The World Economic Forum (WEF) recently released a report, Principles for Board Governance of Cyber Risk, that provides a handy format for CISOs or CROs looking to present on cyber risk to board directors, especially when their reporting is based on cyber risk quantification.
As the WEF states, “In order for organizations to make effective business decisions, risk determinations should focus on the financial impact to the organization.” That financial view of risk is the basic deliverable of cyber risk quantification (CRQ) analysis through the RiskLens platform.
The WEF is a board-level organization best known for its yearly Davos conference, the annual gathering of the business elite. The Principles report is a consensus view from a panel of international business and risk experts (including Nick Sanna, President of the FAIR Institute and CEO of RiskLens), with participation from the National Association of Corporate Directors (NACD), the Internet Security Alliance and PwC.
Here’s a snapshot of the six principles, and how CRQ helps fulfill their goals:
1. Cybersecurity is a strategic business enabler
“Analyze cybersecurity issues with respect to their strategic implications and as part of enterprise risk,” the report says. Translating cyber risk into financial terms opens the door to communication between the technical discipline of cybersecurity and the rest of enterprise risk management.
2. Understand the economic drivers and impact of cyber risk
Boards should receive reporting from management to “define cyber risk appetite in financial terms,” to “give detailed rationales for the organization’s determination of materiality of risk” and use “industry-accepted models for risk quantification.” CISOs and CROs in fact use RiskLens Top Risks analysis functions for exactly these purposes, including setting risk appetite.
3. Align cyber-risk management with business needs
The report advises boards to “require management to integrate cyber-risk analysis into significant business decisions (e.g., launching a new product or publishing an app).” With the comparative analysis functions of RiskLens, risk managers can compare a baseline of current risk to a changed risk environment with a new business initiative.
4. Ensure organizational design supports cybersecurity
“This includes defining clear ownership, authority and key performance indicators (KPIs) among all internal stakeholders.” RiskLens clients frequently use the analysis outputs of the CRQ platform to track risk-related KPIs. Read more about cyber risk dashboards and our API for exporting performance indicators.
5. Incorporate cybersecurity expertise into board governance
“Each member of the management team has a responsibility to understand the impact of cyber risk within her or his remit and can therefore support the board’s effort to develop a holistic view.” RiskLens enables flexible reporting at the line of business level and, through the risk aggregation capabilities of the platform, offers a consolidated view of risk across the organization.
6. Encourage systemic resilience and collaboration
“Ensure that management takes into account risks stemming from the broader industry connections (e.g., third parties, vendors and partners).” RiskLens provides the means to conduct analysis of scenarios across the entire spectrum of risk, from any number of threat actors and vectors, and store the relevant data, to build over time a comprehensive library of board-ready reports. See a relevant blog post: Boards Ask, ‘What’s Our Risk from the SolarWinds Hack?’
Read the WEF report Principles for Board Governance of Cyber Risk for more considered advice to boards, and the CISOs and CROs who report to them.