Why corporate boards are unprepared to handle cybersecurity risks
There is no single dashboard or fixed set of metrics for managing cybersecurity risk. The attack surface is so broad and the threats move so fast that traditional oversight rules don't apply. Corporate board members and CISOs not only have to run to keep up with a moving target, they need a whole new approach to understanding the issue.
Booz Allen Hamilton and the Center for Long-Term Cybersecurity (CLTC) at the University of California, Berkeley might have an answer in a new report, "Considerations for Effective Oversight of Cyber Risk." The report was written by Bill Phelps, executive vice president and commercial business lead at Booz Allen Hamilton; Ann Cleaveland, executive director of the CLTC; and Steve Weber, faculty director of the CLTC. During the summer of 2019, the team interviewed 20 corporate board members from communication services, consumer goods, financial services, health care, utilities, information technology, and real estate. The goal was to assess their beliefs, practices, and aspirations regarding cybersecurity governance.
Board members said cybersecurity is an existential risk for their businesses and that they want to understand the issue better, because problems are growing faster than they are being solved. The report recommends defining a security posture that reflects a company's priorities and risk tolerances. To do this, corporate boards should work through four questions, each of which frames a "dynamic tension" (a trade-off with no permanently correct answer), and revisit the list frequently to track changes in risk, regulation, and internal expertise. CISOs need to develop a deep working relationship with board members and find new ways to educate them on both current and future risks. CISOs should work with the board to answer these four questions:
1. What is our overall risk model for governing cybersecurity?
2. Where, how, and when do we access the expertise to understand the risks?
3. Is collaboration or competition our preferred approach with industry partners?
4. How do we share and exchange information on cyber risk between management and the CISO?
The key is to ask and answer these questions frequently to "multiply the upsides and de-risk the downside" of a company's approach to managing security. The report found that there is no single right answer to any of the questions and that the best answer changes over time:
"There are no optimal landing spots that can be calculated given a known set of parameters. Dynamic tensions are, in fact, dynamic, as the terms of the relevant trade-offs are in motion. We articulate the most salient strengths and weaknesses associated with particular choices along each of the tensions."
The report recommends that corporate boards use this framework to oversee and govern cybersecurity in the enterprise now, and to keep applying it as new threats and regulations emerge.
The Center for Long-Term Cybersecurity is a research and collaboration hub that helps individuals and organizations address tomorrow's information security challenges to amplify the upside of the digital revolution.