January 11, 2018 By Christophe Veltsos 4 min read

In mid-December 2017, the National Association of Corporate Directors (NACD) published its “2018 Governance Outlook: Projections on Emerging Board Matters” report, designed to highlight key areas of focus for board directors in 2018. It also offered recommendations for improving the oversight of enterprise risks, including a section dedicated to cyber risks.

Four Key Takeaways From the NACD’s ‘2018 Governance Outlook’

The report — and the underlying NACD Public Company Governance Survey — found that only 49 percent of board directors are confident about management’s ability to effectively handle cyber risks. In the same vein, since there are increasing calls for cyber risks to be integrated within the enterprise risk management (ERM) system, 58 percent said it was important or very important for their boards to improve oversight of risk management in the coming year.

When it comes to cyber risks, there is a lot of room for improvement: Only 12 percent of respondents in the public governance survey said their boards had a “high level of knowledge” of cyber risks. With those numbers in mind, below are four takeaways for board directors from the report:

1. Get Engaged With Strategy and Risk Oversight

Boards should focus on what matters, and that includes organizational strategy and execution, the way risks are managed and keeping a close eye on cyber risks. Since board meetings are often filled with discussions about board composition, compensation, succession and disclosure-related issues, it can be extremely challenging to make time for anything else. However, businesses today are facing heavy turbulence, often resulting in management going from crisis to crisis. In such an environment, directors, with their varied experiences and backgrounds, are best positioned and prepared to spot trends and ensure that management’s actions not only help the company survive today, but also continue to thrive in the future.

Directors know that the buck stops with them, so it should come as no surprise that 71 percent believe their boards must improve their understanding of the risks and opportunities, as well as their impact on performance in the coming year. However, directors also understand that they need to get involved with the development of strategy (67 percent) and improve the way they monitor management’s ability to execute those strategies successfully (also 67 percent). Instead of “reviewing and concurring” with management’s approach, directors are cautioned to be more engaged with both strategy and risk oversight.

Part of that engagement is to “hold executives accountable for providing better intelligence on cyber risk and delivering better results.” A CISO or CIO who reports on cyber risks in terms that are not relevant to the CEO and the board, in business and financial terms rather than technical ones, is not giving directors the intelligence they need to exercise oversight.


2. Pay Close Attention to Cyberthreats

One of the key lessons for boards to take away from this report is the need for directors to “implement defense strategies to combat cyberthreats.” Directors are cautioned against continuing a largely passive and disconnected approach to their oversight duties when it comes to cyber risks.

The message appears to have been received: When asked about the top five trends with the greatest potential impact on their company over the coming year, directors ranked cyberthreats fourth (at 38 percent), behind industry changes (58 percent), business model disruptions (46 percent) and global economic changes (46 percent). Cyberthreats ranked well above political uncertainty, technology disruptions, U.S. tax reform and investor activism.

The report noted that cyber risks are likely to remain on board agendas permanently, but also reminded directors of their duty to press for “complete, relevant and timely” assurances on how effective the organization is in identifying, managing and responding to cyber risks. But the days of paying lip service to cyberthreats by reviewing, communicating and doing the bare minimum to avoid fines or pass a yearly compliance audit are long gone. The survival of the organization as a whole is at stake with the current level of threats. If the board isn’t confident in its own ability to fully understand cyber risks, the report urged directors to “add a cyber risk specialist on the board” or employ “outside cybersecurity consultants as board advisors.”

3. Work to Improve Organizational Culture

Directors need to get a clear, unbiased picture of the company’s culture and help shape it appropriately. Since culture is often a key driver of performance, it affects the way the organization interacts with its staff, clients and business partners. As such, it can have a direct impact on the company’s success and the kinds of risks it faces.

Organizational culture is most often characterized as either risk-seeking or risk-averse. However, the nature of the organization’s security culture should also be part of the board’s overall dashboard metrics on corporate culture. Without a strong culture of security, the organization’s next breach may well originate with one of its own employees, through carelessness or malice, rather than with an external attacker.

4. Ask the Tough Questions

Board directors have a fiduciary duty to oversee cyber risks, and they should be able to clearly document the steps they have taken to become engaged. When asked which oversight practices they had used, the top four responses among directors were:

  • Looking at the company’s current strategy for protecting its most critical cyber assets (82 percent);

  • Looking at the company’s IT infrastructure to safeguard data (74 percent);

  • Reviewing management’s reporting of cyber risk information and improving the quality of information used to make cyber risk decisions (69 percent); and

  • Looking at the company’s data breach response plan (61 percent).

Because cyberthreats are constantly evolving, board directors need to help management identify and implement a more effective strategic plan for dealing with cyber risks. The report provided six key questions to assist with this endeavor, three of which are listed below:

  • What people, processes and technologies are we currently using to defend our network?

  • What additional resources are needed in people, processes and technologies to limit risk?

  • Are representatives from the security team included in every business planning meeting?

Improving Executive Engagement

As the report noted, “Being ‘secure’ is not a static end state that lends itself to inflexible compliance checklists; it requires a constant evaluation of risk relative to a rapidly evolving cyberthreat landscape.” NACD’s “2018 Governance Outlook” provides good, actionable advice for boards to improve their engagement around strategic risk management and oversight of cyber risks.
