About David X Martin

David X Martin is a veteran financial executive whose career includes stints at PricewaterhouseCoopers (PwC), Citibank, and AllianceBernstein. He has extensive experience working with regulators and sovereign governments, and at one time or another has overseen investable assets, investment strategies, operations, quantitative research, distribution channels, trading, and investment banking. He also has extensive experience running financial holding companies, overseeing acquisitions and the creation of new banking businesses.

Guiding Principles for Cyber Risk Governance: Principles for Directors in Overseeing Cybersecurity

The purpose of this document is to provide boards of directors a set of Guiding Principles to enable the implementation of an effective cybersecurity program. A director should understand the full range of cyber risks facing his or her company and encourage management to develop appropriate strategies tailored to the company’s operating environment, risk profile, and long-term goals.

Any effective cyber program needs careful planning, smart delegation, and a system for monitoring compliance, all of which directors should oversee. It is no longer a question of whether a company will be attacked but of when, and of how well the organization detects, contains, and recovers from the attack. Smart network surveillance, early warning indicators, multiple layers of defense, and lessons from past events are all critical components of true cyber resilience. When things go wrong, whether in a major or minor way, the ability to quickly identify and respond to a problem will determine the company's ultimate recovery.

Cybersecurity cannot be guaranteed, but a timely and appropriate reaction can.

Longer term, the board should understand and consider the strategic business implications of cybersecurity, foster the right company culture surrounding security, and encourage the integration of cyber risk management practices into other governance and approval processes. In essence, the board should consider cybersecurity as a managerial issue, not just as a technical one.


The Ongoing Battle of Cybersecurity

Cybersecurity is not only a technical issue. It is a managerial problem that requires a new approach to risk management.

Imagine going down a river in a rowboat. Water seeps in, and you cannot see below the waterline, the part of the hull that in cyber terms is your attack surface. While on the river, you bail the water out, and upon arriving back onshore you patch the most obvious holes. The very next day, you purchase a new product that promises to make the bottom of your boat absolutely watertight. Now, feeling highly confident that you have solved yesterday's problem, you take the rowboat out on the river again. This time, you go over a waterfall and wreck the boat.
