Light Dark
July 9, 2018 By Christophe Veltsos 3 min read
Risk Management

“Cybersecurity cannot be guaranteed, but a timely and appropriate reaction can,” noted a recent report from the Directors and Chief Risk Officers Group (DCRO).

The DCRO is made up of over 2,000 board and C-suite officers from more than 100 countries. The council’s two co-chairs have served in several high-profile roles, including commissioner at the Securities and Exchange Commission (SEC), cyber risk consultant for a central bank and other senior advisory positions.

In June 2018, the DCRO released the Guiding Principles for Cyber Risk Governance report. The 12-page report is chock-full of well-written, straight-to-the-point advice — and some warnings — to help board directors and executives understand the critical role they must play in assessing and mitigating cyber risks.

Five Guiding Cyber Risk Governance Principles for Top Leadership

The days of relegating cybersecurity to the IT department are long gone. The DCRO guidelines highlighted the sense of urgency and fiduciary duty that falls squarely on board directors’ shoulders — and warned that an effective cybersecurity program requires an appropriate level of engagement by the board.

The report’s authors organized their insights into five guiding principles to help top leadership improve its level of engagement around cyber risk governance.

1. Cybersecurity as an Enterprise Risk

The first principle calls for a deep understanding of what the organization values most, the types of threats that might target those crown jewels, how those risks affect the business’ bottom line and how they should be handled. The board’s role is to review those plans, ensure they are accurately and appropriately prioritized and grant the security team access to the resources it needs to carry them out. Boards should review risk-transfer options, such as cyber insurance, to ensure they properly understand coverage choices and address any gaps.

The report also stressed that every department — not just IT — is responsible for cyber risk management. It implored IT leaders to conduct frequent training to improve security awareness. Executives should also assess the organization’s preparedness for responding to a data breach by reviewing its business continuity capacity.

2. Holding Management Accountable

Because cybersecurity has become such a high-level issue, directors need to hold management accountable for its cyber risk strategy. This includes how the organization prepares for and responds to a breach, as well as how it measures and improves employees’ cyber awareness. A cyber risk framework can help the organization strive for improved outcomes rather than simply reporting on risk mitigation activities.

This principle requires the chief information security officer (CISO) to have strong communication skills and a penchant for crisis management. In times of high stress, the report noted, “it is far better to have a skillful leader rather than a subject matter expert.”

3. Improving Resilience Through Three Lines of Defense

As cyber risks evolve, the organization’s response must adapt accordingly. Boards should urge management to drop its traditional, prevention-driven approach and start operating under the assumption that the organization has already been breached. This means leveraging threat intelligence and threat modeling; testing defenses and reactions; and practicing what-if scenarios to determine what to do if those fail.

Board directors should also verify the quality of the information they receive from cybersecurity leaders, risk managers and internal auditors. This strategy, called the Three Lines of Defense model, can help executives accurately assess the effectiveness of the organization’s cyber risk management efforts.

4. Vigilance Over Third-Party Cyber Risks

Third-party threats can cause long-term damage to a business — so it’s crucial for security leaders to monitor the activity of external vendors and partners closely.

As a company grows, these relationships create a multitude of new entry points into the IT environment, each of which represents an attack vector. Because these threats are well within the organization’s perimeter defenses, they will likely blend in with legitimate traffic.

5. Building a Culture of Security

Employees are a significant source of risk because they have access to loads of data about customers, contracts and even intellectual property. However, they can also act as the first line of defense — an early warning system, if you will. Of course, there must be an organizational culture of security.

Such an environment must be supported by a continuous learning program and a record of positive interactions between IT leaders and users who take the time to alert them to potential issues. The report also stressed that nobody — not even the C-suite — is exempt from practicing basic cyber hygiene.

A Consistent Message to Board Directors

The DCRO’s recommendations are consistent with other cyber risk governance guidelines, including the National Association of Corporate Directors (NACD)’s “Director’s Handbook on Cyber-Risk Oversight.”

The message is clear across the board: Top leadership must improve its oversight of cyber risk, understand the legal implications of data compromise, review cyber risk reports regularly and measure the effectiveness of the organization’s security strategy continually.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

 |  |  |  |  |  | 
Christophe Veltsos
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

More from Risk Management
November 15, 2024

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

November 13, 2024

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

November 12, 2024

6 Principles of Operational Technology Cybersecurity released by joint NSA initiative

4 min read - Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD SCSC) to…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature