A trio of groups including the Internet Security Alliance has released a report offering “a cohesive, global, cross-border approach to cyber-risk governance” for corporate boards, with six principles that pull together consensus views developed by security and industry leaders in recent years.
“Principles for Board Governance of Cyber Risk” was released today by ISA, the National Association of Corporate Directors and World Economic Forum, in collaboration with PricewaterhouseCoopers. “The work that follows represents the collaborative efforts of that group to shape the principles and supporting practices for boards of directors. Their adoption will strengthen cybersecurity and resilience across organizations and environments,” the groups say in the report.
“These organizations came together to build a set of consensus principles that recognized up-to-date techniques for cyber-risk governance. Building off existing guidance and through an iterative development process, this group developed six consensus principles for cybersecurity board governance,” according to the report.
The six principles are: “Cybersecurity is a strategic business enabler”; “Understand the economic drivers and impact of cyber risk”; “Align cyber-risk management with business needs”; “Ensure organizational design supports cybersecurity”; “Incorporate cybersecurity expertise into board governance”; and “Encourage systemic resilience and collaboration.”
Pulling together the report was “an extensive program” over the past year, involving around 60 people from the participating organizations, ISA president Larry Clinton told Inside Cybersecurity in an interview.
“We found that boards are increasingly adopting a business-oriented rather than a technology-oriented approach to cybersecurity,” Clinton said. “We thought it would be good to pull this all together and see if we could come up with consensus principles.”
Clinton said “visionary corporate boards” are increasingly looking at the sixth principle on the need for collaboration. “Boards should look beyond their own four walls to understand the systemic risks,” he said. Further, “The corporation itself needs to be structured to be digitally sensitive. Cyber needs to be part of the business plan, not an appendage issue, plus consider the whole ecosystem. This is what the leading boards are doing.”
The report cites findings from a recent survey of corporate directors that found a high degree of concern about growing cyber threats and their potential impacts on directors’ businesses.
According to the report’s conclusion: “As part of this body of work, the World Economic Forum, NACD and ISA will continue their shared efforts to enhance boards’ ability to incorporate cyber-risk planning into overall company strategy. Towards that end, our organizations have embarked on an effort to quantify the efficacy of these principles.”
The report says, “What began as an offering of good practices here will soon expand into a research agenda that will help board directors to determine where best to apply their limited time and which aspects of the principles described here are likely to be the most crucial to implement in the shortest time frame. While all of the principles described in this report form the basis of an effective cyber-risk governance regime, soon we will understand what impact adoption of each principle is likely to have.”
Clinton explained that the groups agreed to develop “empirical ways to measure” whether adopting these six principles leads to tangible security results.
“In a couple of years we should be able to analyze whether this theory results in security improvements,” Clinton said. “This would be a first. And frankly this is what they should be doing at a public policy level and they’re not doing it. [Government agencies] come up with a list of things to do and they have no idea whether they work. They should be testing these things.”