One of the biggest challenges facing heads of information security is the ability to effectively communicate the value of their team’s efforts across the organization, especially to the decision-making executives that lack the technical understanding of the cybersecurity threat and risk landscape.
In an effort to reduce the knowledge gap and raise awareness at the board level, the National Association of Corporate Directors (NACD), in collaboration with the Internet Security Alliance (ISA) and the American International Group (AIG), released the NACD Directors’ Handbook on Cyber-Risk Oversight.
Endorsed by the Department of Homeland Security (DHS), the handbook is the first publicly available document designed to guide board executives through five key principles to enhanced cyber risk oversight in a language that connects security to key business decisions.
Larry Clinton, President and CEO of the Internet Security Alliance, states that the handbook substantively elevates the conversation about cybersecurity: “What we are doing in the effort [of this handbook] is beginning to connect the dots between the operational issues that have dominated the cyber security discussion and the strategic issues that business leaders actually deal with.”
The handbook outlines the following five principles all corporate boards should consider:
1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
This principle highlights the importance of managing cybersecurity from “a strategic, cross-departmental and economic perspective,” in which corporate boards should ensure that management is evaluating cybersecurity with regard to the larger ecosystem in which the company operates. Cybersecurity should be addressed regularly in board and/or committee meetings alongside other strategic business plans.
2. Directors should understand the legal implications of cyber-risks as they relate to their company’s specific circumstances.
This principle suggests that boards should be aware of the legal risks posed to the corporation in the event of a high-profile attack, including the disclosure procedures and requirements issued by the Securities and Exchange Commission (SEC).
3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
Recent studies show that boards often do not receive regular, comprehensive reports on privacy and security risks, making it difficult to adequately oversee these priorities. In addition to increasing access to cyber risk expertise, this principle recommends that boards receive enhanced reports that disclose actionable metrics and beneficial information.
4. Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget.
This principle offers an integrated approach to managing cyber risk, including establishing ownership of responsibilities, appointing cross-organizational management teams and developing a proper budget of sufficient resources.
5. Discussion of cyber-risks between boards and senior managers should include identification of which risks to avoid, accept, mitigate or transfer through insurance as well as specific plans associated with each approach.
Lastly, this principle discusses various critical questions that directors and management teams should contend with, such as the organization’s risk tolerance, its investments, choosing the right solutions and conducting impact assessments.
“Conscientious and comprehensive oversight at the board level is essential,” said Mark Camillo, head of cyber products for the Americas Region for AIG. “The complexity of cyber threats has grown dramatically over the past decade and as the intricacy of attacks increases, so does the risk they pose to corporations.”
By offering these pragmatic guidelines to board members, the collaborating organizations and contributors, representing more than 20 organizations, hope this set of best practices can assist business leaders and the industry as a whole to “enhance the coherence of our nation’s overall approach to cyber security.”
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].