ISACA and IIARF urge corporate boards to promote cybersecurity
The layman's mental picture of a board of directors probably consists of a lot of shark-eyed men and women in immaculately tailored suits seated in leather chairs in an oak-paneled room. They're the people who seize companies out from under the likes of Steve Jobs, order massive layoffs, steer important business decisions in the direction of padding their own stock portfolios, and sometimes send a junior vice-president down to the executive stockroom for Cuban cigars and hors d'âge cognac. (Sorry, boards of directors. It's the recession talking.) All kidding aside, boards play an important role in providing corporate leadership. And now a newly released report suggests that they can use that influence to help organizations take a bite out of cybercrime.
The new report, compiled by IT governance group ISACA and the Institute of Internal Auditors Research Foundation (IIARF), was released on Tuesday at the 2014 Governance, Risk, and Control Conference in West Palm Beach, Fla. The report provides a blueprint for board members to follow in pursuing the implementation of sound cybersecurity practices. One key recommendation is for board members to learn the correct questions to ask in order to properly assess current security controls. Many boards of directors probably don't consider themselves as having responsibility to direct cybersecurity initiatives, but a senior ISACA official said in a press release that it's time for board members to think differently.
"Cybersecurity is a continually growing issue and needs to be a strategic priority of boards of directors. It is not just an IT issue," said Ron Hale, acting chief executive officer of ISACA. "This report is an important collaboration of our organizations, bringing together the global expertise of thousands who are working toward better detecting and mitigating cyberthreats. It urges executives to roll up their sleeves and get involved in the cybersecurity process, and provides concrete questions to get started."
While there are several other primary means of preventing attacks, the report encourages boards to be actively involved in defending against the depredations of cyberthieves, positioning themselves as an important element in the overall array of protective measures. Boards should take responsibility for requiring an annual review of cybersafety protocols, and directing improvements where necessary. The goals of the report, listed at the IIARF website, are as follows:
- Help directors know how they should react to a cybersecurity breach and what to do
- Understand that cybersecurity is an enterprise-wide issue, not just an IT issue
- Know what the auditor's role is in helping the board of directors address cybersecurity
The full report, "Cybersecurity: What the Board of Directors Needs to Ask," is available free of charge from the IIARF bookstore.