This is the last of a three-part series about developing a cybersecurity governance lifecycle that provides coverage, balance, effectiveness, efficiency and assurance. This series explores cybersecurity governance in the context of enterprise governance and strategy. Part one reviews the governance lifecycle approach while part two takes a look at the role of senior leaders in governance. This post discusses the role of board members in cybersecurity governance. Acknowledging the importance of clear boundaries between roles, it describes how the board can govern cybersecurity effectively.
Cybersecurity governance should go beyond managing cyber risk — it should clarify the boundaries of responsibility among cybersecurity leaders, the senior leadership team and board members. Board members are aware that stakeholders expect them to take an active role in cyber governance – and regulations (e.g., updates to NYDFS 500, SEC Disclosure Rules) are underscoring the expectation that boards exercise effective oversight of the cybersecurity program.
While boards differ in their knowledge of and approach to cybersecurity governance, cybersecurity leaders can support directors’ success by guiding board members to ask the right questions. To this end, the National Association of Corporate Directors (NACD) has published guidance to help board members find the proper level of oversight. The questions and activities offered here will prompt the dialogue that leads to robust cybersecurity program oversight.
The questions and activities discussed here are directional in nature, rather than prescriptive. The level of depth and detail at which board members will consider the topics explored here will vary from one board to another.
NACD’s Six Consensus Principles
The NACD has published Six Consensus Principles for Board Governance of Cyber Risk, which boards can use to govern cybersecurity throughout their organizations:
- Cybersecurity is a strategic business enabler
- Understand the economic drivers and impact of cyber risk
- Align cyber risk management with business needs
- Ensure organizational design supports cybersecurity
- Incorporate cybersecurity expertise into board governance
- Encourage systemic resilience and collaboration
Cybersecurity leaders can support their boards by helping them understand what questions should be asked under each of these six principles, and how the principles depend on one another.
How do changes in strategy affect the organization’s risk profile?
This extends from principle one (Cybersecurity is a strategic business enabler) and principle three (Align cyber risk management with business needs). It is important to understand the impacts that strategic changes can have on the risk profile and understand how cybersecurity concerns could prevent achieving strategic value. As the organization’s strategy changes business processes, products offered or how the organization goes to market, those changes could increase or decrease risks or subject the organization to risks that it did not face before. The board needs to ensure the cybersecurity organization is informing the senior leadership team of the changes in the risk profile and suggesting ways to reduce the risks to an acceptable level. Establishing a strong link between these elements removes cyber governance from the abstract and grounds it in specific activity appropriate to a particular enterprise. It ensures cybersecurity is a key requirement — one that’s integral to strategy.
What framework is being used to create a common understanding of cybersecurity principles and practices, and how does the board assure it has access to the expertise and advice needed to provide oversight?
This stems from principle two (Understand the economic drivers and impact of cyber risk) and principle five (Incorporate cybersecurity expertise into board governance). Most board members have a strong understanding of common business practices (e.g., revenue generation, accounting practices, common industry processes). They often do not have the same depth of knowledge regarding cybersecurity. Key to the board’s governance role is to assure there is a firm understanding of cybersecurity practices, much like its understanding of common business practices. Using a known and reputable framework (e.g., NIST CSF) provides a structure that defines common practices and helps the board continue to expand its cyber knowledge base. It also connects the measurements and metrics for cyber risk to the decisions that need to be made about those risks.
Where the board seeks a deeper understanding of practices or risks, it should engage internal or external experts who regularly advise the board. Boards can also consider periodic audits, reviews and benchmarking by independent third parties as ways to formalize oversight and assess the effectiveness of their cybersecurity programs. Recent regulation further formalizes this concept. New York’s 23 NYCRR 500, as amended in 2023, expects the boards of covered financial services companies to have sufficient cybersecurity expertise, whether from board members themselves or from advisers, to exercise effective oversight, and it requires its largest (Class A) covered entities to obtain regular independent audits of the cybersecurity program. Likewise, the Securities and Exchange Commission’s cybersecurity disclosure rule requires public companies to describe how the board oversees cybersecurity risk and to report material cybersecurity incidents.
Does the cybersecurity organization have the right support (budget and organizational position)?
This question drives home principle four (Ensure organizational design supports cybersecurity). At a high level, boards will want to ensure that cybersecurity functions receive sufficient staffing and funding, and then monitor efficacy to confirm those resources remain adequate. How the cybersecurity organization is structured is a decision best left to cybersecurity leadership. Keeping the board’s focus on funding and staffing keeps it out of tactical decision-making about organizational design.
The board should also be concerned with assuring that the cybersecurity organization is aligned appropriately to influence strategy-setting and enterprise governance. Cybersecurity organizational design can differ by organization and should be based on the specific goals and influence needs for cybersecurity. Aligning with IT allows for a more direct influence over technology strategy but can create independence challenges and limit visibility to the senior leadership team. Aligning with a non-IT leader will help with influencing governance and business strategy but can make it more challenging to influence technology strategy.
What role does cybersecurity play in demonstrating governance to external stakeholders?
This last principle (Encourage systemic resilience and collaboration) is a recent addition to the NACD’s original five. While adherence to the first five principles helps an organization achieve resilience, principle six calls for developing a complete view of its risk and resiliency posture so that it can operate in a socially responsible way. Specifically, principle six acknowledges that the “governance” in environmental, social and governance (ESG) factors encompasses cybersecurity. When a board considers ESG matters, it will want cybersecurity to be part of the discussion, because the cybersecurity program is a component of its governance efforts. For public companies in particular, reports on these matters must properly reflect the enterprise’s overall risk and resiliency posture.
Gaining the knowledge that results in robust oversight
As boards’ roles in cybersecurity oversight are formalized via regulation and practice alike, board members will need to continue to enhance their abilities to govern. The NACD’s consensus principles and a few supplemental questions help boards obtain the knowledge they’ll need to govern cybersecurity effectively. Cybersecurity leaders can add value by guiding boards toward the activities and questions that result in robust cybersecurity governance.