t manage it

2. Pay Close Attention to Cyberthreats

One of the key lessons for boards to take away from this report is the need for directors to “implement defense strategies to combat cyberthreats.” Directors are cautioned against continuing a largely passive and disconnected approach to their oversight duties when it comes to cyber risks.

The message appears to have been received: When asked about the top five trends that have the greatest potential impact on their company over the coming year, directors ranked cyberthreats fourth (at 38 percent), below industry changes (58 percent), business model disruptions (46 percent) and global economic changes (46 percent). In fact, cyberthreats ranked well above political uncertainty, technology disruptions, U.S. tax reform and investor activism.

The report noted that cyber risks are likely to remain on board agendas permanently, but also reminded directors of their duty to press for “complete, relevant and timely” assurances on how effective the organization is in identifying, managing and responding to cyber risks. But the days of paying lip service to cyberthreats by reviewing, communicating and doing the bare minimum to avoid fines or pass a yearly compliance audit are long gone. The survival of the organization as a whole is at stake with the current level of threats. If the board isn’t confident in its own ability to fully understand cyber risks, the report urged directors to “add a cyber risk specialist on the board” or employ “outside cybersecurity consultants as board advisors.”

3. Work to Improve Organizational Culture

Directors need to get a clear, unbiased picture of the company’s culture and help shape it appropriately. Since culture is often a key driver of performance, it affects the way the organization interacts with its staff, clients and business partners. As such, it can have a direct impact on the company’s success and the kinds of risks it faces.

Organizational culture is most often perceived as risk-seeking and risk-averse. However, the nature of the organization’s security culture should also be part of the board’s overall dashboard metrics on corporate culture. Without a strong culture of security, the organization’s next breach may well come from one of its own employees instead of an external attacker.

4. Ask the Tough Questions

Board directors have a fiduciary duty to oversee cyber risks. They should be able to clearly document the steps and actions they’ve taken to become engaged. When asked about which practices board directors themselves had used, the top four responses were:

  • Looking at the company’s current strategy for protecting its most critical cyber assets (82 percent);

  • Looking at the company’s IT infrastructure to safeguard data (74 percent);

  • Reviewing management’s reporting of cyber risk information and improving the quality of information used to make cyber risk decisions (69 percent); and

  • Looking at the company’s data breach response plan (61 percent).

Because cyberthreats are constantly evolving, board directors need to help management identify and implement a more effective strategic plan for dealing with cyber risks. The report provided six key questions to assist with this endeavor, three of which are listed below:

  • What people, processes and technologies are we currently using to defend our network?

  • What additional resources are needed in people, processes and technologies to limit risk?

  • Are representatives from the security team included in every business planning meeting?

Improving Executive Engagement

As the report noted, “Being ‘secure’ is not a static end state that lends itself to inflexible compliance checklists; it requires a constant evaluation of risk relative to a rapidly evolving cyberthreat landscape.” NACD’s “2018 Governance Outlook” provides good, actionable advice for boards to improve their engagement around strategic risk management and oversight of cyber risks.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

 |  |  |  |  |  |  |  | 
Christophe Veltsos
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

More from Risk Management
April 17, 2024

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

April 16, 2024

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

April 11, 2024

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature