Should boards of directors address cybersecurity risk as a central part of overall business strategy, investments and/or merger and acquisition decisions, or should responsibility remain primarily with security professionals, asks a new research report from consultant Booz Allen Hamilton and the University of California at Berkeley’s Center for Long-Term Cybersecurity (CLTC).
Concern over cybersecurity threats is no longer only the province of security pros, the report, entitled Resilient Governance for Boards of Directors: Considerations for Effective Oversight of Cyber Risk, found; it is an issue that also commands the attention of senior business leaders and boards of directors. The study aims to give board directors a framework to “think through the tough questions that must be answered to formulate new approaches” to handle cybersecurity threats, said Bill Phelps, a Booz Allen executive vice president who leads the consultancy’s U.S. commercial business wing.
“Until very recently, it was uncommon for boards of directors to address cybersecurity risk in a regular and disciplined fashion,” said Phelps. “Today, boards feel a deep sense of urgency to exercise a central role in improving their firm’s cybersecurity posture through enterprise-level governance and oversight."
Still, many boards aren’t confident that the necessary resources are in place to enable them to provide effective cybersecurity governance, the report said. Most admit that they’re just getting started with oversight of cybersecurity, and a rapidly changing threat landscape further complicates any attempt to settle on a strategy for heightened board involvement. Along those lines, the report identifies what it calls four “dynamic tensions” likely to shape board governance and oversight of cybersecurity:
- An organization’s overall risk model or mindset.
- Distribution of cybersecurity expertise on the board.
- Balance between cooperation and competition with other enterprises.
- The model for information flows between management and the board.
Boards will need to hammer out their positions on each of these four factors, the report said. In addition, they’ll need to:
- Develop a shared understanding with management about the pros and cons of their positions.
- Reevaluate their position regularly to assess the need for changes or upgrades.
- Grade themselves for effectiveness and adaptability.
The report will help boards answer the question of what good cybersecurity governance looks like, said Steve Weber, CLTC faculty director and co-author of the report. “Cybersecurity is now at—or very near—the top of enterprise risks that boards of directors oversee, but few boards feel confident that they know how to do this well,” he said. “Our report offers a new framework for how to govern cybersecurity risk at the board level, and how to improve and evolve governance over time as the threat evolves.”
While the report acknowledges that there’s “no governance template for cyber that can be applied across sectors and level of exposure,” it identifies several key areas of agreement among boards that are shaping perspectives and decisions, including:
- Cyber risk is no longer confined to a set of operational decisions to be left solely in the hands of IT management.
- Standard board governance frameworks are not specific enough to create an operational model for cyber risk given the dynamic nature of the threat.
- Industry sectors differ in their overall exposure and relative sophistication around cyber risk.
The report closes with recommendations that boards can adopt to build resilient governance from the top and improve a company’s ability to keep up with new and existing cyber threats.