How can boards play a more strategic role in cybersecurity governance and oversight? Where is the state of the art, and where is it heading? These questions motivate CLTC’s research on board governance of cyber risk. Cyber risk requires a different and more dynamic governance model than is common among boards for handling other risks, a mindset we define as “resilient governance.”
Research
QuantiSec Model | Boards’ Accounting for Cybersecurity
This reporting template was developed at the Center for Long-Term Cybersecurity and EM Strasbourg Business School to supply security executives, investors and companies across industries with an instrument for monitoring, disclosing, and evaluating risks and opportunities related to cybersecurity.
Moving Left and Right: Cybersecurity Processes and Outcomes in M&A Due Diligence
This study from the Center for Long-Term Cybersecurity presents a model framework to help organizations improve their consideration of cybersecurity risk as part of a merger or acquisition (M&A). Developed through interviews with academics and practitioners who are experts in M&A, the report, Moving Left and Right: Cybersecurity Processes and Outcomes in M&A Due Diligence, integrates insights and best practices to improve due diligence for security risk. The framework addresses three primary factors: 1) key business considerations that are germane to each phase in the deal cycle; 2) the cyber risk questions that should be the focus of investing teams, executives, and cyber auditors at each stage; and 3) desired outcomes, the conclusions that investing teams, executives, and cyber auditors should be able to draw.
Resilient Governance for Boards of Directors
Drawing on insights gleaned from board members with 130+ years of board service across nine industry sectors, this report identifies four “dynamic tensions” likely to shape board governance and oversight of cybersecurity. Resilient Governance for Boards of Directors: Considerations for Effective Oversight of Cyber Risk provides an innovative framework to help boards take a dynamic approach to cybersecurity governance and oversight.
Cyber Oversight Effectiveness Development (COED) Framework
The Cyber Oversight Effectiveness Development (COED) framework is designed to help boards of directors gain a deeper understanding of their current capabilities, including areas where they need to improve. Through structured activities, the framework can increase board members’ individual and collective self-awareness, and move from a reactive posture toward a stance that is both proactive and resilient.
Media
Our research has been covered in a variety of outlets, including Politico, CIO Dive, CyberWire, Bloomberg, Journal of Cyber Policy, Yahoo! Finance, Tech Crunch, Executive Biz, MSSP Alert, Pittsburgh Post Gazette, Morning Star, and others.
- Watch a video by TechRepublic about why corporate boards are unprepared to handle cybersecurity risks, featuring the Resilient Governance for Boards of Directors research.
- Read a breakdown of an article by Help Net Security: “How to govern cybersecurity risk at the board level”.
- Read about a roundtable discussion with industry experts on the future of graduate cybersecurity education.
- Read our article in Harvard Business Review on risk communication.
Partners
We are grateful to the external partners with whom we’ve collaborated on this work, including Booz Allen Hamilton, Tapestry Networks, King & Spalding, and Cisco.