The Institute of Internal Auditors (IIA) is an international professional association of more than 180,000 members recognized as the preeminent professional organization for internal auditors. They provide a venue for internal auditors from around the world to share lessons learned and best practices. Among their many activities they publish periodicals and research reports designed to advance the professionalism of their practice.
The Information Systems Audit and Control Association (ISACA) advocates for the development, adoption and use of globally accepted, industry-leading knowledge and practices for information technology systems.
The National Association of Corporate Directors (NACD) is the recognized authority on advancing exemplary board leadership and establishing boardroom practices. They deliver insights and resources to more than 15,000 corporate director members in service to enhanced decision-making.
The Internet Security Alliance (ISA) is a unique association providing thought leadership and advocacy centered at enhancing cybersecurity.
All four of these organizations have been working issues of corporate governance regarding cybersecurity. This post captures highlights from some of their recent work
NACD and ISA published a report titled the “Cyber-Risk Oversight” where they propose five key principles for boards in approaching cyber-risk:
- Cyber-risk is more than just an IT issue: it is a key component of enterprise risk management, requiring board-level oversight.
- Cyber risks have important legal ramifications, which directors need to understand.
- Cyber-risk should be a topic of regular board discussion, and boards need access to the expertise to engage with cyber-risk issues.
- Directors should ensure management implements an effective cyber-risk framework for the company.
- The board and management should assess cyber-risk just like other enterprise-level risks: ensuring a specific determination is made of which aspects of cyber-risk to accept, avoid, mitigate or insure against.
The IIA and ISACA have built upon these five principles to provide well thought out implementation guidance in a publication titled “Cybersecurity: What the Board of Directors Needs to Ask”
Here is how they recommend boards move out in turning the five principles above into action plans:
Principle 1: Cyber-risk is more than just an IT issue: it is a key component of enterprise risk management, requiring board-level oversight.
- Require internal audit to provide annual “health check” report on cybersecurity programs
- Internal audit should cover all domains of cybersecurity
- Internal audit should leverage external security organizations (my favorite: Crucial Point!).
Principle 2: Cyber risks have important legal ramifications, which directors need to understand.
- This includes understanding risks associated with third party service providers
- Outsourcing key components of IT is common, but understanding risks and legal ramifications in doing this is not
- Board should get lists of all third party relationships and ensure appropriate agreements are in place
- Understand that states and countries around the globe are putting different legal regimes in place. Know the law where you operate regarding privacy and security and breach notification.
- Ensure the board is notified of all breaches and key breach attempts.
Principle 3: Cyber-risk should be a topic of regular board discussion, and boards need access to the expertise to engage with cyber-risk issues.
- Boards must have access to adequate cybersecurity expertise and should devote time for board discussions on this topic
- Boards should meet with the CISO. Discuss the CISO’s strategy and current projects. Provide opportunity for CISO to identify any key roadblocks (budget, political agendas, ignorance, apathy, arrogance)
- Get “health checks” on the cybersecurity program from independent sources
- Understand how peer organizations are being attacked and defended
- Verify that management has established relationships with appropriate national and local authorities for cyber-crime responses.
Principle 4: Directors should ensure management implements an effective cyber-risk framework for the company.
- Require management to communicate the enterprise risk management organization approach to cyber.
- ERM approaches vary from organization to organization, but should all include cybersecurity
- Understand what percentage of total revenue is in the IT budget and what percentage is for security. Understand what security spending is outside of IT as well.
- Ensure that the CISO is reporting in at the right level of the organization. At some places there is conflict between CIO and CISO. Ensure this does not happen. The CISO might need to be a CEO/COO direct report.
Principle 5: The board and management should assess cyber-risk just like other enterprise-level risks: ensuring a specific determination is made of which aspects of cyber-risk to accept, avoid, mitigate or insure against.
- The board should meet with the chief risk officer and review all risks
- Ensure cyber insurance risk coverage is sufficient to address potential cyber risks
- Ask management to provide cost per record of data breach and other statistics that can inform judgement
IIA and ISACA also suggest six questions any board should consider to prepare for discussions with management and audit:
- Does the organization use a security framework?
- What are the top risks the organization has related to cybersecurity?
- How are employees made aware of their role related to cybersecurity?
- Are external and internal threats considered when planning cybersecurity program activities?
- How is security governance managed in the organization?
- In the event of a serious breach, has management developed a robust response protocol?
These questions are high level and should result in action-oriented discussions between the board and management. We most strongly concur. These are fantastic questions to start a dialog.