Chapter 2 - Effective Cybersecurity Principles for Boards of Directors


Cybersecurity is now a serious, enterprise-level risk and strategy challenge. Boards need to continuously assess their effectiveness to address cybersecurity, both in terms of their own fiduciary responsibility as well as their oversight of management’s activities. While the approaches taken by individual boards will vary, the principles in the ISA-NACD Cyber-Risk Handbook, and the several versions adapted for various countries and regions now available around the globe, have been shown to offer a helpful blueprint and timely guidance.

Ultimately, the board’s role is to bring its judgment to bear and provide effective guidance to management, in order to ensure the cybersecurity program is appropriately designed and sufficiently resilient given their company’s strategic imperatives and the realities of the business ecosystem in which it operates.

Key Ideas
  • It is the board of directors’ responsibility to collaborate with the executive team to create a culture of security and effective oversight of executive’s cyber risk management.

  • Cybersecurity is not an IT-centric appendage issue, but rather needs to be woven into the full breadth of business decisions on an enterprise-wide basis.

  • There are a core set of board-level cyber risk principles that constitute a de-facto international standard of appropriate cyber risk oversight.

  • Boards should expect that the executive team will provide both technological and organizational structures that will implement the core principles the board has set.

  • Boards should expect management to be able to assess cyber risk in empirical and economic terms consistent with the business plan.

Combining Technology, Public Policy and Economics to Create a Sustainable System of Cybersecurity


| 703-907-7090


| 2500 Wilson Blvd, #245
Arlington, Virginia 22201


ISA provides cybersecurity expert testimony and thought leadership in government and serves as an expert witness to the press.