NACD Raises the Bar for Boards

Published On: January 16, 2017

January 16th, 2017

The NACD (National Association of Corporate Directors) has just released an updated version of its Cyber-Risk Oversight Handbook with key principles for cyber-risk reporting and understanding at the board level. While cyber threats continue to escalate, the NACD noted that only 11% of board members have a high understanding of cyber risks. Cybercrime has nearly overtaken all other financial crimes with 54% of organizations reporting experiencing in a 2016 survey (PwC – Global Economic Crime Survey 2016: US Results), yet only 40% of boards “frequently ask about cyber-readiness.”

With this rising tide of concern, NACD saw the need to help boards be better prepared and address cyber risks, with two main approaches:

  • Training for boards to increase their understanding & background in the topic
  • Key principles on corporate governance of cyber risks at the board level

The handbook provides both boards and corporate security leaders (such as CISOs, CIOs or Security Directors) with best practices on keeping cyber risks both on the regular board agenda and visible through increased reporting and board understanding. The five principles laid out in the NACD handbook are:

  • Boards need to understand cyber risks, as an important part of overall enterprise risk
  • Boards need to understand the compliance issues related to cyber risk
  • Boards need access to cyber risk expertise and discussion as a regular agenda item
  • Boards expect security leadership to have a cyber-risk management framework
  • Boards will have regular discussion of cyber risks and the plans to avoid, accept, mitigate or cover these risks through cyber insurance

These principles help boards realize the extent of their duties when it comes to overseeing cyber risks, beginning with needing to get informed about cyber risks and compliance, the need for access to expertise, the value of frameworks, and most importantly the need for regular discussions. For security leaders, these principles mean a lot more frequent interactions with the C-Suite and the board, and time spent preparing and translating a array of controls or risk registers into an appropriate conversation with top leadership.

SDS has developed a methodology, MAPP, that has been used successfully for over 5 years to help security leaders better plan, track, evaluate, and communicate the impact of their cybersecurity activities with various stakeholders including the C-Suite and the board. The MAPP methodology (Maturity Assessment/Profile/Plan) provides the security leaders both the tools and the common language to discuss their security program and how it is addressing risks (through metrics), how and where investments need to be made to improve the program, requirements for greater expertise regarding cyber risk and a framework to assist with regular communication to the board.

The methodology has been automated in a solution called TrustMAPP that provides these capabilities with assessment, reporting and task planning to make security and cyber risk program improvements. TrustMAPP helps remove the complexity of the hundreds of “controls” that security leaders are normally engaged in. Instead, TrustMAPP groups activities in business processes, which are easier for leadership to grasp and evaluate.

Armed with TrustMAPP at their side, security leaders can confidently walk into the C-Suite or the boardroom, knowing that by using the language of maturity, top leadership will understand areas of strength, as well as areas that need improvements. When those areas are identified, TrustMAPP goes one step further and provides time and resources cost estimations for organizations of similar sizes and industries. Another advantage of leveraging TrustMAPP is its built-in support for multiple standard frameworks, including NIST CSF, ISO27001, GLBA, HIPAA, PCI DSS, FFIEC, FISMA, and SOX.

Browse These Topics


Assess Company's Security Readiness automate and visualize information security risk management better understanding of their information security management boost the confidence of board members boost the protection of your data corporation’s information security create a security roadmap cyber attack Cyber defense experts cyber security determining cyber risks developing security programs across the business Easy to Understand Data Security Solution effective cyber security software Effective Data Security Measures Good Cyber Hygiene guide development of a strong information security high quality cyber security tools house being robbed Identify Potential Security Weaknesses information security dashboard information security management information security managers information security platform Information Security Programs maintain advanced cyber security maintain the control and strength of your firm’s cyber security manage security programs success Managing information security prioritize security functions professional information security Progressive Data Security Solutions Proposing solutions to cyber threats reliable cyber security platform reliable information security dashboard responsibilities of a CISO risk assessment software stay ahead of potential cyber threats strengthening your company’s security measures strength of your company’s information security strong information security programs vCISO Visualization of Information Security Risk Management Visualize Information Security Risks visual representation of security risk in an organization