Global Directors Are Focused on Cybergovernance

A spotlight has been cast upon directors who fail to exercise proper oversight of cyber risk. Will it fade with time, or will its intensity increase? Is the issue confined to the United States, or is it destined to become a global concern?

In its recent press release, the Global Network of Director Institutes (GNDI) issued a new policy perspective on the growing importance of cybergovernance. GNDI is the international network of director institutes, with member institutes representing over 100,000 directors from a wide range of organizations. In addition to the National Association of Corporate Directors (NACD) in the United States, 15 similar organizations throughout North and South America, Europe, and Asia are members.

In the new policy perspective, GNDI highlights several guiding principles for cybersecurity oversight that support its call for global solutions to this global issue:

The goal of board oversight should be “cyber resilience.”

All boards should urge their organization to develop cyber resilience. The term, coined by Mitre Corporation, is defined as “the ability of an enterprise to anticipate, withstand, recover from, and evolve to improve capabilities in the face of adverse conditions, stresses or attacks on the supporting resources it needs to function.”

Cybersecurity is more than technology, encompassing the people, processes, and technology involved in moving a company toward cyber resilience.

The board’s role is to oversee all three elements of cyber resilience. Directors must not manage the organization, but they “need to be familiar with the general effectiveness of the people, processes, and technology within the entities entrusted to their care. The board of directors needs to understand the big picture – the essential components of the entity they are overseeing and how they can oversee it effectively.”

The board should make one of the officers reporting to the board specifically accountable for cybersecurity governance.

Today, boards who review cyber risk regularly are usually updated by someone in the IT organization. GNDI makes the point that cybergovernance has become a “fourth estate” and cybersecurity is a key contributor to risk over and above traditional sources. The responsibility for cybersecurity oversight should be assigned to an officer of the company who reports to the board regularly. One solution receiving recent widespread support is the notion of elevating the role of Chief Information Security Officer to become a corporate officer.

Boards should adopt a recognized industry framework to stay informed of specific operational, reporting, and compliance aspects of cybersecurity.

GNDI mentions several frameworks available to boards for adoption, without trying to be prescriptive. Two of the most respected frameworks and models are (1) the Framework for Improving Critical Infrastructure Cybersecurity from the National Institute of Standards and Technology (NIST), and (2) the Cybersecurity Capability Maturity Model (C2M2) developed by the Department of Energy. Cybernance has integrated the NIST framework with C2M2 to create the Cybergovernance Maturity Oversight Model (CMOM) that is specifically designed for use by boards in cybergovernance.

Directors’ assessment of enterprise risk must be overseeing technology that is embedded into the operation of almost every modern business.

To build the cyber resilience recommended by its policy paper, GNDI suggests that “technology should be built into the DNA of business operations and thus become part of directors’ assessment of enterprise risk.” In other words, directors should be vigilant in guiding the organization’s use of technology across the organization in ways that mitigate risk.

GNDI has accentuated the global nature of the threats facing board members. Actions to hold directors and officers personally liable after cyber breaches and calls to develop compliance standards for cybersecurity are accelerating. Smart CEOs and board members are not waiting for compliance measures and are becoming proactive about increasing support for the board’s vital role in cybergovernance.