Following the release of the Cyber-Risk Oversight Handbook, cybersecurity guidelines drafted specifically to inform corporate boards and strengthen their oversight of cyber-based risks, the Internet Security Alliance's President Larry Clinton moderated a panel discussion on the strategic decisions corporate boards must face as they learn to manage the growing cyber threat.
The publication, drafted by the ISA in collaboration with the American International Group (AIG) and the National Association of Corporate Directors (NACD), advocates strategies for a broad spectrum of board-level considerations related to cybersecurity efforts, including guidance on board composition, potential liability implications, security event disclosure issues, gaining access to relevant security expertise, and the calibration of an organization’s risk appetite.
“This Handbook is the first document that places corporate management activities such as implementation of the NIST framework within a context that corporate boards of directors face such as profitability, growth, innovation, and PE ratios,” Clinton said.
“Until we weave cyber security into board-level discussions on topics such as mergers, acquisitions, product launches and the other core business decisions, we will not create the sustainable model of cybersecurity management that the evolving threat demands.”
The panel was held during the NACD’s first ever conference devoted to the topic of cybersecurity, where Clinton was joined by AIG’s Gil Vega, who emphasized that with modern cyber threats, perimeter defenses alone are simply not adequate.
Vega said boards of directors need to come to terms with the fact that their organizations will be attacked at some point, and that they need to prepare now for such events rather than making snap decisions while in a crisis mode.
Another contributor to the Handbook, Marc Sachs, VP at Verizon, joined NIST senior policy advisor Adam Sedgewick in a panel discussion describing how government and industry are working together in partnership, especially with respect to critical infrastructure protection. Randy Trzeciak of Carnegie Mellon University spoke on the insider threat and presented a series of best practices boards should consider in addressing this aspect of cyber security.
ISA was the only trade association represented at the NACD conference as an organization, and several members of its board were also brought in to present to the attendees. “ISA was naturally delighted to have been selected by NACD to put together the handbook for cyber security that will be distributed to corporate board members across the country,” said Clinton.
“ISA has always believed cyber security is not an ‘IT’ issue. It’s an enterprise-wide risk management issue, and there is no better vehicle to communicate that than through the membership of the NACD. We are delighted and honored to be working with them.”