The Advanced Cyber Security Center is just out with a study on Leveraging Board Governance for Cybersecurity that makes a strong case, and lays out some specific recommendations, for boards to demand cyber risk analytics—not operational checklists—as a basis for board oversight on cybersecurity.
The study is based on interviews with CISOs and board members at 20 major companies and institutions in Massachusetts, as well as industry research (among the recommended resources: the article Getting the Right Cybersecurity Metrics and Reports for Your Board on the NACD Board Talk Blog by RiskLens Board Members James Lam and Jack Jones).
Here’s the report’s diagnosis of the problem with board governance and cybersecurity:
“Boards’ less than full governance partnership has been exacerbated by the lack of historically tested and sophisticated cyber risk management frameworks of the type that exist for other corporate risks.
“Guidance such as the U.S. government’s National Institute of Standards and Technology (NIST) Risk Management Framework elements now serve as a starting place for management and boards. Executives interviewed, with a few exceptions, use the NIST framework internally and with boards.
"However, they broadly agreed that boards must understand that most existing frameworks, such as NIST, are “operational checklists” focused on inputs, not on performance outcomes, and represent minimum standards—and as such do not provide a robust cyber risk framework.
“Unfortunately, cyber risk hasn’t yet evolved into a standard risk management function in the way financial and audit functions have, and in some cases, board members have not yet recognized that cybersecurity involves making decisions about the relative importance of certain assets and a tolerance for the risk to them.
“’Over the past few years we have seen a fairly dramatic uptick in Board activity around cybersecurity as awareness has grown. But there is a big difference between awareness and understanding. Too many board members still talk about defending the perimeter and mistakenly refer to a zero appetite for cyber risk,’ an executive said.”
Among the report’s recommendations to CISOs and boards:
“Build board confidence in cyber operations and frame strategic discussions around key risk issues and questions.
“Boards should prioritize and support senior management’s development of a new generation of outcome-based cyber risk management frameworks, and in the meantime, executives should use only a few operational metrics with boards.”
The ACSC’s statement is one of the strongest we’ve seen in support of the growing movement to re-focus cybersecurity on cyber risk. Here’s another sign: CyberVista, the leading cybersecurity education and workforce development company, has partnered with the FAIR Institute, the leading advocate of quantitative risk analytics, on a cyber risk curriculum for board directors as part of CyberVista’s Resolve Board and Executive Cybersecurity Training.
For a deeper dive into bringing an "outcome-based cyber risk management" approach to your board of directors, take a look at this post from the RiskLens blog:
You Can Have Answers by Your Next Board Meeting
And watch this video of a talk at the recent FAIR Institute Conference by James Lam, who also leads the risk committee for the board of E*TRADE:
A Risk Committee Chair’s View of ERM and Cybersecurity Oversight
RiskLens is the only cyber risk analytics application based on the FAIR model, the international standard for cyber risk quantification.