NACD updates its Cyber Security Handbook
On January 12th, 2017, the National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA) published an update to the NACD Director’s Handbook on Cyber-Risk Oversight (The Handbook). The Handbook was first issued in 2014 and received the endorsement of both the Department of Homeland Security and the Department of Justice.
The Handbook was written to help boards of directors of large and small organizations improve their understanding of the possible impact of cyber security events on their operations and of their governance and oversight roles. A recent survey by NACD of more than 600 board directors and professionals uncovered that only 19% believe their directors have a high-level understanding of cyber security risks and that 59% find cyber risk oversight challenging.
The Handbook identifies five principles boards of directors should consider as they seek to improve their oversight of cyber risks:
I commend the NACD for the guidance provided in the Handbook, as it provides directors with concrete actions to ensure that cyber risk is dealt with the same attention as other forms of business risk, such as market risk or credit risk. Yet, while the authors affirm that the five principles are presented in a “relatively generalized form”, several of the methods provided on how to implement them fail to fully enable organizations to manage cyber security from the business perspective and to enable well-informed decision making.
Enabling effective business decision-making is where the Handbook falls short
The Handbook puts great emphasis on the significant impact cyber security events have on businesses and government organizations. If severe enough, these events have the ability to cripple operations or bring them to a halt. The financial impact on organizations is often highlighted, yet the examples provided throughout the Handbook and in the Appendices are all based on qualitative measures that cannot form the basis of effective business decision making. (More on this here.)
Measuring cyber risk on qualitative scales such as ‘High, Medium, Low’, ‘1-5’ or ‘Red, Yellow, Green’ can provide a coarse distinction between ‘High’ risks and ‘Low’ risks, but cannot help answer many fundamental business questions that directors must ask as part of their oversight roles:
A qualitative approach to measuring cyber security will not allow directors to fulfill their governance and oversight roles. Unless cyber risk is understood and articulated in quantitative terms as probable (financial) loss exposure, organizations – even if they are making more time to listen to the cyber security experts – will continue to make decisions that are IT-driven versus business-driven.
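To make concrete what "probable (financial) loss exposure" looks like in practice, here is an added example, not taken from the Handbook, FAIR or RiskLens, that uses a simplified FAIR-style Monte Carlo model: a loss scenario is described by an expected loss-event frequency and a calibrated 10th/90th-percentile range for the loss per event, the annual loss is simulated over many years, and the resulting distribution is used to compare a control's expected loss reduction with its annual cost. The scenario, the ranges and the control cost are constructed for illustration, and the frequency and magnitude distributions (Poisson and lognormal) are modelling assumptions, not values the page supplies.

```python
"""FAIR-style Monte Carlo estimate of annualised loss exposure.

Illustrative example written for this page; it is not the NACD Handbook's,
FAIR's or RiskLens' code. All scenario inputs below are constructed.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A loss scenario described by calibrated ranges (assumed inputs)."""
    name: str
    events_per_year: float   # expected loss-event frequency (Poisson mean)
    loss_low: float          # 10th-percentile loss per event, in dollars
    loss_high: float         # 90th-percentile loss per event, in dollars


def _poisson(rng: random.Random, mean: float) -> int:
    """Knuth's Poisson sampler (the random module has none built in)."""
    if mean <= 0:
        return 0
    limit = math.exp(-mean)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def _lognormal_params(low: float, high: float) -> tuple:
    """Convert a 10th/90th-percentile range into lognormal mu and sigma."""
    z90 = 1.2816  # standard-normal 90th percentile
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * z90)
    return mu, sigma


def simulate_annual_loss(s: Scenario, years: int = 10_000, seed: int = 1) -> list:
    """Return one simulated total loss per year: sum of per-event losses."""
    rng = random.Random(seed)  # fixed seed keeps the example reproducible
    mu, sigma = _lognormal_params(s.loss_low, s.loss_high)
    losses = []
    for _ in range(years):
        n_events = _poisson(rng, s.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def percentile(values: list, q: float) -> float:
    """Nearest-rank percentile for q in [0, 100]."""
    ordered = sorted(values)
    idx = max(0, math.ceil(q / 100 * len(ordered)) - 1)
    return ordered[idx]


def summarize(losses: list) -> dict:
    """The figures a board can actually reason about: mean and tail losses."""
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p99": percentile(losses, 99),
        "prob_loss_over_1m": sum(1 for x in losses if x > 1_000_000) / len(losses),
    }


def evaluate_control(baseline: Scenario, mitigated: Scenario,
                     annual_cost: float, years: int = 10_000, seed: int = 1) -> dict:
    """Net benefit = reduction in expected annual loss minus the control's cost."""
    base = summarize(simulate_annual_loss(baseline, years, seed))
    after = summarize(simulate_annual_loss(mitigated, years, seed))
    reduction = base["expected_annual_loss"] - after["expected_annual_loss"]
    return {
        "baseline": base,
        "mitigated": after,
        "expected_loss_reduction": reduction,
        "net_benefit": reduction - annual_cost,
    }


# Constructed scenario: credential-compromise incidents before and after a
# hypothetical control that cuts their frequency (cost figure also constructed).
BASELINE = Scenario("credential compromise", 4.0, 20_000, 400_000)
MITIGATED = Scenario("credential compromise + control", 1.0, 20_000, 400_000)
CONTROL_ANNUAL_COST = 150_000

if __name__ == "__main__":
    result = evaluate_control(BASELINE, MITIGATED, CONTROL_ANNUAL_COST)
    for key in ("baseline", "mitigated"):
        print(key, {k: round(v) for k, v in result[key].items()})
    print("expected loss reduction:", round(result["expected_loss_reduction"]))
    print("net benefit of control:", round(result["net_benefit"]))
```

The output answers a budgeting question in monetary terms: if the control's annual cost is below the expected loss reduction, the proposal has a positive net benefit, and the p90/p99 figures show how much of the tail exposure remains. A heat map rating of "High" cannot be compared with a budget line this way.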
For example, budgeting proposals cannot be properly evaluated unless boards understand in monetary terms:
Cyber Risk Economics is here
Standard cyber risk quantification models such as FAIR, and FAIR-based quantification software such as RiskLens have been around for a while now, and many organizations in a variety of industries have moved from a qualitative approach to cybersecurity to a quantitative one. This enables them to:
Directors who want to fulfill their cyber risk oversight responsibilities and enable cost-effective decision making about the management of cyber risks should expect their organizations to integrate the five principles outlined in the Handbook with proven cyber risk quantification methodologies.