How to govern cybersecurity risk at the board level

Rapidly evolving cybersecurity threats are now commanding the attention of senior business leaders and boards of directors and are no longer only the concern of IT security professionals.

A report from University of California, Berkeley’s Center for Long-Term Cybersecurity (CLTC) and Booz Allen Hamilton uses insights gleaned from board members with over 130 years of board service across nine industry sectors to offer guidance for boards of directors in managing cybersecurity within large global companies.

Board members just getting started with oversight of cybersecurity

The report reveals that, while many boards regard cybersecurity risk as an “existential threat,” they are not confident they have the information and processes in place to provide effective governance in this high-stakes area of oversight.

Board members largely agree they are just getting started with oversight of cybersecurity and believe the cyber risk environment is not stabilizing or likely to do so in a predictable way over the next few years.

At the same time, boards are wrestling with difficult questions, including whether cyber risk should be addressed as a central part of overall business strategy discussions, and whether it should figure prominently in board-level investment or merger-and-acquisition decisions.

“Until very recently, it was uncommon for boards of directors to address cybersecurity risk in a regular and disciplined fashion,” said Bill Phelps, a Booz Allen executive vice president and leader of the firm’s U.S. Commercial business.

“Today, boards feel a deep sense of urgency to exercise a central role in improving their firm’s cybersecurity posture through enterprise-level governance and oversight.”

Govern cybersecurity risk

The report identifies four “dynamic tensions” likely to shape board governance and oversight of cybersecurity: an organization’s overall risk model or mindset, the distribution of cybersecurity expertise on the board, the balance between cooperation and competition with other enterprises, and the model for information flows between management and the board.

The report asserts that, in the context of fast-changing regulatory, competitive, and cyber-threat environments, a board should identify its position across these tensions; develop a shared understanding with management about the pros and cons of its position; reevaluate its position regularly to assess the need for changes or upgrades; and grade itself for effectiveness and adaptability.

Key areas of agreement among boards

The report also identifies several key areas of agreement among boards that are shaping perspectives and decisions about where to go and how to begin, including:

  • Cyber risk is no longer confined to a set of operational decisions to be left solely in the hands of IT management;
  • Standard board governance frameworks are not specific enough to create an operational model for cyber risk given the dynamic nature of the threat; and
  • Industry sectors differ in their overall exposure and relative sophistication around cyber risk.

While the report affirms there is “no governance template for cyber that can be applied across sectors and level of exposure,” it offers several recommended actions that boards can take to ensure resilient governance from the top, thereby improving a company’s ability to keep up with new and existing cyber threats.