Internet Security Alliance Applauds NIST Notice on Cyber and Enterprise Risk Management

May 18, 2020

Larry Clinton, President and CEO
Internet Security Alliance
(202) 236-0001

The Internet Security Alliance (ISA) filed comments on NISTIR 8286 Integrating Cybersecurity and Enterprise Risk Management today, applauding NIST for moving beyond the traditional techno-centric focus on cybersecurity and helping to build needed bridges between the roles of management and corporate boards in addressing the growing risks from cyber-attacks in a business and economic context.

In February, ISA, in partnership with the National Association of Corporate Directors (NACD), published the 2020 edition of their Cyber-Risk Oversight Handbook for Corporate Boards. ISA President Larry Clinton noted that “boards and management have distinct but complementary roles in building cyber-secure enterprises.

“The Board’s role is to develop strategic goals, provide for adequate resources and oversee management’s efforts within the context of the business plan,” Clinton said. “Management’s role is to successfully implement these strategies at an operational level. A successful cyber-risk management plan must have both board and management elements working together. The NIST filing does an excellent job linking many of the principles directors have articulated as necessary for effective cybersecurity with ERM tactics management should use in implementing the board level principles.”

Clinton said he was particularly impressed with NIST’s articulation of the need for management to address cyber-risk management within the economics of the business plan: “ISA and NACD have long noted that cybersecurity needed to be managed in an economic context and that cyber-risk tactics must be cost effective in order to be sustainable. The NISTIR outlines how management can determine whether the exposure associated with each risk is within the acceptable levels as set by the board. If not, the risk officer should identify cost-effective risk responses to achieve mission, financial, and reputational objectives based on the board’s decision on whether a risk should be accepted, mitigated, or transferred. This is almost the exact wording from the NACD-ISA handbook.”

ISA also applauded NIST for articulating practical methods for conducting the sort of difficult economic/risk management balancing calculations that are required in a world dominated by the need for digital transformation.

“The reality is that in many cases enterprises cannot compete in the world market without accessing digital innovations,” Clinton said. “At the same time, many of the technologies and business practices that drive growth and profitability also can undermine security unless they are carefully evaluated and placed in the context of a secure business plan. The NISTIR, like the NACD-ISA handbook, urges enterprises to utilize the modern models that are being developed to help organizations appropriately balance economic growth and cyber risk.”

ISA, in partnership with NACD and directors’ organizations around the world, has developed a set of principles for enterprises to follow in developing cyber-risk strategies. The NACD-ISA principles have been endorsed by numerous governments, including the U.S. Department of Homeland Security and Department of Justice, and have been validated by PricewaterhouseCoopers.

About ISA

The Internet Security Alliance (ISA) is a trade association with members from virtually every critical industry sector. ISA’s mission is to integrate advanced technology with economics and public policy to create a sustainable system of cybersecurity. ISA pursues three goals: thought leadership, policy advocacy, and promoting sound security practices. In addition to collaborating with NACD and directors’ organizations around the world, ISA’s public policy prescriptions articulated in the “Cybersecurity Social Contract” have been embraced as the model for government policy by both Republicans and Democrats. For more information, visit