According to the National Association of Corporate Directors, 31% of board members surveyed are dissatisfied with the quality of cybersecurity information provided by management.[1]
Boards of directors are seeking to engage with the cybersecurity strategy and monitor the risks more closely, but they face significant challenges. Recent court rulings provide some guidance, but there is no definitive standard for what constitutes "reasonable board oversight" of cybersecurity risk. Likewise, chief information security officers (CISOs) often struggle to determine what information is most useful to present to the board. When the two parties do meet, emerging issues like ransomware and cloud security often steal the show, while the real rigor – a business-wide risk management program for cybersecurity – remains unaddressed. CISOs and board members alike can benefit from a dashboard of replicable metrics that help the board monitor risk and measure progress over time relative to corporate strategy and risk tolerance.
This white paper is a tool for improving the board-management dialog on cybersecurity risk management. It contains a Framework for Inquiry, a non-prescriptive exercise that can help boards and management work together to craft a common operational picture for reviewing risk levels, measuring effectiveness, and prioritizing investment over time.
[1] Source: NACD 2015-16 Public Company Governance Survey