Cyber-Risk Handbook Issued for Boards

Breaches Are Enterprise-Wide Risk Issue

By Chad Boeckmann, CEO, Secure Digital Solutions

This summer (2014), the National Association for Corporate Directors (NACD) acknowledged something we have long contended at Secure Digital Solutions: Company boards—not just IT departments—share responsibility for preventing cyber-attacks.

Prompted by a rash of high-profile breaches, which now includes Target, Michael’s, Super Valu and Home Depot, the largest association for corporate board members has acted. NACD teamed up with insurance giant AIG and the Internet Security Alliance to develop and publish security oversight guidelines for executives at the very top of American corporations.

The resulting Cyber-Risk Oversight Handbook spells out five excellent principles for boards to follow:
1. Directors need to understand and approach cyber-security as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber-risks as they relate to their company’s specific circumstances.
3. Boards should have adequate access to cyber-security expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
4. Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget.
5. Discussion of cyber-risks between boards and senior managers should include identification of which risks to avoid, accept, mitigate or transfer through insurance as well as specific plans associated with each approach.

The question of “where the buck stops” is finally getting the buzz it deserves. Even the Department of Homeland Security has endorsed the guidelines. Too often, IT and security have been viewed as cost centers, rather than partners, of the C-Suite. Now that boards are advised to forge a better alliance with IT security, how will the two communicate on an issue that can be densely technical, and work together to build corporate cultures of security?

Our advice is to focus on the last two guidelines, were the rubber meets the road: Companies need to set up a healthy information security program, then systematically develop a plan to address identified risks. These are the first steps we counsel in every client engagement at Security Digital Solutions.

The best program starts with a healthy Information Security Council with defined roles, membership, and a definition of scope. Because security is a technical, cultural, and communications issue, it’s vital that a company-wide team representing finance, human resources, marketing, and operations co-develop an information security plan and share accountability for its success.

The second priority for boards is to commission an unbiased information security program assessment—one everyone understands, including the board and the Information Security Council. Too many audit reports today are laundry lists that paralyze decision-makers. At Security Digital Solutions, we translate assessments into a concise, one-page Information Security Dashboard that ranks priorities red, yellow or green based on their level of threat to the bottom line. With our dashboard, clients can convey the big security picture to upper-level management in a form that clarifies and motivates investment.

We applaud the Cyber-Risk Oversight Handbook. It’s a big step by the National Association of Corporate Boards. Information security professionals everywhere are grateful for leadership on a topic where corporate governance has too long been silent or shifted blame. Let’s put and end to silos and work together to protect consumers and the companies they trust.