A new report from CLTC and Booz Allen Hamilton provides a framework to help boards of directors approach cybersecurity governance and oversight
Rapidly evolving cybersecurity threats are now commanding the attention of senior business leaders and boards of directors, and are no longer only the concern of IT security professionals. A new report released today from UC Berkeley’s Center for Long-Term Cybersecurity (CLTC) and Booz Allen Hamilton (NYSE: BAH) uses insights gleaned from board members with 130+ years of board service across nine industry sectors to offer guidance for boards of directors in managing cybersecurity within large global companies. The report, “Resilient Governance for Boards of Directors: Considerations for Effective Oversight of Cyber Risk,” provides an innovative framework to help boards take a dynamic approach to cybersecurity governance and oversight.
The report reveals that, while many boards regard cybersecurity risk as an “existential threat,” they are not confident they have the information and processes in place to provide effective governance in this high-stakes area of oversight. Board members largely agree they are just getting started with oversight of cybersecurity and believe the cyber-risk environment is not stabilizing or likely to do so in a predictable way over the next few years. At the same time, boards are wrestling with difficult questions, including whether cyber-risk should be addressed as a central part of overall business strategy discussions, and whether it should figure prominently in board-level investment or merger-and-acquisition decisions.
“Until very recently, it was uncommon for boards of directors to address cybersecurity risk in a regular and disciplined fashion,” said Bill Phelps, a Booz Allen executive vice president and leader of the firm’s U.S. Commercial business. “Today, boards feel a deep sense of urgency to exercise a central role in improving their firm’s cybersecurity posture through enterprise-level governance and oversight. With this report, Booz Allen and CLTC are empowering directors to think through the tough questions that must be answered to formulate new approaches to govern this rapidly evolving discipline.”
The report identifies four “dynamic tensions” likely to shape board governance and oversight of cybersecurity. This includes an organization’s overall risk model or mindset; distribution of cybersecurity expertise on the board; balance between cooperation and competition with other enterprises; and the model for information flows between management and the board.
The report asserts that, in the context of fast-changing regulatory, competitive, and cyber-threat environments, a board should identify its position across these tensions; develop a shared understanding with management about the pros and cons of its position; re-evaluate its position regularly to assess the need for changes or upgrades; and grade itself for effectiveness and adaptability.
“Cybersecurity is now at — or very near — the top of enterprise risks that boards of directors oversee, but few boards feel confident that they know how to do this well,” said Steve Weber, CLTC Faculty Director and co-author of the report. “Our report offers a new framework for how to govern cybersecurity risk at the board level, and how to improve and evolve governance over time as the threat evolves. The report develops practical answers to the question, ‘what does good cybersecurity governance look like?’”
The report also identifies several key areas of agreement among boards that are shaping perspectives and decisions about where to go and how to begin, including:
- Cyber risk is no longer confined to a set of operational decisions to be left solely in the hands of IT management;
- Standard board governance frameworks are not specific enough to create an operational model for cyber risk, given the dynamic nature of the threat; and
- Industry sectors differ in their overall exposure and relative sophistication around cyber risk.
While the report affirms there is “no governance template for cyber that can be applied across sectors and level of exposure,” it offers a number of recommended actions that boards can take to ensure resilient governance from the top, thereby improving a company’s ability to keep up with new and existing cyber threats.