Recent court rulings in derivatives lawsuits resulting from a breach have clearly focused on whether the company made a "reasonable" effort to prevent the breach and whether boards provided a reasonable level of oversight in the context of protecting shareholder interests.
In addition to monitoring risk levels, board are beginning to add additional components to their oversight rigor, including a deeper understanding of the organization's strategy and capabilities for managing the cybersecurity risk.
This paper provides some educational groundwork to help board members engage with management on the strategy, including a description of the key components and capabilities that define a mature cybersecurity operation in today's environment.
