Cyber risk planning for directors – six principles to follow


With reliance on data continuing to rise, and the cyber threat landscape rapidly evolving, it’s important for boardrooms to play a more active role in the governance of cyber security.

“Cybercrime is harmful to organisations and their stakeholders,” says Joe Fitzsimons, senior policy advisor at the Institute of Directors (IoD). “Directors must work to ensure there’s a strong understanding of cybercrime across all areas of the business and that the necessary steps are taken to prevent cyberattacks from disrupting business, or causing financial or reputational damage.”

This work needs to begin with education, as many directors don’t fully understand the risks. Of course, there are some industries where cyber has been an important part of the risk agenda for a long time, and there are even some directors that have come from a cyber security background. However, the vast majority are just now beginning to understand how cyber risk affects all aspects of their business.

On average, most directors are at the problem identification stage, says Daniel Dobrygowski, head of governance and trust at the World Economic Forum (WEF). “They know that cyber risks exist, but look to the IT team to solve them. They’ve not yet come to understand that this is their responsibility, let alone developed a nuanced understanding of what they can do about it.”

Until now the boardroom’s response to cyber risk has been fragmented, says Dobrygowski, for two main reasons. The first is that cyber risk is a relatively new issue; the second is that the usual incentives, such as market forces and regulation, are themselves fragmented.

“Over the past decade we’ve seen more regulation over cyber breaches and stakeholder derivative suits, but it’s not been so widespread or all in one direction that there’s a clear signal to boards. In this fast-moving space however, it’s going to be important for boards to start moving ahead of some of these incentives.”

Digital transformation leads to increased cyber risk

Digital transformation is at the top of many organisations’ agendas, particularly as they look towards growth post-pandemic. But with digitalisation comes increased cyber risk, making it an enterprise-wide risk management issue.

This doesn’t mean directors need to start getting involved in the day-to-day management of their IT security. Instead, the board should be focused on improving their governance practices in this space “by talking to the right people in their company, making cyber security a standing board item, and holding management accountable for having good answers to questions the board asks them,” says Dobrygowski.

There’s no expectation that directors must become experts in cyber risk and security, but as with other areas of the business, they should have some familiarity with the subject, notes Larry Clinton, president of the Internet Security Alliance (ISA).

“They need to understand the terms being thrown about, be able to ask the right questions. Board members are chosen for their leadership experience, their good judgement and their understanding of how a business works. They can use those tools to ask the right questions about cyber as well.”

Six principles to support board oversight of cyber security

With the need for a cohesive international approach to cyber risk governance, the WEF, ISA, PwC and the US’ National Association of Corporate Directors came together to create a guide to help board members set cyber security strategy and engage with stakeholders around cyber risk.

In the past, each of these organisations had developed its own handbook. To avoid a fragmented approach to guidance, they came together to identify the key areas that demand board-level understanding. From there they defined six core principles that support board oversight of a cyber-resilient organisation while driving strategic goals, along with guidance for implementation. The six principles are:

  • Cyber security is a strategic business enabler.
  • Understand the economic drivers and impact of cyber risk.
  • Align cyber risk management with business needs.
  • Ensure organisational design supports cyber security.
  • Incorporate cyber security expertise into board governance.
  • Encourage systemic resilience and collaboration.

“At the core of the principles are the ideas that boards should incorporate cyber security into overall business strategy and decision-making, and increase board expertise and oversight of cyber security issues. When implemented together, these principles can help boards establish effective cyber governance,” advises Joe Nocera, cyber and privacy innovation institute leader at PwC.

Benefits of incorporating cyber security into business strategy

PwC is already measuring the impact such principles can have on an organisation’s cyber risk. In its 2019 Digital Trust Insights report, it found that boards whose cyber strategies were aligned with the business were more likely to achieve the goals of their digital initiatives and to anticipate and mitigate new cyber risks. It also found that organisations that had built up resilience capabilities tended to be much more confident that they could manage emerging risks, and that those that built privacy and security into their data monetisation plans were more likely to achieve the ROI from those initiatives.

Its 2021 report, meanwhile, found that half of businesses had cyber security baked in as a consideration in all business decisions and strategies, and that 96% had adapted their cyber security strategies as a result of COVID-19.

“In its Global State of Information Security Survey, PwC reported that boards which use these principles had better cyber risk management, cultural alignment of cyber security with overall business goals, better budgeting and better communication between management and staff. This, in turn, helped create a greater culture of security,” says Clinton.

“This is the only set of cyber security best practices that I'm aware of that have been independently assessed and found to create positive security outcomes. These actually enhance security, and therefore the viability of a business.”

While it may be new to many board members, cyber risk can be understood and governed like any other risk. It will take some understanding, but also some collaboration, says Dobrygowski, who notes the importance of cooperation between organisations.

“Board members are an especially great group to spur this,” he notes. “They often sit on a number of boards and work closely with their peers and government. They’re the people to spread the word regarding good cyber practices at board level, helping educate their peers and move things forward through greater cooperation and knowledge sharing. This is something we at the WEF want to encourage board members to do.”

Keri Allan

Keri Allan is a freelancer with 20 years of experience writing about technology and has written for publications including the Guardian, the Sunday Times, CIO, E&T and Arabian Computer News. She specialises in areas including the cloud, IoT, AI, machine learning and digital transformation.