What's Missing in the NACD Director's Cyber Risk Oversight Handbook

January 18, 2019  Nicola (Nick) Sanna

NACD updates its Cyber Security Handbook

On January 12th, 2017, the National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA) published an update to the NACD Director's Handbook on Cyber-Risk Oversight (The Handbook). The Handbook was first issued in 2014 and received the endorsement of both the Department of Homeland Security and the Department of Justice.

The Handbook was written to help boards of directors of large and small organizations improve their understanding of the possible impact of cyber security events on their operations and of their governance and oversight roles. A recent survey by NACD of more than 600 board directors and professionals uncovered that only 19% believe their directors have a high-level understanding of cyber security risks and that 59% find cyber risk oversight challenging.

The Handbook identifies five principles that boards of directors should consider as they seek to improve their oversight of cyber risks:

  1. Boards need to understand cybersecurity as a risk management issue, not just an IT issue.
  2. Directors need to understand the legal implications of cyber risk, as it relates to their specific organization.
  3. Boards must allocate dedicated time to discuss cyber risk management on board meeting agendas.
  4. Boards shall expect management to establish a risk management program with adequate resources.
  5. Boards shall oversee the management of cyber risk, including plans to mitigate, transfer and tolerate risk.

I commend the NACD for the guidance provided in the Handbook, as it gives directors concrete actions to ensure that cyber risk receives the same attention as other forms of business risk, such as market risk or credit risk. Yet, while the authors affirm that the five principles are presented in a "relatively generalized form", several of the methods provided on how to implement them fail to fully enable organizations to manage cyber security from the business perspective and to make well-informed decisions.

Enabling effective business decision-making is where the Handbook falls short

The Handbook puts great emphasis on the significant impact cyber security events have on businesses and government organizations. If severe enough, these events have the ability to cripple operations or bring them to a halt. The financial impact on organizations is often highlighted, yet the examples provided throughout the Handbook and in the Appendices are all based on qualitative measures that cannot form the basis of effective business decision making. (More on this here.)

Measuring cyber risk on qualitative scales such as 'High, Medium, Low', '1-5' or 'Red, Yellow, Green' can provide a high-level distinction between 'High' risks and 'Low' risks, but it cannot help answer many fundamental business questions that directors must ask as part of their oversight roles:

  • How much risk do we have?
  • Are we spending too much or too little on cyber security?
  • Are we spending our cyber security budget on the right things?
  • How much risk can we tolerate as an organization?
  • Are we driving risk down to the board-approved level?

A qualitative approach to measuring cyber security will not allow directors to fulfill their governance and oversight roles. Unless cyber risk is understood and articulated in quantitative terms as probable (financial) loss exposure, organizations - even if they are making more time to listen to the cyber security experts - will continue to make decisions that are IT-driven versus business-driven.

For example, budgeting proposals cannot be properly evaluated unless boards understand in monetary terms:

  • The probable loss exposure caused by cyber events.
  • The probable reduction in loss exposure driven by a risk mitigation initiative (new tool, process improvement, training, etc.).
  • The cost of the risk mitigation initiative.

Cyber Risk Economics is here

Standard cyber risk quantification models such as FAIR, and FAIR-based quantification software such as RiskLens have been around for a while now, and many organizations in a variety of industries have moved from a qualitative approach to cybersecurity to a quantitative one. This enables them to:

  • Utilize a common language that all stakeholders (board of directors, operations and IT) can understand: dollars and cents.
  • Understand the organization's exposure to cyber risk in financial terms.
  • Apply a decision-making framework for prioritizing risk mitigation, optimizing security investments and transferring risk.
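To make the three monetary quantities from the budgeting discussion above concrete (probable loss exposure, the reduction a mitigation buys, and the mitigation's cost), and to show what a FAIR-style quantification produces, here is an added worked example. It is example code written for this page, not part of the original post and not the FAIR standard's or RiskLens' own implementation. It assumes a simplified FAIR decomposition (loss event frequency = threat event frequency x vulnerability, times loss magnitude per event), three-point min / most likely / max estimates modelled as triangular distributions, and a Poisson count of loss events per simulated year. The scenario names, estimates and the $250,000 mitigation cost are all constructed sample values.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A hypothetical FAIR-style risk scenario with three-point estimates
    (min, most likely, max). All values here are constructed for illustration."""
    name: str
    tef: tuple             # threat event frequency, events per year
    vulnerability: tuple   # probability that a threat event becomes a loss event
    loss_magnitude: tuple  # loss per loss event, in dollars


def triangular_mean(estimate):
    lo, most_likely, hi = estimate
    return (lo + most_likely + hi) / 3.0


def analytic_ale(s):
    """Expected annualized loss exposure with each factor at its mean:
    E[TEF] * E[Vulnerability] * E[Loss Magnitude] (factors assumed independent)."""
    return (triangular_mean(s.tef)
            * triangular_mean(s.vulnerability)
            * triangular_mean(s.loss_magnitude))


def _poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s, years=20000, seed=7):
    """Monte Carlo: one total loss figure per simulated year."""
    rng = random.Random(seed)
    tef_lo, tef_ml, tef_hi = s.tef
    v_lo, v_ml, v_hi = s.vulnerability
    lm_lo, lm_ml, lm_hi = s.loss_magnitude
    losses = []
    for _ in range(years):
        # random.triangular takes (low, high, mode)
        lef = rng.triangular(tef_lo, tef_hi, tef_ml) * rng.triangular(v_lo, v_hi, v_ml)
        events = _poisson(rng, lef)
        losses.append(sum(rng.triangular(lm_lo, lm_hi, lm_ml) for _ in range(events)))
    return losses


def summarize(losses):
    ordered = sorted(losses)
    return {
        "ale": statistics.fmean(ordered),          # annualized loss exposure (mean)
        "p90": ordered[int(0.9 * len(ordered))],   # a "bad year" figure for the board
    }


def evaluate_investment(baseline, mitigated, annual_cost, years=20000, seed=7):
    """Compare loss exposure before and after a mitigation against its cost."""
    base = summarize(simulate_annual_losses(baseline, years, seed))
    mit = summarize(simulate_annual_losses(mitigated, years, seed))
    reduction = base["ale"] - mit["ale"]
    return {
        "baseline_ale": base["ale"],
        "mitigated_ale": mit["ale"],
        "expected_reduction": reduction,
        "annual_cost": annual_cost,
        "net_benefit": reduction - annual_cost,
        "baseline_p90": base["p90"],
        "mitigated_p90": mit["p90"],
    }


# Constructed scenario: the mitigation only changes the vulnerability estimate,
# i.e. how often a threat event succeeds; frequency and impact are unchanged.
BASELINE = Scenario("credential phishing leading to account takeover (constructed)",
                    tef=(5, 10, 20), vulnerability=(0.10, 0.20, 0.30),
                    loss_magnitude=(50_000, 150_000, 500_000))
MITIGATED = Scenario("same scenario after phishing-resistant MFA rollout (constructed)",
                     tef=(5, 10, 20), vulnerability=(0.02, 0.05, 0.10),
                     loss_magnitude=(50_000, 150_000, 500_000))

if __name__ == "__main__":
    result = evaluate_investment(BASELINE, MITIGATED, annual_cost=250_000)
    for key, value in result.items():
        print(f"{key:>20}: ${value:,.0f}")
```

Running the block prints the baseline and mitigated loss exposure, the expected reduction, and the net benefit after the mitigation's annual cost, which is exactly the comparison a budgeting proposal needs to survive board scrutiny. The analytic figure (`analytic_ale`) is a quick sanity check on the simulation; the simulated p90 value is what answers "how bad could a year be?" rather than only "what is the average?".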

Directors that want to fulfill their cyber risk oversight responsibilities and enable cost-effective decision making as it relates to the management of cyber risks should expect their organizations to integrate the five principles outlined in the Handbook with proven cyber risk quantification methodologies.