Best Practise Guide Offers Board Security Advice

Written by

A best practice guide on cybersecurity basics for boards of directors has been launched.

After cybersecurity issues were rated by the World Economic Forum as one of the top three risks for 2017, the World Economic Forum Future of Digital Economy and Society System Initiative has released a whitepaper to help boards understand the risks they are facing.

The guide claimed that “cyber resilience and cyber risk management are critical challenges for most organizations today”, but those organizations do not feel they are equipped with the tools to manage cyber risks with the same level of confidence that they manage other risks, and that emerging leading practices have not yet become part of the standard set of board competencies.

“Beyond individual organizations, cyber risk is a systemic challenge and cyber resilience a public good,” the report said. “In the coming years, several billions of everyday devices will be connected. As our virtual and physical worlds merge, the stakes are increased. This will require two things: 1) a significantly increased number of organizations adopting, sharing and iterating current leading practices; and 2) cross-sectoral collaboration to develop the new practices that will be required to deal with the unique attributes of managing cyber risks of physical assets.”

The report is intended to be a framework and set of tools that boards of directors can “use to smoothly integrate cyber risk and resilience into business strategy, so that their companies can innovate and grow securely and sustainably.”

Speaking at the launch of the Global Risks Report, Richard Samans, managing director and member of the managing board of the World Economic Forum, said that with the risk of cybersecurity increasing, the best practice handbook is a year-long project intended to make sure the board are up-to-date in order to “manage this critical risk as IoT is only going to get more serious so this is a boardroom issue, but the problem is more boardrooms are not equipped to carry out their duty so that the organization that they are governing has the right strategy and has the right tools and the right people in place.”

Asked if leadership is struggling to know what to do in the new environment, Samans said: “The world is moving very rapidly. Take cybersecurity: this has just rocketed up to become an existential issue in the last few years, so you cannot expect that most boards of directors are equipped for this.

“You can imagine being in that position; you have a gnawing sense of responsibility and there is a need for frameworks, and not just waiting for an international treaty or a formal code to be established, but we need to be more agile, rapid, flexible and purpose-built in our behavior.”

The whitepaper proposes ten “board principles for cyber resilience”:

Principle 1 – Responsibility for cyber resilience: The board as a whole takes ultimate responsibility for oversight of cyber risk and resilience.

Principle 2 – Command of the subject: Board members receive cyber resilience orientation upon joining the board and are regularly updated on recent threats and trends.

Principle 3 – Accountable officer: The board ensures that one corporate officer is accountable for reporting on the organization’s capability to manage cyber resilience and progress in implementing cyber resilience goals.

Principle 4 – Integration of cyber resilience: Board ensures that management integrates cyber resilience and cyber risk assessment into overall business strategy and into enterprise-wide risk management.

Principle 5 – Risk appetite: The board annually defines and quantifies business risk tolerance relative to cyber resilience, and ensures that this is consistent with corporate strategy and risk appetite.

Principle 6 – Risk assessment and reporting: The board holds management accountable for reporting a quantified and understandable assessment of cyber risks, threats and events as a standing agenda item during board meetings.

Principle 7 – Resilience plans: Support for the officer accountable for cyber resilience by the creation, implementation, testing and ongoing improvement of cyber resilience plans.

Principle 8 – Community: Encourages management to collaborate with other stakeholders in order to ensure systemic cyber resilience

Principle 9 – Review: Carrying out a formal, independent cyber resilience review of the organization annually.

Principle 10 – Effectiveness: to review its own performance in the implementation of these principles.

In an email to Infosecurity, ISF managing director Steve Durbin said that the principles touch upon a number of the key focus areas for a board to best infuse a culture of security and risk appetite internally within an organization, albeit at a high level, the principles certainly touch upon a number of the key focus areas for a board to best infuse a culture of security and risk appetite internally within an organization.

He said: “I’ve been saying for a number of years that information risk must be elevated to a board-level issue and given the same attention afforded to other risk management practices. Organizations face a daunting array of challenges interconnected with cybersecurity: the insatiable appetite for speed and agility, the growing dependence on complex supply chains, and the rapid emergence of new technologies.

“Cybersecurity chiefs must drive collaboration across the entire enterprise, bringing business and marketing needs into alignment with IT strategy. IT must transform the security conversation so it will resonate with leading decision-makers while also supporting the organization’s business objectives.

“Frankly, every organization, no matter their size, must assume they will eventually incur severe impacts from unpredictable cyber threats. Planning for resilient incident response in the aftermath of a breach is imperative. Traditional risk management is insufficient. It’s important to learn from the cautionary tales of past breaches, not only to build better defenses, but also better responses.”

What’s hot on Infosecurity Magazine?