Cyber risk planning for directors – six principles to follow

By following these core principles, members of the boardroom can help create a business-wide culture of security

With reliance on data continuing to rise, and the cyber threat landscape rapidly evolving, it’s important for boardrooms to play a more active role in the governance of cyber security.

“Cybercrime is harmful to organisations and their stakeholders,” says Joe Fitzsimons, senior policy advisor at the Institute of Directors (IoD). “Directors must work to ensure there’s a strong understanding of cybercrime across all areas of the business and that the necessary steps are taken to prevent cyberattacks from disrupting business, or causing financial or reputational damage.”

This work needs to begin with education, as many directors don’t fully understand the risks. Of course, there are some industries where cyber has been an important part of the risk agenda for a long time, and there are even some directors that have come from a cyber security background. However, the vast majority are just now beginning to understand how cyber risk affects all aspects of their business.

On average, most directors are at the problem identification stage, says Daniel Dobrygowski, head of governance and trust at the World Economic Forum (WEF). “They know that cyber risks exist, but look to the IT team to solve them. They’ve not yet come to understand that this is their responsibility, let alone developed a nuanced understanding of what they can do about it.”

Until now the boardroom’s response to cyber risk has been fragmented, says Dobrygowski, for two main reasons. The first, he says, is that cyber risk is a relatively new issue; the second is that the normal incentives, such as market forces and regulation, are themselves fragmented.

“Over the past decade we’ve seen more regulation over cyber breaches and stakeholder derivative suits, but it’s not been so widespread or all in one direction that there’s a clear signal to boards. In this fast-moving space, however, it’s going to be important for boards to start moving ahead of some of these incentives.”

Digital transformation leads to increased cyber risk

Digital transformation is at the top of many organisations’ agendas, particularly as they look towards growth post-pandemic. But with digitalisation comes increased cyber risk, making it an enterprise-wide risk management issue.

This doesn’t mean directors need to start getting involved in the day-to-day management of their IT security. Instead, the board should be focused on improving their governance practices in this space “by talking to the right people in their company, making cyber security a standing board item, and holding management accountable for having good answers to questions the board asks them,” says Dobrygowski.

There’s no expectation that directors must become experts in cyber risk and security, but as with other areas of the business, they should have some familiarity with the subject, notes Larry Clinton, president of the Internet Security Alliance (ISA).

“They need to understand the terms being thrown about, be able to ask the right questions. Board members are chosen for their leadership experience, their good judgement and their understanding of how a business works. They can use those tools to ask the right questions about cyber as well.”

Six principles to support board oversight of cyber security

With the need for a cohesive international approach to cyber risk governance, the WEF, ISA, PwC and the US’ National Association of Corporate Directors came together to create a guide to help board members set cyber security strategy and engage with stakeholders around cyber risk.

In the past the organisations had developed their own handbooks, but in order to avoid a fragmented approach to guidance, they came together to identify the key areas that demand board-level understanding. From there they defined six core principles that support board oversight of a cyber-resilient organisation while driving strategic goals, along with guidance for implementation. These six principles are:

  • Cyber security is a strategic business enabler.
  • Understand the economic drivers and impact of cyber risk.
  • Align cyber risk management with business needs.
  • Ensure organisational design supports cyber security.
  • Incorporate cyber security expertise into board governance.
  • Encourage systemic resilience and collaboration.

“At the core of the principles are the ideas that boards should incorporate cyber security into overall business strategy and decision-making, and increase board expertise and oversight of cyber security issues. When implemented together, these principles can help boards establish effective cyber governance,” advises Joe Nocera, cyber and privacy innovation institute leader at PwC.

Benefits of incorporating cyber security into business strategy

PwC is already measuring the impact such principles can have on an organisation’s cyber risk. In its 2019 Digital Trust Insights, it found that boards whose cyber strategies aligned with the business are more likely to achieve the goals of their digital initiatives, and to anticipate new cyber risks and mitigate them. It also found that those that have built up resilience capabilities tend to be much more confident that they can manage emerging risks, and those that build privacy and security into their data monetisation plans are more likely to achieve the ROI from those initiatives.

Its 2021 report, meanwhile, found that half of businesses have cyber security baked in as a consideration in all business decisions and strategies, and that 96% had adapted their cyber security strategies as a result of COVID-19.

“In its Global State of Information Security Survey, PwC reported that boards which use these principles had better cyber risk management, cultural alignment of cyber security with overall business goals, better budgeting and better communication between management and staff. This, in turn, helped create a greater culture of security,” says Clinton.

“This is the only set of cyber security best practices that I'm aware of that have been independently assessed and found to create positive security outcomes. These actually enhance security, and therefore the viability of a business.”

While it may be new to many board members, cyber risk can be understood and governed like any other risk. It will take some understanding, but also some collaboration, says Dobrygowski, who notes the importance of cooperation between organisations.

“Board members are an especially great group to spur this,” he notes. “They often sit on a number of boards and work closely with their peers and government. They’re the people to spread the word regarding good cyber practices at board level, helping educate their peers and move things forward through greater cooperation and knowledge sharing. This is something we at the WEF want to encourage board members to do.”
