Owning Cyber Risk: Four Tips for Boards/CEOs
Although most boards of directors and CEOs now recognize cybersecurity and discuss it frequently, many would benefit from doing more to take ownership as key stakeholders of cyber risk management.
Consider that only 14% of corporate directors believe their boards have a high level of understanding of the risks associated with inadequate cybersecurity, according to the 2015–2016 National Association of Corporate Directors (NACD) Public Company Governance Survey. And 31% of responding directors said they were either “dissatisfied” or “very dissatisfied” with the quality of information from management about cybersecurity.
What is the best way for boards and CEOs to own cyber risk? Here are four steps to get started:
- Establish a culture of cybersecurity. Making it clear that cyber risk is everyone’s responsibility sends a clear message about the important role everyone plays in cybersecurity.
- Train board members and senior executives. Suitable training — including seminars and scenario-based incident response exercises — can help make the board and C-suite more conversant about cyber risk and more engaged in its management.
- Align cyber risk with your overall risk management strategy. Define the organization’s tolerance for cyber security risk. These important parameters, defined by senior management, refer to thresholds of financial impact that the business can incur due to cyber incidents. Additionally, particularly at senior levels, cyber risk should be described in terms of loss events (expressed in dollars) and the likelihood of those events (expressed as percentages within a timeframe). This will help get cyber “on the same page” as other enterprise risks.
- Use programmatic and strategic indicators. In managing cyber risks, expect management to define and regularly report both key performance indicators (KPIs) describing progress toward cyber security program objectives, as well as forward-looking key risk indicators (KRI) that help leadership anticipate cyber threats and other developments that can have strategic implications for the business.
Increasingly, the leadership of a CEO or board is being judged partly by how they are driving their organizations to manage cyber security risks. Taking ownership of cyber risk at the top is a critical first step.