Cyber Risk is a Key Focus for Corporate Boards

March 20th, 2017
By Adam Stone, Principal

For organizations across industry sectors, digital commerce is the dominant vehicle to transact business and improve efficiency. Groundbreaking innovations in computing potential accelerate the speed of change for business, and the risks that naturally follow. A key risk that is often highlighted is cyber risk. Cyber risk is a key focus for corporate boards. According to the Institute of Risk Management cyber risk is defined as “any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.”

Board members of the digital economy need the knowledge to ask the right questions of corporate executives. Without a reasonable degree of technical fluency, board members lack important tools to ensure a professional standard of care for the organizations they serve. Board members face a business imperative: adapt, today, to the disruptive changes of digital commerce by adopting a new dialect based in cyber risk.

Recently, the National Association of Corporate Directors (NACD) published the 2017 Cyber Risk Oversight Handbook. The message of the Handbook is clear: to assert meaningful oversight in the digital economy, board members must treat cyber-risk as an issue of strategic import and operational significance for the organization. Cyber-risk ought not be written off as an “IT issue,” since this sort of thinking creates a hazardous blind spot for professionals charged with corporate governance responsibilities. To prepare board members for discussions about cyber risk, NACD recommends the following:

Understand the legal ramifications for the company, as well as the board itself.
Ensure directors have sufficient agenda time and access to expert information in order to have well-informed discussions with management.
Integrate cyber risk discussions with those about the company’s overall tolerance for risk.

These recommendations emphasize the need for proactive (rather than reactive) identification and analysis of cyber risks, as well as clear direction on cyber-risk management strategies. Importantly, the board’s treatment of cyber-risk ought to reflect the firm’s culture and capacity for change.

In support of an effective cyber risk strategy for the board, the Handbook outlines five cyber risk oversight principles fundamental to an effective risk management program.

Information security leaders play a crucial role in cyber risk governance. Board members depend on current, meaningful data to support the effectiveness of the firm’s information security controls and processes. For over a decade, Secure Digital Solutions (SDS) has provided solutions to elevate the language of information security by focusing on process maturity mapped to risk categories. Our award-winning TrustMAPP® platform leverages the powerful MAPP™ (Maturity Assessment, Profile, and Plan) methodology to quickly identify, measure and understand the performance of the business processes that support a security program and inform risk decisions.

Using process maturity as the key performance indicator for program effectiveness, TrustMAPP provides security leaders with readily available tools to effectively communicate the business value of cybersecurity and cyber risk. Executives and board members reap the benefits of TrustMAPP analytics via improved clarity in the organization’s information security posture and its impact on cyber risk strategies.

Want to learn more? Visit TrustMAPP.com for information about TrustMAPP®, powered by the MAPP™ methodology.