Cyber Security and Corporate Governance: The five principles every corporate director should embody

Bob Gourley November 24, 2014

The Institute of Internal Auditors (IIA) is an international professional association of more than 180,000 members recognized as the preeminent professional organization for internal auditors. They provide a venue for internal auditors from around the world to share lessons learned and best practices. Among their many activities they publish periodicals and research reports designed to advance the professionalism of their practice.

The Information Systems Audit and Control Association (ISACA) advocates for the development, adoption and use of globally accepted, industry-leading knowledge and practices for information technology systems.

The National Association of Corporate Directors (NACD) is the recognized authority on advancing exemplary board leadership and establishing boardroom practices. They deliver insights and resources to more than 15,000 corporate director members in service to enhanced decision-making.

The Internet Security Alliance (ISA) is a unique association providing thought leadership and advocacy centered at enhancing cybersecurity.

All four of these organizations have been working on issues of corporate governance regarding cybersecurity. This post captures highlights from some of their recent work.

NACD and ISA published a report titled “Cyber-Risk Oversight,” in which they propose five key principles for boards in approaching cyber-risk:

  1. Cyber-risk is more than just an IT issue: it is a key component of enterprise risk management, requiring board-level oversight.
  2. Cyber risks have important legal ramifications, which directors need to understand.
  3. Cyber-risk should be a topic of regular board discussion, and boards need access to the expertise to engage with cyber-risk issues.
  4. Directors should ensure management implements an effective cyber-risk framework for the company.
  5. The board and management should assess cyber-risk just like other enterprise-level risks: ensuring a specific determination is made of which aspects of cyber-risk to accept, avoid, mitigate or insure against.

The IIA and ISACA have built upon these five principles to provide well thought out implementation guidance in a publication titled “Cybersecurity: What the Board of Directors Needs to Ask.”

Here is how they recommend boards turn the five principles above into action plans:

Principle 1: Cyber-risk is more than just an IT issue: it is a key component of enterprise risk management, requiring board-level oversight.

  • Require internal audit to provide an annual “health check” report on cybersecurity programs.
  • Internal audit should cover all domains of cybersecurity.
  • Internal audit should leverage external security organizations (my favorite: OODA LLC).

Principle 2: Cyber risks have important legal ramifications, which directors need to understand.

  • This includes understanding risks associated with third-party service providers.
  • Outsourcing key components of IT is common, but understanding the risks and legal ramifications of doing so is not.
  • The board should get a list of all third-party relationships and ensure appropriate agreements are in place.
  • Understand that states and countries around the globe are putting different legal regimes in place. Know the law where you operate regarding privacy and security and breach notification.
  • Ensure the board is notified of all breaches and key breach attempts.

Principle 3: Cyber-risk should be a topic of regular board discussion, and boards need access to the expertise to engage with cyber-risk issues.

  • Boards must have access to adequate cybersecurity expertise and should devote time to board discussions on this topic.
  • Boards should meet with the CISO. Discuss the CISO’s strategy and current projects. Provide an opportunity for the CISO to identify any key roadblocks (budget, political agendas, ignorance, apathy, arrogance).
  • Get “health checks” on the cybersecurity program from independent sources.
  • Understand how peer organizations are being attacked and defended.
  • Verify that management has established relationships with appropriate national and local authorities for cyber-crime responses.

Principle 4: Directors should ensure management implements an effective cyber-risk framework for the company.

  • Require management to communicate the organization’s enterprise risk management (ERM) approach to cyber-risk.
  • ERM approaches vary from organization to organization, but all should include cybersecurity.
  • Understand what percentage of total revenue is in the IT budget and what percentage of that is for security. Understand what security spending is outside of IT as well.
  • Ensure that the CISO is reporting at the right level of the organization. At some places there is conflict between the CIO and the CISO. Ensure this does not happen. The CISO might need to be a CEO/COO direct report.

Principle 5: The board and management should assess cyber-risk just like other enterprise-level risks: ensuring a specific determination is made of which aspects of cyber-risk to accept, avoid, mitigate or insure against.

  • The board should meet with the chief risk officer and review all risks.
  • Ensure cyber insurance coverage is sufficient to address potential cyber risks.
  • Ask management to provide the cost per record of a data breach and other statistics that can inform judgment.

IIA and ISACA also suggest six questions any board should consider to prepare for discussions with management and audit:

  1. Does the organization use a security framework?
  2. What are the top risks the organization has related to cybersecurity?
  3. How are employees made aware of their role related to cybersecurity?
  4. Are external and internal threats considered when planning cybersecurity program activities?
  5. How is security governance managed in the organization?
  6. In the event of a serious breach, has management developed a robust response protocol?

These questions are high-level and should result in action-oriented discussions between the board and management. We most strongly concur. These are fantastic questions to start a dialog.

This post is sponsored by the Enterprise CIO Forum and HP’s Make It Matter.

Bob Gourley
Co-Founder and CTO at OODA
Bob Gourley is the CTO and Co-Founder of the due diligence and cybersecurity consultancy OODA LLC , which publishes CTOvision.com and OODAloop.com. Bob's background is as an all source intelligence analyst and an enterprise CTO.