New Cyber Guide for Boards Stresses Collaboration

The National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA) released the fourth edition of the Director’s Handbook on Cyber-Risk Oversight in March 2023.[1] The latest version reflects changes in cybersecurity and risk since the third edition was published in early 2020, including the increased prevalence of ransomware attacks targeting the global supply chain and the rise of remote workforces. 

The updated guidance comes amid mounting pressure for boards to better understand and oversee cyber risk management. The vast majority (83%) of board members surveyed by the NACD last year said that they had significantly improved their understanding of cyber risk over the preceding two years.[2] The presence of actual cybersecurity experience on a board can offer significant benefits as well. As the CTO of a financial services firm with several cyber-experienced directors noted in Mimecast’s Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk report, “The biggest advantage of this is that these specific board members can educate other board members on cybersecurity related matters.” While board-level cyber experience remains the exception rather than the rule, CISOs and CIOs also play a critical role in educating their boards, and best practices like those provided by the NACD and ISA bolster these efforts.

The handbook’s biggest addition — a sixth key principle encouraging collaboration — stresses that businesses should expand their cybersecurity networks to work more closely with industry partners and government entities. In the increasingly connected global economy, business systems are more integrated than ever. A threat to one party can spread, compromising data far beyond the initial victim. For example, less than two months prior to the handbook’s publication, the Cybersecurity & Infrastructure Security Agency (CISA) identified a massive ransomware attack on a major cloud services provider. This attack affected over 3,800 servers globally after malicious actors were able to exploit vulnerabilities in an unpatched version of the vendor’s software.[3] With greater cooperation, the handbook explains, the private and public sector can alert each other to risks, share best practices and — if successful attacks do occur — catch cybercriminals and recover files. 

Updates to the Original Five Cybersecurity Key Principles

The 2023 edition of the handbook adds new key considerations for the board regarding its original five key principles. The updated advice is summarized below.

1. Cybersecurity is a strategic, enterprise risk, not only limited to IT. A zero-trust architecture for cybersecurity practices can help limit data breaches by verifying every attempt to access data — regardless of the user — and has been endorsed by the U.S. government.[4]
2. Companies should be aware of the specific legal implications related to their cyber risks. Businesses often use outside counsel and expert consultants to regularly assess liabilities for existing and new business endeavors. Businesses should also monitor any upcoming data privacy laws or litigation to prepare for any potential changes. 
3. Boards should give regular and adequate time in board meetings to cybersecurity. Oversight should be integrated into both existing board meetings and the onboarding process through regular cybersecurity briefings from the CISO or equivalent officers. To promote a company-wide culture that prioritizes cybersecurity, companies can spread responsibility and accountability throughout the board, rather than relying on just one cybersecurity expert.
4. Directors should implement an enterprise-wide framework for managing cyber risks with structured reporting and sufficient budgets and staff. There is no “one-size-fits-all” cybersecurity framework, and the handbook emphasizes the need for carefully choosing appropriate technical and management strategies. Many companies opt to mix and match frameworks to find strategies that work best for their businesses.
5. Boards should identify and quantify potential financial exposure to create specific plans to accept or mitigate risks. No strategy can guarantee protection from cybercrime, and the board of directors should understand that some risk is the “cost of doing business in the digital economy.” But by measuring and reporting cyber risks and their potential impacts to the board, CISOs can work with directors to create effective strategies to prioritize, mitigate, and manage risks.

Why Collaboration is Critical

The handbook’s newly added sixth key principle is adapted from a previous publication on board governance of cyber risk produced in partnership by the NACD, ISA and the World Economic Forum. It reads: “Boards should encourage systemic resilience through collaboration with their industry and government peers and encourage the same from their management teams.” 

The new principle emphasizes the importance of collective action to meet the challenges of maintaining cyber resilience in the modern age. Collaboration should be encouraged from the top down and organizations should consider the environmental, social, and governance impacts of their actions on a broader range of stakeholders, according to the 2023 handbook. Each organization can be its “brother’s keeper,” as the handbook puts it, by maintaining security standards while remaining connected through the Internet. True cyber resilience requires active collaboration between companies, government bodies, and communities, the sixth principle explains.

