Although most of the ISA’s “Rethink Cybersecurity” campaign is targeted toward public policy, a rethinking at the corporate level is also required. This morning at the World Economic Forum’s headquarters in Geneva, the three entities, the ISA, the National Association of Corporate Directors (NACD), and the Forum, jointly released global guidance for corporate boards of directors on implementing their oversight responsibilities in addressing cyber risk.
Below is a guest blog from NACD President Peter Gleason, which will run simultaneously on the NACD site.
This new publication (available at) is largely consistent with the NACD-ISA Cyber Risk Handbooks published previously. However, one new principle has been added: Principle six calls on boards to “Encourage systemic resilience and collaboration.” This new principle embodies the movement among the director community toward ESG (Environmental, Social, and Governance) concerns, recognizing cybersecurity as an essential part of maintaining a sustainable digital environment and the need to appreciate cyber risk not merely as entity-specific but also on a systemic basis.
The three parties have also agreed that the document released today will be promoted primarily to a non-US audience. The existing NACD-ISA handbook (Cyber Risk Oversight 2020) will remain the primary handbook for US consumption. While the new document represents a set of consensus principles developed by all three organizations, the NACD-ISA publication is far more detailed than the joint publication with the Forum. For example, the ISA-NACD handbook contains a detailed series of “tool-kits” covering a wide range of specific issues such as insider threats, metrics, and supply chain management, which are not developed to a similar extent in the edition produced with the Forum.
The most important element of this program is that major organizations representing global corporate leadership at the board, senior management, and cybersecurity expertise levels have agreed on a coherent approach to addressing cyber risk. The three sponsoring organizations have also already committed to determining a methodology for empirically testing the precepts embodied in these publications, which will serve as the basis for building out an increasingly coherent model focused on security outcomes rather than regulatory compliance.
NACD, ISA, and World Economic Forum Release Joint Cyber-Risk Principles
By Friso van der Oord, Larry Clinton, and Daniel Dobrygowski
The release today by the World Economic Forum, NACD, and the Internet Security Alliance (ISA) of global principles and metrics for cyber-risk oversight is an important turning point in how cyber risk will be understood.
Historically, cybersecurity has been conceived as a technical issue, and by extension, the management of cyber risk has been shifted down corporate organizational charts to operations personnel. This has led to an almost exclusively technical or operational approach to addressing cyber risk, with the hope that effective cyber-management principles will “bubble up” from the information technology (IT) department.
By almost any measure, that approach has been largely inadequate.
According to the Forum, revenues for cyber criminals this year will total about $2.2 trillion—roughly equivalent to the annual revenues of the United Kingdom. Ransomware premiums have risen from the modest five-figure sums of a couple of years ago to as much as seven-figure sums now. Although the recent systemic attacks on SolarWinds Corp. and Microsoft Exchange Server were executed by nation-states (Russia and China), we know from experience that, like most innovations, the techniques used in these attacks will fairly rapidly diffuse among a wide variety of attackers. Things are going from very bad to much, much worse.
Meanwhile, enterprises have been consciously engaged in digital transformation for several years now. In the early stages of digital transformation, the focus was on using the wonders of the digital age purely as a revenue-enhancing tool. As time went on, however, the dark underside of digital transformation—cyber risk—became apparent. This and the increase in frequency and severity of cyberattacks has prompted leading organizations to appreciate cybersecurity as a strategic business issue that is part of the core business mission and intimately correlated with organizations’ need for digital transformation.
In this construction of cyber-risk oversight, cybersecurity flows downward through the business from the board to senior leadership and across a reimagined organization that treats cyber risk as an enterprise-wide issue. The principles and methodologies the Forum, NACD, and the ISA have produced, in the new paper Principles for Board Governance of Cyber Risk, define a process for how boards and senior managers can implement their respective roles in best addressing growing cyber risks.
The NACD and the ISA have been partnering on cyber-risk oversight handbooks for nearly a decade. Meanwhile, the Forum has been operating its own program through its Centre for Cybersecurity. Happily, the three organizations found that their independent investigations yielded substantially similar conclusions, which have been fairly easily integrated into the list below.
- Cybersecurity is a strategic business enabler.
- Boards need to understand the economic drivers and impact of cyber risk.
- Cyber-risk management needs to be aligned with business needs.
- Enterprises need to ensure organizational design supports cybersecurity.
- Cybersecurity expertise needs to be incorporated into board governance.
- Systemic resilience and collaboration need to be encouraged.
Although the first five principles largely echo previous publications from the three collaborating sponsors, the sixth principle is relatively new. This principle emphasizes that boards must be concerned with more than simply securing themselves and their businesses; in the digital age, modern organizations must appreciate that they are part of a broad and interdependent digital ecosystem. The size and nature of the risk illustrated by recent attacks such as those mentioned above highlight that not only are individual entities under attack, but supply chains and the system itself are subject to attack as well. As a result, collaboration and information sharing are not simply wise policies; they are imperatives, just as environmental, social, and governance issues are. Although cyber risk needs to be addressed from an empirical and economic perspective, the needs of the greater enterprise system must also be included in cybersecurity ethics and practices.
Friso van der Oord is senior vice president of content at NACD. Larry Clinton is president of the Internet Security Alliance. Daniel Dobrygowski is head of governance and trust at the Centre for Cybersecurity at the World Economic Forum.