Board Governance of Cybersecurity Risk
How can boards play a more strategic role in cybersecurity governance and oversight? Where is the state of the art, and where is it heading? These questions motivate CLTC’s research on board governance of cyber risk. Cyber risk requires a different and more dynamic governance model than is common among boards for handling other risks, a mindset we define as “resilient governance.”
Drawing on insights gleaned from board members with 130+ years of board service across nine industry sectors, this report identifies four “dynamic tensions” likely to shape board governance and oversight of cybersecurity. Resilient Governance for Boards of Directors: Considerations for Effective Oversight of Cyber Risk provides an innovative framework to help boards take a dynamic approach to cybersecurity governance and oversight.
The Cyber Oversight Effectiveness Development (COED) framework is designed to help boards of directors gain a deeper understanding of their current capabilities, including areas where they need to improve. Through structured activities, the framework can increase board members’ individual and collective self-awareness and help them move from a reactive posture toward a stance that is both proactive and resilient.
Coming Soon: Cybersecurity in Mergers and Acquisitions
The current approach to mergers and acquisitions (M&A) underrepresents cybersecurity risk, eroding deal value and causing difficult-to-determine consequences for financial performance. CLTC is conducting research — including interviewing security organizations, board members, lawyers, technologists, bankers, consultants, and other actors — to develop a generalized framework for improving cybersecurity risk management and oversight in M&A.
Our research has been covered in a variety of outlets, including Politico, CIO Dive, CyberWire, Bloomberg, Journal of Cyber Policy, Yahoo! Finance, TechCrunch, ExecutiveBiz, MSSP Alert, Pittsburgh Post-Gazette, Morningstar, and others.
- Watch a video by TechRepublic about why corporate boards are unprepared to handle cybersecurity risks, featuring the Resilient Governance for Boards of Directors research.
- Read a breakdown of an article by Help Net Security: “How to govern cybersecurity risk at the board level”.
- Read about a roundtable discussion with industry experts on the future of graduate cybersecurity education.
- Read our article in Harvard Business Review on risk communication.
We are grateful to the external partners with whom we’ve collaborated on this work, including Booz Allen Hamilton, Tapestry Networks, King & Spalding, and Cisco.