Applying the NACD Cybersecurity Handbook: The Need for Quantification

January 18, 2019  Nicola (Nick) Sanna

A note from RiskLens: In 2020, the NACD cybersecurity handbook was updated to include and endorse cyber risk quantification and the FAIR™ model. You can read about it here. We’ve opted to keep this blog up on our website because it outlines the thought process that led to the update and the reasoning behind it.

On January 12th, 2017, the National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA) published an update to the NACD Director’s Handbook on Cyber-Risk Oversight (The Handbook). The Handbook was first issued in 2014 and received the endorsement of both the Department of Homeland Security and the Department of Justice.

The Handbook was written to help boards of directors at large and small organizations improve their understanding of the possible impact of cybersecurity events on their operations and of their own governance and oversight roles. A survey by the NACD of more than 600 board directors and professionals found that only 19% believed their directors had a high-level understanding of cybersecurity risks and that 59% found cyber risk oversight challenging.

The Handbook identifies five principles boards of directors should consider as they seek to improve their oversight of cyber risks:

  1. Boards need to understand cybersecurity as a risk management issue, not just an IT issue.
  2. Directors need to understand the legal implications of cyber risk, as it relates to their specific organization.
  3. Boards must allocate dedicated time to discuss cyber risk management on board meeting agendas.
  4. Boards shall expect management to establish a risk management program with adequate resources.
  5. Boards shall oversee the management of cyber risk, including plans to mitigate, transfer and tolerate risk.

I commend the NACD for the guidance provided in the Handbook, as it gives directors concrete actions to ensure that cyber risk receives the same attention as other forms of business risk, such as market risk and credit risk. Yet, while the authors affirm that the five principles are presented in a "relatively generalized form", several of the methods provided for implementing them fall short of enabling organizations to manage cybersecurity from a business perspective and to make well-informed decisions.

Enabling effective business decision-making is where the Handbook falls short

The Handbook puts great emphasis on the significant impact cybersecurity events have on businesses and government organizations. If severe enough, these events can cripple operations or bring them to a halt. The financial impact on organizations is often highlighted, yet the examples provided throughout the Handbook and in the Appendices are all based on qualitative measures that cannot form the basis of effective business decision-making (more on this here).

Measuring cyber risk on qualitative scales such as 'High, Medium, Low', '1-5' or 'Red, Yellow, Green' can provide a high-level distinction between 'High' risks and 'Low' risks, but cannot help answer many fundamental business questions that directors must ask as part of their oversight roles, such as:

  • How much risk do we have?
  • Are we spending too much or too little on cybersecurity?
  • Are we spending our cybersecurity budget on the right things?
  • How much risk can we tolerate as an organization?
  • Are we driving risk down to the board-approved level?

A qualitative approach to measuring cybersecurity will not allow directors to fulfill their governance and oversight roles. Unless cyber risk is understood and articulated in quantitative terms as probable (financial) loss exposure, organizations — even if they are making more time to listen to their cybersecurity experts — will continue to make decisions that are IT-driven instead of business-driven.

For example, budgeting proposals cannot be properly evaluated unless boards understand in monetary terms:

  • The probable loss exposure caused by cyber events.
  • The probable reduction in loss exposure driven by a risk mitigation initiative (new tool, process improvement, training, etc.).
  • The cost of a risk mitigation initiative.
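As an added worked example (not from the post or from RiskLens), the following Python script produces the three quantities above for a constructed ransomware-outage scenario, assuming FAIR's top-level decomposition of risk into loss event frequency times loss magnitude and using triangular distributions in place of the PERT curves FAIR tooling normally uses. All estimates, the mitigation and its cost are hypothetical values chosen for illustration.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated minimum / most likely / maximum, the usual FAIR input shape."""
    low: float
    mode: float
    high: float

    def draw(self, rng: random.Random) -> float:
        # Triangular keeps this stdlib-only; FAIR tooling typically uses PERT.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    loss_event_frequency: Estimate  # loss events per year
    loss_magnitude: Estimate        # dollars lost per event


def simulate_annual_loss(scenario: Scenario, seed: int, years: int = 20000) -> dict:
    """Monte Carlo: each iteration is one simulated year, loss = LEF x LM.

    Returns expected (mean) annual loss and its 90th percentile in dollars,
    i.e. the probable loss exposure the post asks directors to demand.
    """
    rng = random.Random(seed)
    losses = sorted(
        scenario.loss_event_frequency.draw(rng) * scenario.loss_magnitude.draw(rng)
        for _ in range(years)
    )
    return {"expected": statistics.fmean(losses), "p90": losses[int(0.9 * years) - 1]}


def evaluate_mitigation(current: Scenario, mitigated: Scenario, annual_cost: float, seed: int = 7) -> dict:
    """The three numbers a budget proposal needs: exposure, its reduction, and cost."""
    before = simulate_annual_loss(current, seed)
    after = simulate_annual_loss(mitigated, seed)  # same seed: paired comparison
    reduction = before["expected"] - after["expected"]
    return {"before": before, "after": after, "reduction": reduction,
            "cost": annual_cost, "net_benefit": reduction - annual_cost}


# Constructed estimates for a hypothetical ransomware-outage scenario (not real data).
CURRENT = Scenario("ransomware outage, today", Estimate(0.2, 0.5, 2.0), Estimate(200_000, 800_000, 5_000_000))
MITIGATED = Scenario("after backup + endpoint hardening", Estimate(0.1, 0.25, 1.0), Estimate(100_000, 400_000, 2_000_000))

if __name__ == "__main__":
    r = evaluate_mitigation(CURRENT, MITIGATED, annual_cost=350_000)
    print(f"exposure now: ${r['before']['expected']:,.0f}/yr (p90 ${r['before']['p90']:,.0f})")
    print(f"after: ${r['after']['expected']:,.0f}/yr; reduction ${r['reduction']:,.0f}; "
          f"cost ${r['cost']:,.0f}; net benefit ${r['net_benefit']:,.0f}")
```

With these inputs the expected exposure drops from roughly $1.8M to $375K per year, so a $350K mitigation clears the bar; change the estimates and the same script answers "are we spending on the right things?" for any other proposal.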

Cyber Risk Economics is here

Standard cyber risk quantification models such as FAIR, and FAIR-based quantification software such as the RiskLens platform, have been around for a while now, and many organizations across a variety of industries have moved from a qualitative approach to cybersecurity to a quantitative one. This enables them to:

  • Use a common language that all stakeholders (board of directors, operations, and IT) can understand: dollars and cents.
  • Help them understand the organization's exposure to cyber risk in financial terms.
  • Provide a decision-making framework for prioritizing risk mitigation, optimizing security investments, and transferring risk.

Directors who want to fulfill their cyber risk oversight responsibilities and enable cost-effective decision-making about the management of cyber risks should expect their organizations to integrate the five principles outlined in the Handbook with proven cyber risk quantification methodologies. Corporate directors should aim to achieve both an NACD certification and a working understanding of how to quantify cyber risk in order to best serve their businesses.

The RiskLens platform presents a robust way to quantify cybersecurity threats to make better informed decisions around cybersecurity oversight. Contact us to schedule a demo today.