In the current climate of increasingly sophisticated cyber attacks that can cripple business operations, expose sensitive data, and damage a company's reputation and market value, the mandate for corporate management teams and boards to adapt and improve their approach to cyber governance has become an imperative. Yet, in 2014, one third of North American firms did not have a Chief Information Security Officer, according to an annual survey by PwC, and the US government did not appoint its first Chief Information Security Officer until 2016. By 2018, many companies still do not have key roles related to cybersecurity, such as CISOs or chief security officers. These statistics, as well as our report on Collaborative Cyber Defense released last year, spurred the ACSC to investigate more deeply the current state of board engagement in cybersecurity. As a result, we are pleased to share our report, Leveraging Board Governance for Cybersecurity: The CISO/CIO Perspective, produced for the ACSC by Mass Insight Global Partnerships. The report can be downloaded via the link to the full report.
Collaborative Defense Critical to Cyber Resilience
As the ACSC reported last year in our study on Collaborative Cyber Defense, conducted with assistance from Mass Insight and in conjunction with research partner McKinsey & Company, there is a widening gap between offensive and defensive capabilities. Closing this gap requires collaboration both cross-functionally within an organization and with external organizations. The ongoing digital transformation we see across organizations in all sectors (implementation of new technologies and IT platforms; reliance on cloud services and cloud-based vendors; the move to mobile and the Internet of Things (IoT), with vastly increased numbers of connected devices) is creating more complexity and new challenges for institutions seeking to manage their cyber risk. As more and more companies accelerate their digital transformations to drive growth through innovation and to improve efficiency and reduce costs, corporate boards need far more expertise in digital risk and security, and they will require new risk frameworks to manage the strategic tension between digital innovation and organizational cybersecurity risk.
Strong Partnership Between Board and Management Supports Cyber Maturity Growth
ACSC member CISOs and CIOs representing organizations from a range of sectors, along with four outside experts, shared perspectives that painted a common picture of board engagement centered on the board-management relationship. Five key elements emerged as significant opportunities for management to work with boards to move forward through the stages of cyber maturity:
The Board's Strategic Risk Role: the board's approach to cybersecurity should be strategic and risk-focused, with an understanding of how cyber operations function within the overall business context.
Building Board Cyber Expertise: a board should have a baseline knowledge of both digital strategy and cybersecurity challenges in order to fulfill its role of risk oversight and governance.
Aligning the Board Role and Corporate Structures: boards need to understand the organization's cybersecurity responsibilities and to establish a clear ownership structure for receiving cyber updates and reviewing digital strategies and risk.
Overseeing Cybersecurity and Digital Transformation Budgets: boards should understand how security investments and broader IT and technology commitments intersect, by reviewing a multi-year strategic IT plan that includes transformation budgets.
Developing Cyber Risk Methods and Frameworks: boards should prioritize the development of next-generation, outcome-based cyber-risk frameworks that align risk with investment.
For each key element we identified findings and recommendations designed to help frame a board's journey toward cyber maturity and to support new risk frameworks that strengthen both management's oversight of cybersecurity and the board's cybersecurity governance. A comprehensive overview of each key element is available in the full report. Members of the ACSC also have exclusive access to the sample board briefings mentioned in the report, provided by some of the executive participants in the study.
As a member-driven information-sharing organization, the ACSC looks to our members to engage with us in developing research on the topics they believe are important to improving the collaborative approach to cyber defense. The Leveraging Board Governance for Cybersecurity report is just one example of how valuable this approach can be and of what we accomplish through the annual investment of ACSC members. A special thanks to the member organizations that participated in the study and to all who support our ongoing efforts to establish a new baseline for cybersecurity.