Corporate Cyber Governance: Owning Cyber Risk at the Board Level
For decades, cyber risk was considered part of information technology (IT) risk and largely delegated to engineering and security teams within an organization. More recently, however, corporate leaders have begun to see cyber risk for what it is: a strategic, enterprise risk, which they—not their Chief Information Security Officer (CISO)—own. Today, given our complex, dynamic, and highly interconnected environment—an environment where nation state adversaries are more active and capable than ever, and where the private sector is on the front lines of the cyber fight—boards and company leadership must consider the critical role they play in national security and ensuring systemic resilience.
To help advance this effort, CISA partnered with the National Association of Corporate Directors (NACD) and the Internet Security Alliance to develop the NACD Director's Handbook on Cyber-Risk Oversight, laying out a framework for considering cyber risk as a function of board governance. As noted in the Handbook’s foreword, we need a new model of sustainable cybersecurity—one that starts with a commitment at the board level to incentivize a culture in which managing cyber risk is treated as a fundamental matter of good governance. Indeed, Board members have unique power to drive such a culture through their actions and decisions:
- They should ensure that CISOs are fully empowered, with the influence and resources necessary to drive decisions in which cybersecurity is effectively prioritized. Decisions to prioritize cost, features, or speed to market over security must be made transparently, with clear ownership by the Chief Executive Officer and the board and with visibility to potentially impacted customers. Cybersecurity, as a matter of safety, should not be allowed to lag significantly behind innovation.
- They should ensure that their peers and the senior executives whom they oversee are well educated on cyber risk, that cybersecurity considerations are appropriately prioritized in every business, technology, and software acquisition decision, and that decisions to accept rather than mitigate cyber risks are scrutinized and revisited often. Relatedly, boards should carefully consider which committee oversees cyber risk: while cyber risk has traditionally been the purview of the audit committee and treated largely as a matter of compliance, a small number of boards are establishing dedicated cybersecurity or technology risk committees to manage cyber risk more effectively.
- They should review their company’s cyber-risk management framework and ensure the development of a common set of standards that the organization can use to determine and measure its exposure to cybersecurity risk.
- They should ensure that the thresholds for reporting potential malicious activity to senior management are not set too high; rather, they should be briefed on “near misses” as well as on intrusion attempts that succeed, since near misses are among the most important signals for assessing the quality of a company’s defenses and its reaction to incidents.
- Finally, board members should actively champion a model of collaboration over self-preservation—one where information about malicious activity is shared proactively with expectations that the government will be responsive and add value, and that industry will not suffer punitive sanction for sharing.
As the nation’s cyber defense agency, CISA’s goal is to advance a new model of sustainable cybersecurity by working collaboratively with our partners to drive down risk to our nation, enabling the broader safety of consumers. The time is now for CEOs and boards to actively embrace corporate cyber responsibility as a matter of good governance, recognizing that every organization has an obligation to reasonably assure the safety of its employees, partners, and customers. This movement can start by ensuring that CEOs and board members are held personally accountable for effectively managing cyber risk and are directly engaged in corporate cybersecurity decisions and the cybersecurity of their companies. As NACD notes, security isn’t an IT function, but rather a culture and set of repeatable practices driven by the CEO and senior executives to reduce risk, wherein cyber literacy is treated like financial literacy: “Not everyone on the board is an auditor, but everyone should be able to read a financial statement and understand the financial language of business.”