Here’s Why The Board Must Be Present In Cyber Strategy

Ignoring Cyber Security Is A Serious Blunder

Dan Gunderman
07/11/2018

Today, cyber security cuts through nearly every fiber of the business, from the security team itself to the general employee base and straight up the corporate ladder to the board.

The increasingly managerial and executive approach to cyber security is not only warranted, given persistent and capable attackers, but is also steadily gaining traction. A growing body of research is pushing C-suite and board-level executives into the cyber realm: decision making, proactive defense and overall business strategy.

A new report from the Directors and Chief Risk Officers Group (DCRO), entitled “Guiding Principles for Cyber Risk Governance,” outlines these very points, highlighting the need for executive presence in cyber strategy – not an absent board.

The report, released in June 2018 by the DCRO, whose membership comprises more than 2,000 board and C-suite officers from 100 countries, pinpoints five “strategies” for senior leaders to consider. In prefacing its points, the DCRO wrote, “A director should understand the full range of cyber risks facing his or her company and encourage management to develop appropriate strategies tailored to the company’s operating environment, risk profile and long-term goals.”

Other call-outs included planning, delegation, and compliance monitoring – with director oversight.

“It’s no longer a question of whether a company will be attacked but more a question of when this will happen – and how the organization is going to prevent it,” the report stated.

These elements in turn lead to further best practices: early-warning indicators, layered defense, and lessons from prior incidents informing tomorrow’s resilience.

The DCRO noted, “Cyber security cannot be guaranteed, but a timely and appropriate reaction can.”

Together, these points foster a culture of security, one in which the security team is neither siloed nor viewed as a barrier to growth or a speed bump, but is welcomed as a legitimate business component.

Additionally, the report’s key points included: cyber security as an enterprise-wide risk, management being accountable for security posture, the Three Lines of Defense model (cyber security teams, risk managers and auditors), recognition of third-party risk and improving the overall culture.

All of these points are valid and should be implemented as best practices; here, we expand on two of them.

In an age of ceaseless public breaches, new black-hat techniques for reaching sensitive information and advances in automation, it is unrealistic to assume that the security team alone can handle overall defense. The network has also grown significantly, and between traditional hacking methods, evasive malware strains and even insider attacks, the Chief Information Security Officer (CISO) certainly has his or her hands full.

That is exactly why security must be embraced and planned for from the highest levels. Recognizing the constantly shifting threat landscape is step one; after that, C-suite and board members should plan and budget accordingly. Today, cross-functional collaboration is what counters attacker sophistication.

The wider question of cyber risk and data governance also comes into play here. Data collection alone has become a hot topic within the security field, and a growing number of enterprises now fall under data privacy regulations that require proper control of the data they hold. On data collection and management, the security team and senior leadership need to be on the same page: the information must be accessible and verifiable in the event of an audit or forensic investigation, among other reasons.

All of these points underscore the permanence of cyber security in the enterprise; it is not going anywhere in the foreseeable future. Accordingly, many people are intimately involved in its performance, and all of them share accountability. The CISO must exercise due diligence over network protection and advocate for security across the wider business, but the remaining members of the C-suite and board must also be aware of the enterprise’s security posture and of ways to improve it.

Otherwise, the immediate aftermath of an incident could be bad press and a public example of poor cyber hygiene.

As the DCRO report noted, “Public scrutiny after cyber-attacks, and the regulators, have made cyber security a board issue and key responsibility.”