Jack and James argue that boards should get reporting on cybersecurity that is on a par with enterprise risk management standards: not tech-speak, but financially based results that are transparent and benchmarked against peer companies. Such reporting should support the kinds of oversight boards are required to exercise, including resource allocation, security controls, insurance, and compliance with public-company reporting requirements (see the SEC’s new guidance on cyber risk disclosure).
The authors suggest these questions as the framework for ongoing board-level discussions on cyber risk.
Read their article for recommendations on answering each of the questions, backed up with solid data.
Related:
Gartner Names Risk Quantification a Critical Capability of Integrated Risk Management