Chapter 2

Board Responsibility for the Ecosystems They Govern

“The biggest issue for a typical board to focus on is how to become cyber-resilient quickly.”

—Brad Smith, President and Chief Legal Officer, Microsoft

The board of directors bears the ultimate responsibility for cybersecurity governance, a responsibility that cannot be transferred to management. Cyber-risk is a form of systemic risk that can only be governed by understanding your business ecosystem: the regularly interacting or interdependent group of elements and subsystems that together make up your business function. Ecosystem elements include assets, processes, and the people who interact with one another both internally and externally. Despite the complexity and changing nature of the ecosystem, boards can govern it effectively by committing to firm-wide organizational, educational, and cultural reforms that build an understanding of the ecosystem sufficient for good governance. Cyber-risk cannot be contextualized and governed without understanding this ecosystem. There are no “check-the-box” solutions.

Change Board Culture on Cybersecurity

Cyber-risk is becoming more complex and chaotic. Market, regulatory, and legal pressures are mounting for boards to take control of cyber-risk and develop better cybersecurity governance practices. Economic damage and litigation exposure are increasing at the same time, while cyber insurers are charging more and covering less. As discussed, the SEC is proposing “SOX-like” disclosure requirements that will drive new board composition and behavior. This leads to the conclusion that major changes in board cultures are inevitable. Boards must choose either to become proactive and get ahead of this problem or to remain reactive, with unknown consequences. Some practical steps and recommendations for changing the board culture follow:

Inform

Directors must be regularly informed about the organization's cybersecurity posture, emerging threats, and the potential business impact of cyber incidents. In addition to providing an internal perspective, providing real-life examples and case studies of other organizations that have experienced significant financial or reputational damage due to cyberattacks can help drive home the importance of this issue.

Engage with the Cyber Community

Encourage board members to attend cybersecurity conferences, workshops, and training sessions to deepen their understanding of the subject matter. Being around the cyber community and other digitally savvy directors will demystify what might seem a foreign and intractable issue.

Self-learning

Education will enable the board to better understand the complexities of cybersecurity and appreciate its critical role in the organization's overall risk management strategy.

Engage Experts

Cybersecurity and technology experts can advise the board on specific threats, best practices, and industry trends. These qualified technology experts (QTEs) can offer valuable insights, ensuring that the board remains up-to-date with the rapidly evolving cyber threat landscape.

Create a Culture of Accountability

Assign specific cybersecurity responsibilities to individual directors. This can include appointing dedicated board members with cybersecurity expertise or establishing a cybersecurity subcommittee responsible for overseeing the organization's cyber risk management efforts.

Organizing for Cyber Resiliency

A strong signal of the importance of cybersecurity as part of enterprise risk management is to elevate the Chief Information Security Officer (CISO) role to report to the C-Suite and also to have a direct channel to the cybersecurity subcommittee, if one exists. Additionally, boards should establish Cybersecurity Risk Committees at both the board and management level. Both committees should interact on a regular basis to evaluate and mitigate existing risks and new risks introduced by changes to the business ecosystem. Such changes could include new digital technologies, acquisitions, divestitures, changing third-party relationships, etc. The management committee should include representatives from all functional areas of the enterprise and be led by the CISO. Additionally, the committee charter should establish clear authorities and responsibilities for committee heads.

Keys to Understanding the Ecosystem

To create a robust cybersecurity culture within an organization, it's essential for all stakeholders, including board members, to grasp the key concepts and vocabulary related to cybersecurity.

Begin by inviting external advisors to collaborate with your management team and board to explore, clarify, and explain the various components of your organization's cybersecurity ecosystem, using easy-to-understand business language. This process can be integrated into the broader risk assessment studies that typically examine potential cybersecurity vulnerabilities.

Broaden the educational scope to encompass the C-Suite, ensuring that both management and the board develop a shared understanding of the ecosystem. Including the CISO in these discussions will enable them to better comprehend the company's risk mitigation objectives. As the fundamental concepts are grasped, continue the education process across all levels of the organization. This shared understanding will facilitate better communication and collaboration between the board, management, and the CISO.

To initiate meaningful discussions, consider addressing the following questions:

  • What are your business' most valuable information assets?
  • Which data is the most crucial to protect?
  • Where is your most critical data hosted?
  • Are there any design flaws in your ecosystem that could be improved?
  • How resilient is your ecosystem against inevitable cyberattacks?
  • What are the cyber vulnerabilities within your ecosystem, and can they be mitigated or eliminated?

As the board and management develop a common language and understanding, it becomes possible to delve deeper into more complex issues. In later chapters, we will expand on these questions to explore topics such as technical debt and the organization's overall security posture. However, comprehending the business ecosystem forms a solid foundation for ongoing conversations and adapting to changes within your organization, whether they stem from digital transformation, shifts in business strategy, or other factors.

The road to proactive cybersecurity governance involves nurturing an enterprise-wide culture that views cyber-risk management from an ecosystem perspective. Investing in organizational, educational, and cultural changes today will significantly enhance your cybersecurity governance. In the following chapters, we will delve deeper into the roadmap for proactive governance.
