Four Key Lessons From NACD’s ‘2018 Governance Outlook’ About Managing Cyber Risks

In mid-December 2017, the National Association of Corporate Directors (NACD) published its “2018 Governance Outlook: Projections on Emerging Board Matters” report, designed to highlight key areas of focus for board directors in 2018. It also offered recommendations for improving the management of enterprise risks, including a section dedicated to cyber risks.

Four Key Takeaways From the NACD’s ‘2018 Governance Outlook’

The report — and the underlying NACD Public Company Governance Survey — found that only 49 percent of board directors are confident about management’s ability to effectively handle cyber risks. In the same vein, since there are increasing calls for cyber risks to be integrated within the enterprise risk management (ERM) system, 58 percent said it was important or very important for their boards to improve oversight of risk management in the coming year.

When it comes to cyber risks, there is a lot of room for improvement: Only 12 percent of respondents in the public governance survey said their boards had a “high level of knowledge” of cyber risks. With those numbers in mind, below are four takeaways for board directors from the report:

1. Get Engaged With Strategy and Risk Oversight

Boards should focus on what matters, and that includes organizational strategy and execution, the way risks are managed and keeping a close eye on cyber risks. Since board meetings are often filled with discussions about board composition, compensation, succession and disclosure-related issues, it can be extremely challenging to make time for anything else. However, businesses today are facing heavy turbulence, often resulting in management going from crisis to crisis. In such an environment, directors, with their varied experiences and backgrounds, are best positioned and prepared to spot trends and ensure that management’s actions not only help the company survive today, but also continue to thrive in the future.

Directors know that the buck stops with them, so it should come as no surprise that 71 percent believe their boards must improve their understanding of the risks and opportunities, as well as their impact on performance in the coming year. However, directors also understand that they need to get involved with the development of strategy (67 percent) and improve the way they monitor management’s ability to execute those strategies successfully (also 67 percent). Instead of “reviewing and concurring” with management’s approach, directors are cautioned to be more engaged with both strategy and risk oversight.

Part of that engagement is to “hold executives accountable for providing better intelligence on cyber risk and delivering better results.” It is reckless and unacceptable for a CISO or CIO to report on cyber risks in ways that are not relevant to the CEO and the board.


2. Pay Close Attention to Cyberthreats

One of the key lessons for boards to take away from this report is the need for directors to “implement defense strategies to combat cyberthreats.” Directors are cautioned against continuing a largely passive and disconnected approach to their oversight duties when it comes to cyber risks.

The message appears to have been received: When asked about the top five trends that have the greatest potential impact on their company over the coming year, directors ranked cyberthreats fourth (at 38 percent), below industry changes (58 percent), business model disruptions (46 percent) and global economic changes (46 percent). In fact, cyberthreats ranked well above political uncertainty, technology disruptions, U.S. tax reform and investor activism.

The report noted that cyber risks are likely to remain on board agendas permanently, but also reminded directors of their duty to press for “complete, relevant and timely” assurances on how effective the organization is in identifying, managing and responding to cyber risks. But the days of paying lip service to cyberthreats by reviewing, communicating and doing the bare minimum to avoid fines or pass a yearly compliance audit are long gone. The survival of the organization as a whole is at stake with the current level of threats. If the board isn’t confident in its own ability to fully understand cyber risks, the report urged directors to “add a cyber risk specialist on the board” or employ “outside cybersecurity consultants as board advisors.”

3. Work to Improve Organizational Culture

Directors need to get a clear, unbiased picture of the company’s culture and help shape it appropriately. Since culture is often a key driver of performance, it affects the way the organization interacts with its staff, clients and business partners. As such, it can have a direct impact on the company’s success and the kinds of risks it faces.

Organizational culture is most often described as either risk-seeking or risk-averse. However, the nature of the organization’s security culture should also be part of the board’s overall dashboard metrics on corporate culture. Without a strong culture of security, the organization’s next breach may well come from one of its own employees instead of an external attacker.

4. Ask the Tough Questions

Board directors have a fiduciary duty to oversee cyber risks. They should be able to clearly document the steps and actions they’ve taken to become engaged. When asked about which practices board directors themselves had used, the top four responses were:

  • Looking at the company’s current strategy for protecting its most critical cyber assets (82 percent);

  • Looking at the company’s IT infrastructure to safeguard data (74 percent);

  • Reviewing management’s reporting of cyber risk information and improving the quality of information used to make cyber risk decisions (69 percent); and

  • Looking at the company’s data breach response plan (61 percent).

Because cyberthreats are constantly evolving, board directors need to help management identify and implement a more effective strategic plan for dealing with cyber risks. The report provided six key questions to assist with this endeavor, three of which are listed below:

  • What people, processes and technologies are we currently using to defend our network?

  • What additional resources are needed in people, processes and technologies to limit risk?

  • Are representatives from the security team included in every business planning meeting?

Improving Executive Engagement

As the report noted, “Being ‘secure’ is not a static end state that lends itself to inflexible compliance checklists; it requires a constant evaluation of risk relative to a rapidly evolving cyberthreat landscape.” NACD’s “2018 Governance Outlook” provides good, actionable advice for boards to improve their engagement around strategic risk management and oversight of cyber risks.


Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. Beyond the classroom, Chris is also very active in the security community, engaging with community groups and advising business leaders on how to best manage information security risks.