If you’re a board member looking to get your arms around cybersecurity – or a CISO or other IT risk officer looking to win the admiration and support of your board – Jack Jones, the FAIR model creator and cyber risk guru, and James Lam, the enterprise risk management authority, have some very specific recommendations in an article just published by the National Association of Corporate Directors (NACD): “Getting the Right Cybersecurity Metrics and Reports for Your Board.”
Jack and James argue that boards should get reporting on cybersecurity that’s on a par with enterprise risk management standards – not in tech-speak, but with financially based results that are transparent, benchmarked against peer companies, and supportive of the kinds of oversight that boards are required to exercise, including resource allocation, security controls, insurance, and compliance with public-company reporting requirements (see the SEC’s new guidance on cyber risk disclosure).
The authors suggest these questions as the framework for ongoing board-level discussions on cyber risk.
- What is the threat environment that we face?
- What is our cyber-risk profile as defined from the outside looking in?
- What is our cyber-risk profile as defined by internal leadership?
- What is our cyber-risk exposure in economic terms?
- Are we making the right business and operational decisions?
Read their article for recommendations on answering each of the questions, backed up with solid data.