Advanced Cyber Security Center Report Identifies Need for Board-Level Cyber Risk Management Standard

January 7, 2019

CISO and CIO interviews provide insight into next steps for integrating corporate boards into collaborative cyber defense practices

BOSTON, Mass. January 7, 2019 — The Advanced Cyber Security Center (ACSC) today announced the findings of its first annual effective practice report, “Leveraging Board Governance for Cybersecurity, The CISO / CIO Perspective,” which calls for Boards to be active governance partners in “collaborative cyber defense.” Recognizing that defending against cyber attackers requires collaboration across organizational functions and between organizations, the ACSC report urges Boards to adopt a holistic and dynamic understanding of their organization’s cybersecurity responsibilities and to maintain regular direct access to CISOs and risk officers in conjunction with CIOs and other executives.

Download the ACSC Report: Leveraging Board Governance for Cybersecurity, The CISO / CIO Perspective.

The ACSC report, “Leveraging Board Governance for Cybersecurity,” seeks to create an initial benchmark and method of evaluation for the evolving role of corporate boards in cybersecurity governance, initially through the perspective of Chief Information Security Officers (CISOs), Chief Security Officers (CSOs) and Chief Information Officers (CIOs), the primary networks supported by the nonprofit, member-based Advanced Cyber Security Center (ACSC).

Key findings:

The Board’s Strategic Risk Role: In most cases, the board partnership with management is still “at an early stage” or “maturing” phase in its ability to provide strategic guidance and help guide management’s strategic risk judgments.

Building Board Cyber Expertise: Because most boards do not yet have sufficient expertise in technology or cybersecurity to serve as strategic thought partners on cyber risk, they should recruit board members with broad digital/technology expertise, develop an annual curriculum of cyber briefings, provide ongoing training, and use third party assessments.

Aligning the Board Role and Corporate Structures: CISOs and CIOs should present jointly at board meetings to provide a holistic view of digital strategies and security. Boards as a whole should review cybersecurity more consistently as a business risk; the risk or audit committee should be used for more frequent (at least quarterly) cyber reviews.

Overseeing Cybersecurity and Digital Transformation Budgets: Boards should present digital transformation budgets as a whole, with cybersecurity investments as an element of overall IT-related decisions about where to invest in growth and security.

Developing Cyber Risk Metrics and Measurement: Boards should prioritize and support senior management’s development of a new generation of outcome-based cyber risk management frameworks, and in the meantime, executives should use only a few operational metrics with boards.

“The ACSC report, ‘Leveraging Board Governance for Cybersecurity,’ examines the reality that, for the most part, boards are not in a position to provide strategic guidance on cyber risk,” said Michael Figueroa, Executive Director of the ACSC. “In particular, the ACSC report has identified a need for a risk standard, much like those frameworks that financial and audit risk functions have refined over decades, that would help guide decision making and operations as they relate to cyber risk management.”

Through 20 executive interviews of ACSC member CISOs and CIOs, an online survey of the executives, and interviews with four other experts, the ACSC effective practice report offers a perspective on the current state of board engagement in cybersecurity; describes the benefits and challenges to maturing board engagement; and includes recommendations for model board engagement, all organized around five key elements of a cyber-mature relationship between a corporate board and management that were drawn from the interviews. The report is based on a “focus group” of diverse organizations. It is intended to surface major themes for effective board engagement and through the five key elements create a structure for ongoing assessment of an expanding board role in cybersecurity. Subsequent annual reports will build on this baseline study.

About the Advanced Cyber Security Center

The Advanced Cyber Security Center (ACSC), organized and supported by Mass Insight Global Partnerships, is a non-profit and cross-sector regional collaborative that is focused on building a stronger community defense by harnessing the collective resources of its members to solve common cyber security problems. As a leading federally-registered regional Information Sharing and Analysis Organization (ISAO), the ACSC serves as a security community hub that encourages cross-sector collaboration, taps advanced technology solutions, and promotes effective practices to help organizations strengthen their own cyber defense. At the same time, the ACSC deepens the capacity of the broader cyber community by enabling organizations to collectively address common problems, reduce duplicative effort, and establish a new baseline for security across Massachusetts and the New England regional community.

Joan Geoghegan, Cavalier Communications