NACD Raises the Bar for Boards

Published On: January 16, 2017

The NACD (National Association of Corporate Directors) has just released an updated version of its Cyber-Risk Oversight Handbook, with key principles for reporting and understanding cyber risk at the board level. While cyber threats continue to escalate, the NACD noted that only 11% of board members have a high understanding of cyber risks. Cybercrime has nearly overtaken all other financial crimes, with 54% of organizations reporting that they had experienced it in a 2016 survey (PwC – Global Economic Crime Survey 2016: US Results), yet only 40% of boards “frequently ask about cyber-readiness.”

With this rising tide of concern, NACD saw the need to help boards be better prepared to address cyber risks, through two main approaches:

  • Training for boards to increase their understanding of, and background in, the topic
  • Key principles for corporate governance of cyber risk at the board level

The handbook provides both boards and corporate security leaders (such as CISOs, CIOs or Security Directors) with best practices for keeping cyber risk on the regular board agenda and visible through increased reporting and board understanding. The five principles laid out in the NACD handbook are:

  • Boards need to understand cyber risk as an important part of overall enterprise risk
  • Boards need to understand the compliance issues related to cyber risk
  • Boards need access to cyber-risk expertise, with cyber risk as a regular agenda item
  • Boards expect security leadership to have a cyber-risk management framework
  • Boards will hold regular discussions of cyber risks and of the plans to avoid, accept, mitigate or transfer those risks (for example through cyber insurance)

These principles help boards realize the extent of their duties when it comes to overseeing cyber risk: getting informed about cyber risks and compliance, securing access to expertise, recognizing the value of frameworks, and, most importantly, holding regular discussions. For security leaders, these principles mean far more frequent interactions with the C-Suite and the board, and time spent preparing and translating an array of controls or risk registers into a conversation that top leadership can act on.

SDS has developed a methodology, MAPP, that has been used successfully for over 5 years to help security leaders better plan, track, evaluate, and communicate the impact of their cybersecurity activities to various stakeholders, including the C-Suite and the board. The MAPP methodology (Maturity Assessment/Profile/Plan) provides security leaders with both the tools and the common language to discuss their security program: how it is addressing risks (through metrics), how and where investments need to be made to improve the program, where greater cyber-risk expertise is required, and a framework to support regular communication to the board.

The methodology has been automated in a solution called TrustMAPP, which provides these capabilities with assessment, reporting and task planning for improving the security and cyber-risk program. TrustMAPP helps remove the complexity of the hundreds of “controls” that security leaders normally work with. Instead, TrustMAPP groups activities into business processes, which are easier for leadership to grasp and evaluate.

Armed with TrustMAPP, security leaders can confidently walk into the C-Suite or the boardroom, knowing that by using the language of maturity, top leadership will understand areas of strength as well as areas that need improvement. Once those areas are identified, TrustMAPP goes one step further and provides time and resource cost estimates based on organizations of similar size and industry. Another advantage of TrustMAPP is its built-in support for multiple standards and regulatory frameworks, including NIST CSF, ISO 27001, GLBA, HIPAA, PCI DSS, FFIEC, FISMA, and SOX.
