ISA policy is determined by the board of directors, consistent with ISA’s mission statement, principally through quarterly meetings.
The ISA’s mission is to “integrate advanced technology with economics and public policy to create a sustainable system of cybersecurity.”
This mission applies equally to ISA’s work with government and to its work with the private sector.
ISA’s novel Social Contract approach has, over the past decade, been gradually embraced as the dominant approach to cybersecurity policy by both Republicans and Democrats.
ISA’s unique approach to enterprise cyber policy development has had comparable success in altering the way corporate boards and others address cybersecurity.
GOVERNMENT POLICY – THE CYBER “SOCIAL CONTRACT”
ISA’s government-facing policy is broadly articulated in its “Cyber Security Social Contract” publications (see our three Social Contract publications, published in 2008, 2009 and 2016, respectively).
The ISA’s Cyber Social Contract policy is detailed in the publications linked above but, in essence, the Social Contract articulates a distinctive approach to industry-government relations, one intended to lead to the development and implementation of more effective government policies for promoting sustainable cybersecurity.
When ISA first published the Social Contract in 2008, there were only two prevailing models for industry-government relations on cybersecurity. The first was the laissez-faire approach articulated in the Bush Administration’s National Strategy to Secure Cyberspace (pdf), which suggested that government should have a very limited role in promoting industry cybersecurity, confined largely to awareness programs and some R&D spending. The second was the traditional regulatory model embraced by early proposals during the Obama Administration, such as the Lieberman-Collins bill or the Rockefeller-Snowe legislation. These proposals called for a version of the Sarbanes-Oxley approach applied to cybersecurity: government mandates on industry, with penalties for non-compliance.
ISA’s Social Contract suggested that neither of these approaches would be effective in addressing the growing cybersecurity problem. Instead, ISA argued that we needed a pro-market public policy in which industry and government, which use essentially the same systems, would collaborate (e.g. through NIST) to agree on a set of standards and practices worthy of being promoted on a voluntary basis.
Where, for economic reasons, private entities are precluded from adopting adequate practices, government ought to develop a menu of market incentives (e.g. liability benefits, good-actor preferences, insurance) to make the necessary improvements effective and sustainable.
ISA’s success in promoting these policies is detailed in the “Success Stories” section. In summary, the core of the ISA model has been adopted by the House Republican Cybersecurity Task Force (pdf); by the Obama administration’s principal policy paper on cybersecurity, the “Cyberspace Policy Review” (in which ISA is the first and most frequently cited source); by Executive Order 13636; by the latest update of the National Infrastructure Protection Plan; and by the most impactful substantive piece of legislation enacted by Congress on a bipartisan basis, the Cybersecurity Act of 2015, which uses a market incentive (liability protection) to promote a major cyber best practice (information sharing).
ENTERPRISE POLICY ON CYBERSECURITY
ISA has enjoyed similar success in evolving the way industry, including corporate boards, has begun to understand and address cybersecurity issues.
For many years policymakers have called for greater attention to cybersecurity by corporate boards. However, most previous efforts amounted to attempts to instruct corporate boards in the details of IT. These efforts were, perhaps not surprisingly, unsuccessful.
Starting in 2013, ISA engaged in a partnership with the National Association of Corporate Directors (NACD) to develop an approach to cybersecurity that would “speak in the language of corporate boards.” Rather than diving into the details of IT, ISA contextualized cybersecurity within the issues boards are most comfortable with (innovation, mergers and acquisitions, P/E ratios, etc.) and highlighted the cybersecurity issues boards ought to be addressing in each of these contexts.
In 2014 ISA created for NACD the first “Cyber Risk Handbook” specifically designed for corporate boards. An update was published in 2017—download it here.
It is noteworthy that this Handbook is the only cybersecurity document produced by the private sector to be officially endorsed by both the US Department of Homeland Security and the US Department of Justice. It is by far the most popular publication NACD has offered to its membership, and it has been embraced by multiple industry organizations, including the Chamber of Commerce, the International Association of Auditors, the IT Sector Coordinating Council, the American Bankers Association, and many others.
Most notably, PricewaterhouseCoopers independently assessed the Handbook in its 2016 Global Information Security Survey (pdf) and determined that it had led to multiple significant changes in how boards address cybersecurity, including increased budgets, better risk management, better alignment of cybersecurity with organizational goals, and the creation of a culture of security throughout the entire organization.