ISA’s mission is to integrate advanced technology with economics and public policy to promote a sustainably secure cyber system. The ISA board consists of cyber leaders (typically CISOs) from virtually every critical industry sector. Over 20 years, ISA has created a comprehensive theory and practice for cybersecurity covering both enterprise risk management and government policy.
ISA’s consensus principles and practices, developed in collaboration with the National Association of Corporate Directors (NACD) and the World Economic Forum, are the foundation of this program and are contained in ISA’s numerous Cyber Risk Handbooks. These handbooks are the only set of cybersecurity best practices that have been independently assessed and found to generate significant security outcomes. A 2014 PWC review found that organizations that use these handbooks had better risk management, closer alignment of cybersecurity with business goals, and an improved culture of security. A 2022 MIT study found “organizations following the consensus principles are predicted to have 85% fewer incidents,” and “can significantly improve their cyber resilience without raising costs.”
There are now 7 editions of the handbook, in 5 languages, available on 4 continents. The ISA board adapts the handbooks in collaboration with business and government organizations from around the world. This list includes the NACD, World Economic Forum, DHS, FBI, the European Conference of Directors Associations, the German Federal Office of Information Security, the Organization of American States, the Japanese Federation of Businesses, and the Association of Governing Boards. Australian and Arabic editions of the handbook are under development.
In 2022, the ISA expanded the use of the consensus principles in its new book, Cybersecurity for Business (C4B). This book defines management practices to implement an enterprise-wide approach to cybersecurity, with specific roles for departments such as HR, legal, audit, supply chain, and emergency management. C4B spent 8 weeks leading Amazon’s top new releases for risk management and is already in use at major institutions of higher learning such as Wharton, Columbia, NYU, Indiana University, and the University of Maryland.
ISA has also been a thought leader in cyber public policy. ISA’s Cybersecurity Social Contract defines a market-based, as opposed to regulatory, approach to cyber policy. It was the first and most often cited source in President Obama’s Cyber Space Policy Review and the basis for Executive Order 13636, which initiated the NIST Cybersecurity Framework. ISA was also the first witness called by the GOP Cybersecurity Task Force, which endorsed the Social Contract’s recommendation to develop market incentives, as opposed to regulations, for cybersecurity. That effort was the basis for the 2016 legislation creating liability incentives to spur additional information sharing. In 2022, ISA’s proposal to create a national, virtual cybersecurity Academy to address the cyber workforce issues was included in the National Defense Authorization Act.
In 2023, ISA will publish a new policy book, Fixing American Cybersecurity (foreword by CISA Chief of Staff Kiersten Todt), based on ISA’s “RE-Thinking Cybersecurity” social media campaign, which won three national awards from Campaigns and Elections. ISA’s non-partisan legislative advocacy is based on aligning written policies produced by the ISA board with 280 cybersecurity-specific profiles of Members of Congress/Senate/Administration with cybersecurity jurisdiction.