The purpose of this document is to provide boards of directors a set of Guiding Principles to enable the implementation of an effective cybersecurity program. A director should understand the full range of cyber risks facing his or her company and encourage management to develop appropriate strategies tailored to the company’s operating environment, risk profile, and long-term goals.
The specific needs of any effective cyber program include careful planning, smart delegation, and a system for monitoring compliance — all of which directors should oversee. It’s no longer a question of whether a company will be attacked but more a question of when this will happen — and how the organization is going to prevent it. Smart network surveillance, early warning indicators, multiple layers of defense, and lessons from past events are all critical components of true cyber resilience. When things go wrong, whether in a major or minor way, the ability to quickly identify and respond to a problem will determine the company’s ultimate recovery.
Cybersecurity cannot be guaranteed, but a timely and appropriate reaction can.
Longer term, the board should understand and consider the strategic business implications of cybersecurity, foster the right company culture surrounding security, and encourage the integration of cyber risk management practices into other governance and approval processes. In essence, the board should consider cybersecurity as a managerial issue, not just as a technical one.