“Cybersecurity cannot be guaranteed, but a timely and appropriate reaction can,” noted a recent report from the Directors and Chief Risk Officers Group (DCRO).

The DCRO is made up of over 2,000 board and C-suite officers from more than 100 countries. The council’s two co-chairs have served in several high-profile roles, including commissioner at the Securities and Exchange Commission (SEC), cyber risk consultant for a central bank and other senior advisory positions.

In June 2018, the DCRO released the Guiding Principles for Cyber Risk Governance report. The 12-page report is chock-full of well-written, straight-to-the-point advice — and some warnings — to help board directors and executives understand the critical role they must play in assessing and mitigating cyber risks.

Five Guiding Cyber Risk Governance Principles for Top Leadership

The days of relegating cybersecurity to the IT department are long gone. The DCRO guidelines highlighted the sense of urgency and fiduciary duty that falls squarely on board directors’ shoulders — and warned that an effective cybersecurity program requires an appropriate level of engagement by the board.

The report’s authors organized their insights into five guiding principles to help top leadership improve its level of engagement around cyber risk governance.

1. Cybersecurity as an Enterprise Risk

The first principle calls for a deep understanding of what the organization values most, the types of threats that might target those crown jewels, how those risks affect the business’ bottom line and how they should be handled. The board’s role is to review those plans, ensure they are accurately and appropriately prioritized and grant the security team access to the resources it needs to carry them out. Boards should review risk-transfer options, such as cyber insurance, to ensure they properly understand coverage choices and address any gaps.

The report also stressed that every department — not just IT — is responsible for cyber risk management. It implored IT leaders to conduct frequent training to improve security awareness. Executives should also assess the organization’s preparedness for responding to a data breach by reviewing its business continuity capacity.

2. Holding Management Accountable

Because cybersecurity has become such a high-level issue, directors need to hold management accountable for its cyber risk strategy. This includes how the organization prepares for and responds to a breach, as well as how it measures and improves employees’ cyber awareness. A cyber risk framework can help the organization strive for improved outcomes rather than simply reporting on risk mitigation activities.

This principle requires the chief information security officer (CISO) to have strong communication skills and a penchant for crisis management. In times of high stress, the report noted, “it is far better to have a skillful leader rather than a subject matter expert.”

3. Improving Resilience Through Three Lines of Defense

As cyber risks evolve, the organization’s response must adapt accordingly. Boards should urge management to drop its traditional, prevention-driven approach and start operating under the assumption that the organization has already been breached. This means leveraging threat intelligence and threat modeling; testing defenses and reactions; and practicing what-if scenarios to determine what to do if those fail.

Board directors should also verify the quality of the information they receive from cybersecurity leaders, risk managers and internal auditors. This strategy, called the Three Lines of Defense model, can help executives accurately assess the effectiveness of the organization’s cyber risk management efforts.

4. Vigilance Over Third-Party Cyber Risks

Third-party threats can cause long-term damage to a business — so it’s crucial for security leaders to monitor the activity of external vendors and partners closely.

As a company grows, these relationships create a multitude of new entry points into the IT environment, each of which represents an attack vector. Because these threats are well within the organization’s perimeter defenses, they will likely blend in with legitimate traffic.

5. Building a Culture of Security

Employees are a significant source of risk because they have access to loads of data about customers, contracts and even intellectual property. However, they can also act as the first line of defense — an early warning system, if you will. Of course, there must be an organizational culture of security.

Such an environment must be supported by a continuous learning program and a record of positive interactions between IT leaders and users who take the time to alert them to potential issues. The report also stressed that nobody — not even the C-suite — is exempt from practicing basic cyber hygiene.

A Consistent Message to Board Directors

The DCRO’s recommendations are consistent with other cyber risk governance guidelines, including the National Association of Corporate Directors (NACD)’s “Director’s Handbook on Cyber-Risk Oversight.”

The message is clear across the board: Top leadership must improve its oversight of cyber risk, understand the legal implications of data compromise, review cyber risk reports regularly and measure the effectiveness of the organization’s security strategy continually.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

More from Risk Management

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Worms of Wisdom: How WannaCry Shapes Cybersecurity Today

WannaCry wasn't a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol. As a result, when the WannaCry "ransomworm" hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide. While the discovery of a "kill switch" in the code blunted the spread of the attack and newly…

Why Operational Technology Security Cannot Be Avoided

Operational technology (OT) includes any hardware and software that directly monitors and controls industrial equipment and all its assets, processes and events to detect or initiate a change. Yet despite occupying a critical role in a large number of essential industries, OT security is also uniquely vulnerable to attack. From power grids to nuclear plants, attacks on OT systems have caused devastating work interruptions and physical damage in industries across the globe. In fact, cyberattacks with OT targets have substantially…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…