As Regulators Raise the Stakes, Boards and Management Continue to Struggle
Translating Operational Risk Into Financial Impact
It is no revelation that you can’t manage what you can’t measure - and at the board level, that means data that support strategic decision making. And yet, the second of three key findings in the new Advanced Cyber Security Center’s (ACSC) report produced by Mass Insight, Leveraging Board Governance For Cybersecurity, Front Line Perspectives on How to Improve the Board / C-Suite Partnership, highlights a continuing major gap in the tools available to support board strategic cyber risk decisions.
Cyber risk frameworks and metrics framed in business and financial terms remain elusive today, preventing boards from playing their fundamental strategic risk governance role. This is the same conclusion the field reported four years ago in our first cyber risk governance report.
While the new SEC regulations raise the stakes for corporate boards to demonstrate cyber risk governance maturity, management has the responsibility to support their board’s governance role.
One of the ACSC’s founding partners put it succinctly:
“The onus should be on the company’s leadership to engage their board in the cyber risk assessment in the context of business and financial risk – and quit trying to snow them with arcane cybersecurity technobabble.”
- Robert Nesbit, Defense Science Board, MITRE senior executive (ret.)
Why is this still the case four years after we raised this fundamental disconnect between management and boards?
First, cybersecurity is a relatively new discipline, without the longstanding historical data that support other business and financial risk analysis.
Second, while industry cyber risk frameworks from groups like FAIR are available to adapt for operating decisions, our executives report they are too detailed for the high-level, non-technical framing that boards require. Sophisticated financial services organizations, for example, are stitching together a customized package of variables for board-level risk decision making.
At the operational level, the NIST CSF remains the most accepted and established among our ACSC membership. And yet, as one board advisor states, “NIST CSF is a benchmark tool. It leads to a false sense of preparedness — this is a point of time — it doesn’t mean you are prepared for a digital disaster. What is the mean time to recovery? What is the cost for every hour and every day we can’t do business?”
A quick NIST CSF pro / con tally for operational and board use looks like this:
Pro for operational use
Largely understandable by non-technical readers
Can be completed quickly or in great detail
Helps an organization understand what’s working
Con for board use
Better suited for diagnostic, organizational, and planning use than for execution (although it doesn’t tell you what to do or how to do it)
Doesn’t frame “identify, protect, detect, respond, and recover” guidance in the context of business risks that boards can understand
As outlined in our report, strategic risk frameworks need a rethink:
“Boards and management should prioritize and support development of a new generation of digital risk and resilience-based frameworks (recommended in 2018 and again today).”
While organizations wait for better frameworks and tools, including automated platforms that incorporate wider ranges of data, ACSC executives and board members and advisors are providing guidance to members on effective board engagement:
Boards and board committees should ask for continuous assessment results, beyond “check-the-box” updates in the context of operational frameworks
Management should use a limited number of operational metrics with Boards, and always connect them to business/financial risk
Management should present risk visually and consistently via risk registers, heat maps, etc.
Check out our in-depth report - filled with key findings and issues, and including the outline of a basic program to guide boards and management: Three Strategic Oversight Responsibilities and Five Lines of Board Questions that can help any organization reach a more mature level of Board Governance of Cybersecurity.