Internet Security Alliance Top 25 Highlights of 2019

January 6, 2020


  • ISA Board Completes Update of National Association of Corporate Directors (NACD) Cyber Risk Handbook. ISA is the exclusive partner association for the NACD handbook. This will be the third edition of the handbook, which ISA updates every three years; it contains multiple new sections. It is the only set of such practices that has been independently assessed and shown to improve organizational cyber risk management, and it is the most popular document NACD publishes.
  • US Department of Justice (DOJ) Endorses Cyber Risk Handbook written by ISA board and published by National Association of Corporate Directors.
  • US Department of Homeland Security (DHS) endorses Cyber Risk Handbook written by ISA board and published by National Association of Corporate Directors.
  • Head of the German Federation’s Office of Information Security (BSI), Arne Schönbohm, is guest of honor at special ISA Salon dinner. In 2018 BSI cosponsored a German adaptation of the Cyber Risk Handbook, and Mr. Schönbohm requests that ISA agree to update the German edition on a similar basis as ISA has updated the NACD editions.
  • ISA, NACD, DHS and BSI are asked to develop a special session on how governments and senior executives can work together both domestically and internationally on enhancing cyber security, which will be presented at the nation’s most prestigious cyber security conference, hosted by RSA in San Francisco.
  • ISA initiates a new line of research activity in coordination with the DHS’s Cyber Risk Management Initiative in Economics (CYRIE) and the Cybersecurity Infrastructure and Security Agency (CISA) by submitting several research proposals consistent with the ISA Cyber Security Social Contract to DHS.
  • DHS asks ISA to prepare detailed subsequent stages of the ISA proposal studying systemic cyber risk. This project, to be led by AIG and SSIC but involving the entire ISA board, would be the largest and most sophisticated study on systemic cyber risk conducted to date. DHS subsequently requests that ISA conduct a substantive webinar on the proposal and is considering a final application to fund a partnership with ISA and DHS on systemic cyber risk.
  • Acting in his capacity as industry co-chair of the Policy Leadership Working Group appointed by DHS Assistant Secretary for Cybersecurity Jeanette Manfra, ISA President Larry Clinton presents the findings of the “Collective Security Working Group” White Paper to the Federal Reserve Bank conference in Boston.
  • The Organization of American States publishes the Spanish edition of the Cyber Risk Handbook for Corporate Boards. ISA sponsors Bunge and FIS assist in translating the Spanish version into Portuguese (meaning the Handbook is now translated into 4 languages) and in facilitating coverage of the entire continent. ISA and OAS jointly release the South American Handbooks as ISA provides the keynote for the OAS International Conference on Cyber Security.
  • European Conference of Corporate Directors (ecoDa) requests ISA collaborate on an EU region-wide version of the Cyber Risk Handbook, again based on the core Principles identified in the NACD version. In 2018 ISA produced handbooks for the EU and Germany; this edition would attempt to reach the other EU countries. ISA followed the OAS model of in-region workshops (including a full-day workshop with the ecoDa board) and international webinars, and completes the handbook in December 2019. ecoDa intends to publish early in 2020.
  • Japanese Federation of Business (the JFB is the Japanese version of the Chamber of Commerce) requests ISA to collaborate to develop a Japanese version of the Cyber Risk Handbook, again based on the core Principles identified in the NACD version. Working primarily with JFB, a Japanese version is finished in Quarter 3 of 2019. ISA is now helping to produce Cyber Risk Handbooks for corporate boards in 5 languages and on 4 continents with local industry, and often government, support.
  • ISA signs MOU with Communication and Multi Media Association of India (CMAI) and Telecom Equipment Manufacturers Association of India (TEMA) to develop a cyber risk handbook for Indian Boards of Directors. Expected publication year is 2020.
  • ISA board members assist in teaching a graduate-level class in cyber security at the Wharton School, University of Pennsylvania. In 2019, the section on insider threats was taught by Gary McAlum, Chief Security Officer for USAA, and Adrian Peters, Chief Information Security Officer at the Bank of New York Mellon; the Supply Chain section was taught by Lisa Humbert, Operational Risk Officer of the Americas at Bank of Tokyo Mitsubishi, MUFG, and Tim McKnight, Chief Security Officer for SAP; the section on incident response was taught by Nasrin Rezai, Global Chief Information and Product Cybersecurity Officer for General Electric, and Greg Montana, Chief Security Officer for FIS Global; and the section on using economics-based cyber risk management analytics and metrics was taught by Bob Vescio, Chief Analytics Officer for Secure Systems Innovation Corporation, and Garin Pace, Cyber Product Leader – Financial Lines and Property for AIG.
  • ISA taught a series of Master Classes on the Economics of Cybersecurity for the National Association of Corporate Directors in Chicago, Los Angeles, Austin, Texas, and Buford, South Carolina. ISA also guest lectured at a range of universities including Syracuse, Marymount, and NYU.
  • At DHS’s Annual Cybersecurity Summit, ISA President Clinton, NACD CEO Peter Gleason, and DHS Assistant Director for the Cybersecurity Infrastructure and Security Agency (CISA) Daniel Kroese were asked to conduct a special session on collaboration between top corporate and government personnel to promote collective cyber security.
  • ISA collaborated with the Director of the National Risk Management Agency in DHS, Bob Kolasky, on the Center’s first outreach to the private sector in New York City.
  • At the request of the US Department of Commerce, ISA conducted a special webinar for Commerce Department staff, both domestically and internationally, on the economics of cyber security and how it affects cyber risk assessment methods for the public and private sector.
  • ISA developed a relationship with the New Democratic Caucus (approximately 100 moderate Democratic Members led by Congressman Derek Kilmer in the House of Representatives) to design a series of modest but important bills on cyber security that Caucus members could champion and achieve bipartisan support, enabling passage even in the current highly contentious political environment.
  • ISA has developed a relationship with the National Association of State Chief Information Officers to create a state government-industry coalition to press for regulatory streamlining for cyber security, as both the state CIOs and industry are being hurt by the current redundant and uncoordinated cyber regulatory environment.
  • ISA, in conjunction with sponsors AIG and SSIC, conducts a main stage interactive course in the evolution of economic and empirical cyber risk assessment methods at the National Association of Corporate Directors Annual Global Conference in Washington DC.
  • ISA accepts offer from NACD to co-host a conference on cybersecurity for corporate boards to be held in Washington DC in spring of 2020. This will be the fourth cybersecurity conference ISA has co-hosted with NACD and will be built around the Cyber Risk Handbook ISA has partnered with NACD on creating.
  • As part of the new three-year plan (2020-2022), negotiations have begun with the World Economic Forum (WEF) to develop a partnership that will merge the ISA/NACD Cyber Risk Principles with those developed by WEF and develop scenarios for testing the use of these Principles by corporate boards and their effectiveness.
  • As part of the new three-year plan (2020-2022), negotiations have begun with the Association of Governing Boards (AGB), which represents the Boards of Trustees for America’s colleges and universities. AGB has requested that ISA assist them in creating a version of the Cyber Risk Handbook designed for college and university boards of trustees, and ISA has suggested a collaboration enabling the dissemination of these NACD Principles in cybersecurity courses taught at these colleges and universities, possibly beginning with a textbook built around the NACD model.
  • As part of the new three-year plan (2020-2022), negotiations have begun with the NACD to design a certification program in cyber security for corporate boards. The cyber certification would be integrated into the overall board of director certification program NACD is launching.
  • ISA Board achieves its maximum capacity of 25 sponsors. The board reaffirms its desire to limit ISA board membership to 25 with a special provision that would allow the board to add up to 5 additional members with approval of the Executive Committee.