Senior managers from companies across the world fear they still do not have the level of information needed to adequately tackle the threat of cyber attack.
Research from the University of California, Berkeley’s Center for Long-Term Cybersecurity (CLTC) and consultancy Booz Allen Hamilton has found that, while many boards regard cybersecurity risk as an “existential threat,” they are not confident they have the information and processes in place to provide effective governance.
In the report, Resilient Governance for Boards of Directors: Considerations for Effective Oversight of Cyber Risk, board members largely agree they are just getting started with oversight of cybersecurity and believe the cyber risk environment is not stabilising or likely to do so in a predictable way over the next few years. At the same time, boards are wrestling with difficult questions, including whether cyber risk should be addressed as a central part of overall business strategy discussions, and whether it should figure prominently in board-level investment or merger-and-acquisition decisions.
“Until very recently, it was uncommon for boards of directors to address cybersecurity risk in a regular and disciplined fashion,” said Bill Phelps, a Booz Allen executive vice president and leader of the firm’s U.S. Commercial business. “Today, boards feel a deep sense of urgency to exercise a central role in improving their firm’s cybersecurity posture through enterprise-level governance and oversight. With this report, Booz Allen and CLTC are empowering directors to think through the tough questions that must be answered to formulate new approaches to govern this rapidly evolving discipline.”
The report identifies four “dynamic tensions” likely to shape board governance and oversight of cybersecurity. These are an organization’s overall risk model or mindset, the distribution of cybersecurity expertise on the board, the balance between cooperation and competition with other enterprises, and the model for information flows between management and the board.
The report also identifies several key areas of agreement among boards that are shaping perspectives and decisions about where to go and how to begin, including:
- Cyber risk is no longer confined to a set of operational decisions to be left solely in the hands of IT management;
- Standard board governance frameworks are not specific enough to create an operational model for cyber risk given the dynamic nature of the threat; and
- Industry sectors differ in their overall exposure and relative sophistication around cyber risk.
While the report affirms there is “no governance template for cyber that can be applied across sectors and level of exposure,” it offers several recommended actions that boards can take to ensure resilient governance from the top, thereby improving a company’s ability to keep up with new and existing cyber threats.
It explained that, in the context of fast-changing regulatory, competitive, and cyber-threat environments, a board should identify its position across these tensions; develop a shared understanding with management about the pros and cons of its position; re-evaluate its position regularly to assess the need for changes or upgrades; and grade itself for effectiveness and adaptability.
“Cybersecurity is now at, or very near, the top of enterprise risks that boards of directors oversee, but few boards feel confident that they know how to do this well,” said Steve Weber, CLTC faculty director and co-author of the report. “Our report offers a new framework for how to govern cybersecurity risk at the board level, and how to improve and evolve governance over time as the threat evolves. The report develops practical answers to the question, ‘What does good cybersecurity governance look like?’”