The Board Cyber Risk Oversight Problem
Last week, I discussed integrating cybersecurity risk into enterprise risk management using the COSO framework. As a reminder, COSO has five guiding principles--the first of which is governance and culture.
Governance and culture are foundational to both an effective cybersecurity program and an effective ERM program. For us, governance and culture establish oversight and the cybersecurity risk tolerance for your organization.
Your treatment of risk starts here!
Only after establishing an ERM can you begin to treat cybersecurity risk from a strategical versus tactical “fire-fighting” level. Board Directors operate at the strategic macro level not the tactical micro level.
The five COSO principles for building governance and culture are:
1) Exercise Board Risk Oversight
2) Establish Operating Structures
3) Define Desired Culture
4) Demonstrate Commitment to Core Values
5) Attract, Develop and Retain Capable Individuals
This week, I will discuss the how cybersecurity fits into the first principle, “Exercise Board Risk Oversight”.
Board-level governance over cybersecurity risk entails keeping tabs on your organizations’ cybersecurity program, strategy, and performance.
AGAIN… Think strategically not tactically.
Board leaders don’t neeed, or even want, to know HOW--just WHAT and WHY. They need answers!
Now days, Boards worry about adequately disclosing cyber risk. They are even more concerned with cyber incident disclosures that may have a material impact on the company’s financials.
Have you ever been asked the question, “Are we secure?”
You and I know that is an impossible question to answer; however, the reality is that Board leadership asks that question and needs the answer because they are now accountable for reporting a breach and THEIR SOLUTION to such breach and show they have an understanding of company cybersecurity initiatives.
I am in my mid-fortes.
I’ve been specializing in cybersecurity for over 20 years.
I grew up during the rise of the Internet, and even I have a hard time keeping up with technology innovation and the ever-changing threat landscape.
The stereotypical corporate director does not stand a chance. Corporate boards continue to seek out external advisors to help “bridge the gap”. There is no reason why you cannot be that bridge.
Here are four things you can do.
Pick a framework, any framework that aligns with your organizational requirements and risk appetite against which to baseline your program.
The framework could be something like the NIST Cybersecurity Framework, ISO 27001 or IEC 62443 if you happen to work with operational technologies.
I’ve seen too many CISOs get wrapped around this axle and give too many solutions. Boards want your leadership and answer—not a multiple-choice rank ordered list.
Once you have the framework, THEN implement the next STEP.
Benchmark your cybersecurity program’s maturity and compare it to the organization’s peers using the framework you selected.
Board leaders want to know how their company stacks up against industry peers. They will use your benchmark to both better understand and inform others of the organization’s risk status and appetite.
Don’t be “chicken little.” Fear, uncertainty, and doubt (FUD) will get you nowhere.
Those “qualities” will ruin your credibility and give Board leadership a reason to keep you out of that room.
Say what you do and do what you say.
The money is in the follow-up. If there is a significant deviation in your strategy, between your last update and your next board update, contact the Board if you can. You may or may note be able to do so, but ALWAYS be transparent. Be prepared with an explanation that you back with facts and be prepared with your SOLUTION.
More often than not, Board leadership thinks of YOU and I as techno-nerds who they don’t want to understand. Break it down for them, bridge the gap, and become their GO-TO resource that they trust and can’t wait to see because YOU have the ANSWER to their problem.
Next week, I’ll talk about the 2nd COSO point under governance and culture -- establishing operating structures.
As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we’ll set something up.