NACD Raises the Bar for Boards

Published On: January 16, 2017

The NACD (National Association of Corporate Directors) has just released an updated version of its Cyber-Risk Oversight Handbook with key principles for cyber-risk reporting and understanding at the board level. While cyber threats continue to escalate, the NACD noted that only 11% of board members have a high understanding of cyber risks. Cybercrime has nearly overtaken all other financial crimes, with 54% of organizations reporting having experienced it in a 2016 survey (PwC – Global Economic Crime Survey 2016: US Results), yet only 40% of boards “frequently ask about cyber-readiness.”

With this rising tide of concern, NACD saw the need to help boards be better prepared and address cyber risks, with two main approaches:

  • Training for boards to increase their understanding & background in the topic
  • Key principles on corporate governance of cyber risks at the board level

The handbook provides both boards and corporate security leaders (such as CISOs, CIOs or Security Directors) with best practices on keeping cyber risks both on the regular board agenda and visible through increased reporting and board understanding. The five principles laid out in the NACD handbook are:

  • Boards need to understand cyber risks, as an important part of overall enterprise risk
  • Boards need to understand the compliance issues related to cyber risk
  • Boards need access to cyber risk expertise and discussion as a regular agenda item
  • Boards expect security leadership to have a cyber-risk management framework
  • Boards will have regular discussion of cyber risks and the plans to avoid, accept, mitigate or cover these risks through cyber insurance

These principles help boards realize the extent of their duties when it comes to overseeing cyber risks, beginning with the need to get informed about cyber risks and compliance, the need for access to expertise, the value of frameworks, and most importantly the need for regular discussions. For security leaders, these principles mean far more frequent interactions with the C-Suite and the board, and time spent preparing and translating an array of controls or risk registers into an appropriate conversation with top leadership.

SDS has developed a methodology, MAPP, that has been used successfully for over 5 years to help security leaders better plan, track, evaluate, and communicate the impact of their cybersecurity activities with various stakeholders, including the C-Suite and the board. The MAPP methodology (Maturity Assessment/Profile/Plan) provides security leaders with both the tools and the common language to discuss their security program and how it is addressing risks (through metrics), how and where investments need to be made to improve the program, requirements for greater expertise regarding cyber risk, and a framework to assist with regular communication to the board.

The methodology has been automated in a solution called TrustMAPP that provides these capabilities with assessment, reporting and task planning to make security and cyber risk program improvements. TrustMAPP helps remove the complexity of the hundreds of “controls” that security leaders are normally engaged in. Instead, TrustMAPP groups activities in business processes, which are easier for leadership to grasp and evaluate.

Armed with TrustMAPP at their side, security leaders can confidently walk into the C-Suite or the boardroom, knowing that by using the language of maturity, top leadership will understand areas of strength as well as areas that need improvement. When those areas are identified, TrustMAPP goes one step further and provides time and resource cost estimates for organizations of similar sizes and industries. Another advantage of leveraging TrustMAPP is its built-in support for multiple standard frameworks, including NIST CSF, ISO27001, GLBA, HIPAA, PCI DSS, FFIEC, FISMA, and SOX.