By Larry Clinton
At last week’s RSA Conference, the National Association of Corporate Directors (NACD) in partnership with the ISA published Cyber Risk Oversight 2020: Key Principles and Practical Guidance for Corporate Boards.
This is the third in a series of cyber-risk handbooks ISA and NACD have partnered on since 2014, and like the previous editions, the 2020 version is supported by both the Department of Homeland Security and the Department of Justice, which each supplied substantial content from the government perspective. The newest edition is a substantially updated and upgraded version with the latest data, best practices, and more detailed guidance on the five core principles boards should consider adopting in their governance of enterprise cybersecurity.
The content is largely created by the ISA board of directors, who personally constructed much of the material based on their own extensive experience. This was then analyzed and integrated by senior NACD staff to create the most sophisticated version of the handbooks ever.
Today we will begin producing a series of blogs to briefly outline key elements of the new edition, starting with the very first principle for board cyber-risk oversight, namely understanding that cybersecurity is not an IT issue. It is an enterprise-wide risk management issue.
While this principle may seem obvious to many in the cyber field, it represents a substantial departure from the traditional way most enterprises, and boards of directors, have understood and treated the issue. Historically if boards received a report on cybersecurity at all it would almost always be an “IT” report delivered by the CIO or maybe a CISO in technical jargon discussing the network, its vulnerabilities, and perhaps some information on attacks and mitigation. All too often there was limited, or no linkage to the business goals or the rest of the enterprise and very limited discussion.
Going back to the very first edition of the NACD/ISA handbooks, there was a conscious effort to correct this approach. Instead of demanding that the boards learn the cyber lingo, the NACD/ISA approach was to locate cybersecurity within the business issues boards wanted to discuss. The initial books raised questions like: What are the cybersecurity issues when the firm is innovating a new product which demands a new supply chain? What are the cybersecurity issues when the firm is considering a merger or acquisition? What are the cybersecurity issues involved in entering a new market or creating new strategic partnerships? In short, these handbooks don’t require tech-talk, they use business talk.
As time has gone on, this principle has only become increasingly apparent, a fact that is reflected in the new edition. In an era where business competitiveness, and even survival, will require acquiring and using a wide range of digital technologies and associated business practices, boards must weigh the benefits of this digital transformation with attendant cyber risk. Moving to the cloud, using AI and mobile technology, or adopting business practices such as long international supply chains and BYOD all have the capacity to drive critical cost-effectiveness. At the same time all these technologies can dramatically undermine cybersecurity with the attendant risk to personal data, intellectual property and enterprise reputation.
At this point a foundational question for boards as they set enterprise strategy and assess their risk appetite is how to balance the requirement for aggressive digital transformation with the massive risk of inadequate cybersecurity.
Implementing this calculation (a process described in the successive principles and the associated toolkit) requires that boards understand that cyber cannot be considered in isolation. The entire enterprise including HR, legal, PR, finance, and of course, IT and others, as well as the ecosystem created by virtually ubiquitous Internet interconnection all needs to be part of the calculation.
As such, while cybersecurity obviously has a foundational operational aspect, it is not, from the board’s perspective, simply an operational issue. Cybersecurity is now a strategic issue, and boards of directors need to re-think, and possibly re-engineer the enterprise in accord with these realities of the digital age, consistent with this principle.