Boards Should Prepare For Increased Regulatory Scrutiny
The nonprofit Advanced Cyber Security Center is proud to announce the release of its newest report, Leveraging Board Governance For Cybersecurity, Front Line Perspectives on How to Improve the Board / C-Suite Partnership, for wider availability outside the ACSC membership.
With new regulations raising the stakes for boards to demonstrate active governance of cybersecurity, this second report on the board’s cyber risk governance role includes a special section outlining the board’s three primary responsibilities and five topics with sample questions for which management should prepare.
The report was produced for the ACSC by Mass Insight Global Partnerships. Based on 27 in-depth interviews with CISOs, risk officers, legal counsels, board members and board advisors and two focus groups, three of five framing elements from our 2018-19 report, have been updated to reflect what has changed four years forward:
The Board’s Strategic Risk Role
Strategic Risk Frameworks & Metrics
The Evolving CISO Role, Management Structures & Board Governance
Each of these topics is worthy of debate and discussion. To that end, we’ll focus on The Board’s Strategic Risk Role here, followed by additional blogs on other topics.
Key findings from the report on the board’s strategic risk role include:
There has been progress in board cyber risk governance in the four years since our earlier report, but a disconnect remains between boards and management on cybersecurity governance.
While CISOs made the case four years ago that it should be an embedded topic in board strategic business risk reviews, cybersecurity is still largely in a “separate box” on board agendas, with insufficient time devoted to support a mature board risk governance role.
While there are examples of more mature board relationships among ACSC members, there were only a few cases cited where the board affected the organization’s security posture, programs or strategic decisions.
Board members and advisors expressed deep concerns over both board capacity for cybersecurity governance and management’s presentation of issues in the language of financial and business risk.
Our report offers invaluable insights for board members seeking to elevate their cybersecurity governance practices. From the evolving role of the CISO to integrating cyber risk into business strategies, the report sheds light on critical agendas for management and boards.
As regulatory bodies tighten their reins and the digital landscape evolves rapidly, it's time to shift cybersecurity from the periphery to the center of boardroom discussions. For a comprehensive understanding of the current landscape, challenges, and solutions, download and read the full report here.