“Cybersecurity cannot be guaranteed, but a timely and appropriate reaction can,” noted a recent report from the Directors and Chief Risk Officers Group (DCRO).

The DCRO is made up of over 2,000 board and C-suite officers from more than 100 countries. The council’s two co-chairs have served in several high-profile roles, including commissioner at the Securities and Exchange Commission (SEC), cyber risk consultant for a central bank and other senior advisory positions.

In June 2018, the DCRO released the Guiding Principles for Cyber Risk Governance report. The 12-page report is chock-full of well-written, straight-to-the-point advice — and some warnings — to help board directors and executives understand the critical role they must play in assessing and mitigating cyber risks.

Five Guiding Cyber Risk Governance Principles for Top Leadership

The days of relegating cybersecurity to the IT department are long gone. The DCRO guidelines highlighted the sense of urgency and fiduciary duty that falls squarely on board directors’ shoulders — and warned that an effective cybersecurity program requires an appropriate level of engagement by the board.

The report’s authors organized their insights into five guiding principles to help top leadership improve its level of engagement around cyber risk governance.

1. Cybersecurity as an Enterprise Risk

The first principle calls for a deep understanding of what the organization values most, the types of threats that might target those crown jewels, how those risks affect the business’ bottom line and how they should be handled. The board’s role is to review those plans, ensure they are accurately and appropriately prioritized and grant the security team access to the resources it needs to carry them out. Boards should review risk-transfer options, such as cyber insurance, to ensure they properly understand coverage choices and address any gaps.

The report also stressed that every department — not just IT — is responsible for cyber risk management. It implored IT leaders to conduct frequent training to improve security awareness. Executives should also assess the organization’s preparedness for responding to a data breach by reviewing its business continuity capacity.

2. Holding Management Accountable

Because cybersecurity has become such a high-level issue, directors need to hold management accountable for its cyber risk strategy. This includes how the organization prepares for and responds to a breach, as well as how it measures and improves employees’ cyber awareness. A cyber risk framework can help the organization strive for improved outcomes rather than simply reporting on risk mitigation activities.

This principle requires the chief information security officer (CISO) to have strong communication skills and a penchant for crisis management. In times of high stress, the report noted, “it is far better to have a skillful leader rather than a subject matter expert.”

3. Improving Resilience Through Three Lines of Defense

As cyber risks evolve, the organization’s response must adapt accordingly. Boards should urge management to drop its traditional, prevention-driven approach and start operating under the assumption that the organization has already been breached. This means leveraging threat intelligence and threat modeling; testing defenses and reactions; and practicing what-if scenarios to determine what to do if those fail.

Board directors should also verify the quality of the information they receive from cybersecurity leaders, risk managers and internal auditors. This strategy, called the Three Lines of Defense model, can help executives accurately assess the effectiveness of the organization’s cyber risk management efforts.

4. Vigilance Over Third-Party Cyber Risks

Third-party threats can cause long-term damage to a business — so it’s crucial for security leaders to monitor the activity of external vendors and partners closely.

As a company grows, these relationships create a multitude of new entry points into the IT environment, each of which represents an attack vector. Because these threats are well within the organization’s perimeter defenses, they will likely blend in with legitimate traffic.

5. Building a Culture of Security

Employees are a significant source of risk because they have access to loads of data about customers, contracts and even intellectual property. However, they can also act as the first line of defense — an early warning system, if you will. Of course, there must be an organizational culture of security.

Such an environment must be supported by a continuous learning program and a record of positive interactions between IT leaders and users who take the time to alert them to potential issues. The report also stressed that nobody — not even the C-suite — is exempt from practicing basic cyber hygiene.

A Consistent Message to Board Directors

The DCRO’s recommendations are consistent with other cyber risk governance guidelines, including the National Association of Corporate Directors (NACD)’s “Director’s Handbook on Cyber-Risk Oversight.”

The message is clear across the board: Top leadership must improve its oversight of cyber risk, understand the legal implications of data compromise, review cyber risk reports regularly and measure the effectiveness of the organization’s security strategy continually.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

More from Risk Management

Why Operational Technology Security Cannot Be Avoided

Operational technology (OT) includes any hardware and software that directly monitors and controls industrial equipment and all its assets, processes and events to detect or initiate a change. Yet despite occupying a critical role in a large number of essential industries, OT security is also uniquely vulnerable to attack. From power grids to nuclear plants, attacks on OT systems have caused devastating work interruptions and physical damage in industries across the globe. In fact, cyberattacks with OT targets have substantially…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…

Tech Stack Diversity: Security Benefits and Costs

If your remit protects the information technology estate, you might be tired of the constant fire drills and reminders of upcoming disruptions. The barrage from cybersecurity vendors claiming "we have the solution" is almost equally exhausting. Start here: there is no magic bullet cybersecurity solution. If there was, its inventor would be a gazillionaire and have a list of enemies miles long. However, well-stacked solutions can significantly reduce your risk posture. The key is to place dependability over dependence, reduce…

Moving at the Speed of Business — Challenging Our Assumptions About Cybersecurity

The traditional narrative for cybersecurity has been about limited visibility and operational constraints — not business opportunities. These conversations are grounded in various assumptions, such as limited budgets, scarce resources, skills being at a premium, the attack surface growing, and increased complexity. For years, conventional thinking has been that cybersecurity costs a lot, takes a long time, and is more of a cost center than an enabler of growth. In our upcoming paper, Prosper in the Cyber Economy, published by…