In 2014, ISA and the National Association of Corporate Directors (NACD) published the first “Cyber-Risk Handbook.” This publication has been independently assessed by PricewaterhouseCoopers and shown to dramatically improve enterprise cybersecurity.
We issued a significantly updated version in 2017. Download it from our website here.
Working together, NACD and ISA have produced a unique and successful program that addresses cybersecurity as a board level issue – not simply an IT operational issue.
PricewaterhouseCoopers in its 2016 Global Information Security Survey (pdf) reported on the positive impact the Handbook is having on multiple consensus security metrics. PWC found that:
Guidelines from the National Association for Corporate Directors (NACD) advise that Boards should view cyber-risks from an enterprise-wide standpoint and understand the potential legal impacts. They should discuss cybersecurity risks and preparedness with management, and consider cyber threats in the context of the organization’s overall tolerance for risk.
Boards appear to be listening to this guidance. This year we saw a double-digit uptick in Board participation in most aspects of information security. Respondents said this deepening Board involvement has helped improve cybersecurity practices in numerous ways. It may be no coincidence that, as more Boards participate in cybersecurity budget discussions, we saw a 24% boost in security spending.
Other notable outcomes cited by survey respondents include identification of key risks, fostering an organizational culture of security and better alignment of cybersecurity with overall risk management and business goals. Perhaps more than anything, however, Board participation has opened the lines of communication between the cybersecurity function and top executives and directors.
The “Cyber-Risk Oversight Handbook” is the only private sector publication that has been endorsed by the Department of Homeland Security and the Department of Justice. It has also been endorsed by a wide variety of private sector organizations such as the Chamber of Commerce and the International Auditors Association.
ISA and NACD jointly produce an annual summit meeting on cybersecurity exclusively for corporate boards, where the ISA board members expand on the principles in the Handbook.
In April 2018, ISA and NACD will host a Global Summit on Cybersecurity for corporate boards in Geneva. The goal of this event is to create a coherent approach to cybersecurity based on the Handbook’s principles but adapted to unique environments outside the United States. Starting in 2017, the ISA will hold events in the United Kingdom and Germany to prepare local versions of the handbook.