In 2020, ISA and the National Association of Corporate Directors (NACD) updated the cyber-risk handbook for boards, “The Cyber-Risk Oversight Handbook 2020”. This edition updates the 2014 and 2016 versions; the handbook was first published in 2014.
This publication has been independently assessed by PricewaterhouseCoopers and shown to dramatically improve enterprise cybersecurity. In 2019, ISA and the NACD were working together to update the Cyber-Risk Handbook to reflect current digital realities, with publication expected in the first quarter of 2020.
Working together, NACD and ISA have produced a unique and successful program that addresses cybersecurity as a board level issue – not simply an IT operational issue.
PricewaterhouseCoopers, in its 2016 Global Information Security Survey, reported on the positive impact the Handbook is having on multiple consensus security metrics. PwC found that:
Guidelines from the National Association for Corporate Directors (NACD) advise that Boards should view cyber-risks from an enterprise-wide standpoint and understand the potential legal impacts. They should discuss cybersecurity risks and preparedness with management, and consider cyber threats in the context of the organization’s overall tolerance for risk.
Boards appear to be listening to this guidance. This year we saw a double-digit uptick in Board participation in most aspects of information security. Respondents said this deepening Board involvement has helped improve cybersecurity practices in numerous ways. It may be no coincidence that, as more Boards participate in cybersecurity budget discussions, we saw a 24% boost in security spending.
Other notable outcomes cited by survey respondents include identification of key risks, fostering an organizational culture of security and better alignment of cybersecurity with overall risk management and business goals. Perhaps more than anything, however, Board participation has opened the lines of communication between the cybersecurity function and top executives and directors.
The “Cyber-Risk Oversight Handbook” is the only private sector publication that has been endorsed by the Department of Homeland Security and the Department of Justice. It has also been endorsed by a wide variety of private sector organizations such as the Chamber of Commerce and the International Auditors Association.
ISA and NACD jointly produce an annual summit meeting on cybersecurity exclusively for corporate boards, where the ISA board members expand on the principles in the Handbook.