Implementing Effective Collaboration

The handbook recommends five key considerations for the board when implementing principle six. It advises boards of directors to:

1. Develop a 360-degree view of risk and resiliency to ensure the organization maintains a level of social responsibility within the areas in which the business operates. Many businesses rely on multiple products and strategies to maintain rigorous and layered security standards, often called a defense-in-depth approach. But discrete security tools require effective integration to prevent exposure to unnecessary risks — both for individual companies and their business partners.
2. Network with other board members to share best practices. Some risk managers are predicting that recent global threats are only the beginning of a new phase in cyberattacks and that new technologies such as 5G will create more opportunities for systemic attacks. Businesses can share threat intelligence and best practices across institutional boundaries to help improve industry-wide cybersecurity standards and avoid widespread breaches.
3. Create management plans to collaborate and share security and resilience information. Management should regularly share information with private and public sector collaborators to improve security on an ongoing basis. With a consistent flow of more broadly-sourced information, businesses can refocus security procedures to take a more proactive role in keeping their data protected. Many CISOs rely on external tools and products to provide predictive threat intelligence and determine if current security measures are sufficient to prevent future threats — including attacks that are currently being levied on peers.
4. Analyze risks created by external relationships, such as partners and third-party vendors. Companies working with other parties — whether through close partnerships or tertiary relationships — should consider vulnerabilities brought on by these connections. For example, the CISO at a well-known shoe manufacturer and retailer assesses the security maturity of potential suppliers before partnering with them. If security controls are not up to the CISO’s standards, the business finds a new supplier instead.
5. Encourage knowledge sharing through sector-specific information sharing and analysis centers (ISACs) and/or cross-sectoral information sharing organizations (ISOs). Knowledge-sharing platforms can raise cybersecurity awareness levels and create real-time response capabilities. Oklahoma, for example, overhauled its cybersecurity infrastructure and created the Oklahoma Information Sharing and Analysis Center (OK-ISAC) in late 2020, bringing together public and private sector members to exchange intel, best practices, and lessons learned.

How CISOs and CIOs Can Work with the Board

As boards of directors take ever more interest in the oversight of cyber risk management, CISOs and CIOs play a critical role in providing ongoing education and information. 

To effectively communicate with board members, cybersecurity and technology leaders need to speak the board’s language and focus on business risks — not technical jargon. By keeping cybersecurity risk briefings open and honest, CISOs can give board members realistic expectations and a baseline understanding of the challenges the company faces. In addition, IT and cyber leaders can bring relevant context to board meetings, such as recent newsworthy data breaches, to illustrate specific business risks before showing how the business is protected and what more needs to be done. Once a common understanding is reached, cyber and IT leaders can work with the board to develop strategies, such as targeted security measures and cybersecurity awareness training for staff.

The Bottom Line

The 2023 Director’s Handbook on Cyber-Risk Oversight outlines cybersecurity guidelines for boardroom practices based on current trends and threats. In addition to updating the five key principles from previous handbooks, this edition adds a new principle emphasizing the need for collaboration with industry partners and government entities to encourage systemic resilience in the face of increasingly prevalent global malware attacks. Cybersecurity experts can use these new guidelines to effectively communicate new strategies to boards and ensure cybersecurity is a priority throughout the company. Read Mimecast’s Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk for more information on the board of directors’ role in managing cyber risk.

[1] “2023 Director's Handbook on Cyber-Risk Oversight,” NACD

[2] “2022 NACD Private Company Board Practices and Oversight Survey,” NACD

[3] “ESXiArgs Ransomware Virtual Machine Recovery Guidance,” Cybersecurity & Infrastructure Security Agency

[4] “Executive Order on Improving the Nation’s Cybersecurity,” The White House