Chapter 3 - Structuring for the Digital Age


As digital transformation becomes a business necessity, cyber risks are mounting. Boards at leading organizations are responding by increasingly integrating cybersecurity as a strategic element in their business plans. A natural outcome of this broader understanding of cyber risk has been an evolution in corporate structure, sometimes generated by governmental regulatory oversight and sometimes by innovative business thinking. While the specific structures continue to evolve in ways unique to individual enterprise business plans, some themes seem to be common. These themes include a flatter, less siloed approach that engages a multi-stakeholder group in the discussions on cyber risk and elevates the reporting structure for those responsible for managing cyber risk. Initial research suggests that such structures can both enhance the cyber risk management function and improve business efficiency.

Key Ideas
  • Traditional corporate structures for cybersecurity are inadequate to address modern cyber risk.

  • Research demonstrates that the management of the cybersecurity function will be more effective if it is integrated and encourages communication and flexibility on the issue throughout the enterprise.

  • Management of cyber risk is not solely the responsibility of the IT department within an organization; it should be managed across the enterprise.

  • Organizations need to find the right structure to address their cyber risks based on their size, priorities, and industry. There is no one-size-fits-all structure for the digital age.

  • Non-IT executives will play an important role in leading cybersecurity teams in new structures.
