January 16th, 2017
The NACD (National Association of Corporate Directors) has just released an updated version of its Cyber-Risk Oversight Handbook with key principles for cyber-risk reporting and understanding at the board level. While cyber threats continue to escalate, the NACD noted that only 11% of board members have a high understanding of cyber risks. Cybercrime has nearly overtaken all other financial crimes, with 54% of organizations reporting having experienced it in a 2016 survey (PwC – Global Economic Crime Survey 2016: US Results), yet only 40% of boards “frequently ask about cyber-readiness.”
With this rising tide of concern, NACD saw the need to help boards be better prepared and address cyber risks, with two main approaches:
- Training for boards to increase their understanding & background in the topic
- Key principles on corporate governance of cyber risks at the board level
The handbook provides both boards and corporate security leaders (such as CISOs, CIOs or Security Directors) with best practices on keeping cyber risks both on the regular board agenda and visible through increased reporting and board understanding. The five principles laid out in the NACD handbook are:
- Boards need to understand cyber risks, as an important part of overall enterprise risk
- Boards need to understand the compliance issues related to cyber risk
- Boards need access to cyber risk expertise and discussion as a regular agenda item
- Boards expect security leadership to have a cyber-risk management framework
- Boards will have regular discussion of cyber risks and the plans to avoid, accept, mitigate or cover these risks through cyber insurance
These principles help boards realize the extent of their duties when it comes to overseeing cyber risks: the need to get informed about cyber risks and compliance, the need for access to expertise, the value of frameworks, and most importantly the need for regular discussions. For security leaders, these principles mean much more frequent interaction with the C-Suite and the board, and time spent preparing and translating an array of controls or risk registers into an appropriate conversation with top leadership.
SDS has developed a methodology, MAPP, that has been used successfully for over 5 years to help security leaders better plan, track, evaluate, and communicate the impact of their cybersecurity activities with various stakeholders, including the C-Suite and the board. The MAPP methodology (Maturity Assessment/Profile/Plan) provides security leaders with both the tools and the common language to discuss their security program: how it is addressing risks (through metrics), how and where investments need to be made to improve the program, where greater expertise regarding cyber risk is required, and a framework to support regular communication to the board.
The methodology has been automated in a solution called TrustMAPP that provides these capabilities with assessment, reporting and task planning to make security and cyber risk program improvements. TrustMAPP helps remove the complexity of the hundreds of “controls” that security leaders are normally engaged in. Instead, TrustMAPP groups activities in business processes, which are easier for leadership to grasp and evaluate.
Armed with TrustMAPP at their side, security leaders can confidently walk into the C-Suite or the boardroom, knowing that by using the language of maturity, top leadership will understand areas of strength as well as areas that need improvement. When those areas are identified, TrustMAPP goes one step further and provides time and resource cost estimates for organizations of similar sizes and industries. Another advantage of leveraging TrustMAPP is its built-in support for multiple standard frameworks, including NIST CSF, ISO 27001, GLBA, HIPAA, PCI DSS, FFIEC, FISMA, and SOX.