This is the second in the ACSC’s blog series expanding upon our 2019 report: “Leveraging Board Governance for Cybersecurity: The CISO/CIO Perspective.”
Organizations know that cyber expertise is not always easy to come by. Less often discussed is how far up the ranks of leadership that shortage extends. For example, our recent research report indicates that there “is a shortage of individuals with the right cyber background available to serve on boards.”
The report, “Leveraging Board Governance for Cybersecurity: The CISO/CIO Perspective,” conducted by Mass Insight Global Partners in partnership with the ACSC, discusses five key areas for boards to focus on. One area is the need to improve the cyber knowledge base at the board level.
Several issues for boards to consider include how to:
- Spark a two-way conversation with their in-house cyber expertise
- Incorporate audit and risk committees in cyber discussions
- Educate and/or find members who can bring a cyber perspective to decision-making
- Develop a roadmap for an organization to improve cyber resiliency
As one cyber executive said, boards “need to know the vocabulary and the framework, what’s important and what is not, where to focus.”
You can read the details of all five elements of board governance by downloading our full report.
There is a model for boards to follow that can help expedite the process. They can look back two or three decades to when boards first brought on technology experts. Just as the CISO is a relatively new role today, CTOs and CIOs did not exist before the 1980s. As those technology roles became integral to organizations, boards adjusted through acknowledgment, education, and integration of technology issues into the overall business landscape. The same process is happening today as cybersecurity transforms technology management and governance. Leaders can look to their own past for ways to incorporate cyber risks as new business concerns.
“The ACSC report has identified a need for standards, much like those frameworks that financial and audit risk functions have refined over decades, that would help guide decision making and operations as they relate to cyber risk management.”
Cybersecurity is quickly becoming a very complex business concern. Cyber attacks are getting more sophisticated and frequent, liability and regulation more fragmented, and supply chains more diverse. Cyber risk management must take a more central role in overall business planning. As such, boards need to adjust to their role in improving cyber resiliency.
In acknowledgment of the current landscape, the ACSC convenes quarterly CISO roundtables, open to all business executives of member organizations and invited guests, to discuss ways to improve cyber resiliency and lead their organizations. Our research efforts will also continue, and we invite the New England community to join our members at ACSC’s Annual Conference in November in being the first to hear our updated findings.