The following is part of a series of instalments providing concise summaries of selected chapters from the New York Stock Exchange’s definitive cybersecurity guide, Navigating the Digital Age.
This blog summarizes Chapter 11: Establishing a board-level cybersecurity review blueprint by Erin Nealy Cox, an executive managing director at Stroz Fridberg LLC. Please refer to the original article for any direct quotations.
Cybersecurity is now at the top of boardroom agendas but there are no guidelines to help boards navigate the issue. This chapter aims to help directors incorporate cybersecurity into the board’s overall enterprise risk strategy by setting out a blueprint for board-level cybersecurity review.
Establishing the right blueprint for boardroom cybersecurity review
Directors should know that cybersecurity is not a technological issue: It is an issue of enterprise risk that focuses on mitigation, not prevention. No one can prevent all cyber breaches; today’s board-level cybersecurity review goal is therefore cyber resilience (identifying, responding to, and recovering from security breaches). Directors don’t need technical expertise to achieve this.
The correct blueprint for board-level cybersecurity review can be summarized by three high-level questions:
- Has your organization appropriately assessed and evaluated all of its cybersecurity risks?
- Have you appropriately prioritized your cybersecurity risks? Are these priorities aligned with corporate strategy, business requirements, and a cybersecurity risk assessment?
- What actions are you taking to mitigate cybersecurity risks and do you have an appropriate incidence response plan?
The board’s cyber resilience blueprint
The board-level cybersecurity review blueprint is organized into six areas, which is a useful structure that helps boards frame the issues:
- Inclusive board-level discussion
- Establish a cybersecurity risk committee, or add the subject to an existing enterprise risk committee.
- Discuss cybersecurity risk at every board meeting.
- Empower all directors to become educated and comfortable discussing cybersecurity risk.
- Proactive cyber risk management
- Think about potential cybersecurity risk from the outset of all business initiatives, from corporate strategy to new types of customer interaction.
- Think particularly about new kinds of risk associated with emerging digital business initiatives.
- Risk-oriented prioritization
- Optimize limited resources by prioritizing along two dimensions: what’s most valuable and what’s most vulnerable.
- Ensure the quality of policies and practices around the organization’s approach to information governance so that all assets are protected appropriately.
- Investment in human defenses
- Supplement appropriate investment in information security products with continuous enterprise-wide cybersecurity awareness, education, and training programs.
- Assessments of third-party relationships
- Review all business partner relationships for potential cybersecurity vulnerabilities.
- Empower IT’s involvement earlier in the development of business relationships.
- Incident response policies and procedures
- Because breaches will happen, the board review must ensure first-class incident response.
- All enterprise employees should be part of the incident response plan.
- Incident response must continually evolve – because threats do.
Conclusion: No surprises
The goal of a board’s cybersecurity review is to avoid being unprepared for a cyber incident. If you follow the principles discussed above, and partner with external experts who have the knowledge your organization lacks, you can avoid surprises. This doesn’t mean that your company won’t be breached – that’s impossible to guarantee – but if you are, you will be able to handle the incident confidently and effectively.
Best-practice cyber risk management
The international standard ISO 27001 sets out a best-practice approach to cyber risk management that can be adopted by all organizations. Encompassing people, processes, and technology, ISO 27001’s enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way.
Registration to the Standard demonstrates to investors, stakeholders, customers, and staff that information security best practice is being followed.