July 9, 2018 By Christophe Veltsos 3 min read

“Cybersecurity cannot be guaranteed, but a timely and appropriate reaction can,” noted a recent report from the Directors and Chief Risk Officers Group (DCRO).

The DCRO is made up of over 2,000 board and C-suite officers from more than 100 countries. The council’s two co-chairs have served in several high-profile roles, including commissioner at the Securities and Exchange Commission (SEC), cyber risk consultant for a central bank and other senior advisory positions.

In June 2018, the DCRO released the Guiding Principles for Cyber Risk Governance report. The 12-page report is chock-full of well-written, straight-to-the-point advice — and some warnings — to help board directors and executives understand the critical role they must play in assessing and mitigating cyber risks.

Five Guiding Cyber Risk Governance Principles for Top Leadership

The days of relegating cybersecurity to the IT department are long gone. The DCRO guidelines highlighted the sense of urgency and fiduciary duty that falls squarely on board directors’ shoulders — and warned that an effective cybersecurity program requires an appropriate level of engagement by the board.

The report’s authors organized their insights into five guiding principles to help top leadership improve its level of engagement around cyber risk governance.

1. Cybersecurity as an Enterprise Risk

The first principle calls for a deep understanding of what the organization values most, the types of threats that might target those crown jewels, how those risks affect the business’ bottom line and how they should be handled. The board’s role is to review those plans, ensure they are accurately and appropriately prioritized and grant the security team access to the resources it needs to carry them out. Boards should review risk-transfer options, such as cyber insurance, to ensure they properly understand coverage choices and address any gaps.

The report also stressed that every department — not just IT — is responsible for cyber risk management. It implored IT leaders to conduct frequent training to improve security awareness. Executives should also assess the organization’s preparedness for responding to a data breach by reviewing its business continuity capacity.

2. Holding Management Accountable

Because cybersecurity has become such a high-level issue, directors need to hold management accountable for its cyber risk strategy. This includes how the organization prepares for and responds to a breach, as well as how it measures and improves employees’ cyber awareness. A cyber risk framework can help the organization strive for improved outcomes rather than simply reporting on risk mitigation activities.

This principle requires the chief information security officer (CISO) to have strong communication skills and a penchant for crisis management. In times of high stress, the report noted, “it is far better to have a skillful leader rather than a subject matter expert.”

3. Improving Resilience Through Three Lines of Defense

As cyber risks evolve, the organization’s response must adapt accordingly. Boards should urge management to drop its traditional, prevention-driven approach and start operating under the assumption that the organization has already been breached. This means leveraging threat intelligence and threat modeling; testing defenses and reactions; and practicing what-if scenarios to determine what to do if those fail.

Board directors should also verify the quality of the information they receive from cybersecurity leaders, risk managers and internal auditors. This strategy, called the Three Lines of Defense model, can help executives accurately assess the effectiveness of the organization’s cyber risk management efforts.

4. Vigilance Over Third-Party Cyber Risks

Third-party threats can cause long-term damage to a business — so it’s crucial for security leaders to monitor the activity of external vendors and partners closely.

As a company grows, these relationships create a multitude of new entry points into the IT environment, each of which represents an attack vector. Because these threats are well within the organization’s perimeter defenses, they will likely blend in with legitimate traffic.

5. Building a Culture of Security

Employees are a significant source of risk because they have access to loads of data about customers, contracts and even intellectual property. However, they can also act as the first line of defense — an early warning system, if you will. Of course, there must be an organizational culture of security.

Such an environment must be supported by a continuous learning program and a record of positive interactions between IT leaders and users who take the time to alert them to potential issues. The report also stressed that nobody — not even the C-suite — is exempt from practicing basic cyber hygiene.

A Consistent Message to Board Directors

The DCRO’s recommendations are consistent with other cyber risk governance guidelines, including the National Association of Corporate Directors (NACD)’s “Director’s Handbook on Cyber-Risk Oversight.”

The message is clear across the board: Top leadership must improve its oversight of cyber risk, understand the legal implications of data compromise, review cyber risk reports regularly and measure the effectiveness of the organization’s security strategy continually.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

More from Risk Management

Operationalize cyber risk quantification for smart security

4 min read - Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.…

The evolution of ransomware: Lessons for the future

5 min read - Ransomware has been part of the cyber crime ecosystem since the late 1980s and remains a major threat in the cyber landscape today. Evolving ransomware attacks are becoming increasingly more sophisticated as threat actors leverage vulnerabilities, social engineering and insider threats. While the future of ransomware is full of unknown threats, we can look to the past and recent trends to predict the future. 2005 to 2020: A rapidly changing landscape While the first ransomware incident was observed in 1989,…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today