The report urged boards to adopt a comprehensive and dynamic understanding of their organisations’ cyber security responsibilities and to maintain regular direct access to CISOs and risk officers in conjunction with CIOs and other executives.
The report, based on a survey of 20 ACSC member CISOs and CIOs from diverse organisations and interviews with external experts, was intended to provide a perspective on the current state of board engagement in cyber security.
It also described the benefits and challenges of maturing board engagement and included recommendations for model board engagement.
The New England-based ACSC is a federally registered regional information sharing and analysis organisation (ISAO) aimed at encouraging cross-sector collaboration and promoting effective practices to help organisations strengthen their cyber defences.
According to the report, in most cases the board partnership with management is still “at an early stage” or in a “maturing phase” in its ability to provide strategic guidance and help guide management’s strategic risk judgements.
Because most boards do not yet have sufficient expertise in technology or cyber security to serve as strategic thought partners on cyber risk, the report recommended that they should recruit board members with broad digital or technology expertise, develop an annual curriculum of cyber briefings, provide ongoing training and use third-party assessments.
A key finding of the survey was that placing cyber security in an organisational silo at the operational or board level makes it difficult to develop a comprehensive and nuanced understanding of cyber security’s impact on business risk.
Boards generally spend one meeting a year on cyber security, delegating responsibility to the risk or audit committee, leaving the full board with little time to develop expertise on the cyber risks, the survey showed.
The report recommended that CISOs and CIOs should present jointly at board meetings to provide a comprehensive view of digital strategies and security.
“Boards as a whole should review cyber security more consistently as a business risk and the risk or audit committee should be used for more frequent (at least quarterly) cyber reviews,” the report said.
The survey showed that as cyber security budgets continue to grow, two issues have arisen. The first is “budget fatigue” and the second is that cyber security investments are seen as “separate” from IT investments and so do not represent a complete picture of security spend.
In terms of overseeing cyber security and digital transformation budgets, the report recommended that boards should present digital transformation budgets as a whole, with cyber security investments as an element of overall IT-related decisions about where to invest in growth and security.
Boards and management require cyber risk frameworks that provide a means to make informed risk judgements, the report said, noting that cyber security has not yet developed the standard risk frameworks that financial and audit risk functions have.
In the light of this fact, the report recommended that boards should prioritise and support senior management’s development of a new generation of outcome-based cyber risk management frameworks. “In the meantime, executives should use only a few operational metrics with boards,” it said.
Michael Figueroa, executive director of the ACSC, said the report examines the reality that, for the most part, boards are not in a position to provide strategic guidance on cyber risk.
“In particular, the report has identified a need for a risk standard, much like those frameworks that financial and audit risk functions have refined over decades, that would help guide decision-making and operations as they relate to cyber risk management,” he said.