Increasingly, executive-level involvement in cybersecurity is becoming an imperative, as everything from regulatory compliance costs to brand reputation hangs in the balance and affects overall corporate finances and strategy. And, as the industry has seen in the aftermath of recent data breaches, those at the helm when cybercrime strikes are often held personally accountable.
ISACA has issued new guidance for boards of directors, who it says must actively participate in measuring and monitoring an organization’s strategy on cybersecurity.
The report, released in tandem with The Institute of Internal Auditors Research Foundation (IIARF), offers in-depth guidance on the key questions board members should be asking and on how they can monitor and influence policies and practices involving cyber-risk.
“This new report captures the theme on which the GRC conference is built by inviting yet another stakeholder — the board — to become involved in assessing and mitigating cyber-risks,” said IIA president and CEO Richard Chambers, in a statement. “It provides the practical guidance that board members need to become active partners in battling cybercrime.”
The guidance builds on five principles cited in a report by the National Association of Corporate Directors (NACD) in conjunction with AIG and the Internet Security Alliance (ISA). It also details how boards must position themselves to provide direction and support for cybersecurity efforts.
It offers strategies and specific direction on several topics, including how boards must stay abreast of legal implications, demand adequate access to cybersecurity expertise, set expectations that management establish an enterprise-wide risk management network, and communicate with management what risks should be avoided, accepted, mitigated or transferred through insurance.
For example, one strategy outlined in the report urges board members to view themselves as a “fourth line of defense” against cyber-risks, providing an additional safety net after management and internal controls (first line); financial controls, risk management, security and other oversight functions (second line); and internal audit (third line).
That means requiring annual “health check” reports that include descriptions and updates on every aspect of cyber protection. The checks should be performed by internal audit or an external security organization, according to the report.
Essentially, ISACA is offering a challenge to board members to be much more involved — or face potential consequences. Citing the high-profile cyber-attack against Target stores during the 2013 holiday season, the report notes that proxy adviser Institutional Shareholder Services recently recommended the ouster of seven of 10 of the company’s directors “for failure to provide sufficient risk oversight.”
“Cybersecurity is a continually growing issue and needs to be a strategic priority of boards of directors. It is not just an IT issue,” said Ron Hale, acting CEO of ISACA. “This report is an important collaboration of our organizations, bringing together the global expertise of thousands who are working toward better detecting and mitigating cyber-threats. It urges executives to roll up their sleeves and get involved in the cybersecurity process, and provides concrete questions to get started.”