The Advanced Cyber Security Center (ACSC) has published its first annual report, Leveraging Board Governance for Cybersecurity, the CISO / CIO Perspective, the results of which highlight the need for boards to be active governance partners in collaborative cyber defense.
Recognizing the shared value of collaboration across organizational functions and between and among organizations when talking about cyber defense, the ACSC report calls upon boards to adopt a holistic and dynamic understanding of their organization’s cybersecurity responsibilities. In addition, boards are encouraged to maintain continuous direct access to CISOs and risk officers as well as with CIOs and other executives.
The report found, “For the most part, boards are not in a position to provide strategic guidance on cyber risk,” said Michael Figueroa, executive director of the ACSC in a press release. “In particular, the ACSC report has identified a need for a risk standard, much like those frameworks that financial and audit risk functions have refined over decades, that would help guide decision making and operations as they relate to cyber risk management.”
As part of the study, 20 ACSC member CISOs and CIOs from a wide range of organizations across multiple sectors worked in conjunction with four outside experts. Collectively, the focus group shared perspectives which revealed common themes and perceptions about board engagement as it relates to board-management relationship.
““I can’t help but agree with the observations, in that all but the smallest organizations should have the CISO role defined as the go-to person for security,” said Mukul Kumar, chief information security officer and VP of cyber practice at Cavirin.
“He or she manages up to others in the C-suite and the board, and ties together strategy across DevOps, SecOps, risk and compliance. The best example of a failure to clearly establish roles, responsibilities and lines of reporting is clearly outlined in the House committee report on the Equifax breach.”
According to the report findings, the board-management relationships are only in the nascent or maturing stages, which indicates that in most cases the boards are not effectively guiding management in making strategic risk-based decisions.
In addition, most boards are bereft of individuals with any real cyber expertise. The report recommended that they should make efforts to recruit members who can augment the board’s ability to build strategic partnerships that provide guidance specifically related to cyber risk.
“Boards should prioritize and support senior management’s development of a new generation of outcome-based cyber risk management frameworks, and in the meantime, executives should use only a few operational metrics with boards,” the report stated.
I see articles like this one, reporting on reports like this one, and only in specific circumstances do we see the kind of collaboration prescribed.