Schaumburg, Ill. (Jan. 6, 2021) — The recent hack of network monitoring service company SolarWinds, impacting a massive swath of U.S. federal agencies, state and local governments and other organizations, has served as a wake-up call to many enterprises—and likely spurred enterprise leaders and boards of directors to ask their cybersecurity teams about their own cyberrisk.
ISACA's new white paper, Reporting Cybersecurity Risk to the Board of Directors, outlines how cybersecurity and risk professionals can effectively communicate with their boards of directors about cybersecurity and its link to business objectives.
Reporting Cybersecurity Risk to the Board of Directors provides cybersecurity and risk professionals with a foundational understanding of how boards of directors are structured, as well as offers guidance around how to present cybersecurity as a business issue—including helping boards understand their legal and regulatory obligations, the potential disruption to systems, and risk of data loss and theft. The paper also guides cybersecurity and risk professionals in translating information around threat intelligence, risk identification and scenario analysis, risk management, cyberrisk economics and budgeting in ways that will resonate with leadership.
Some approaches for doing so include:
Offering peer comparisons, including through third parties like CMMI, which provides an assessment of enterprise cybersecurity maturity through its CMMI Cybermaturity Platform
Presenting risk quantification through dashboards, illustrating metrics like key performance indicators, key control indicators and key risk indicators in categories like data loss and theft, data reliability, systems reliability and fraud
Applying thresholds in categories of risk capacity, appetite and limits when discussing potential actions the board can take
"It is imperative that board directors understand how cybersecurity risk can impact their business and how vital it is to dedicate resources to reducing that risk and building their enterprise's cyber maturity," says Tracey Dedrick, ISACA board chair, and former EVP and Head of ERM for Santander Holdings US. "In order for that to occur, cybersecurity professionals need to understand how to communicate effectively with directors and how to cultivate those relationships in order to drive that awareness and advance their security goals."
Reporting Cybersecurity Risk to the Board of Directors is complimentary and can be downloaded at https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoEHEA0. Visit www.isaca.org/resources/cybersecurity for additional ISACA cybersecurity resources. For more information on IT risk, including ISACA's complimentary Risk IT Framework and Risk IT Practitioner Guide, visit www.isaca.org/resources/it-risk.
For more than 50 years, ISACA® (www.isaca.org) has advanced the best talent, expertise and learning in technology. ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organizations, and enables enterprises to train and build quality teams. ISACA is a global professional association and learning organization that leverages the expertise of its more than 150,000 members who work in information security, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including more than 220 chapters worldwide. In 2020, ISACA launched One In Tech, a philanthropic foundation that supports IT education and career pathways for under-resourced, under-represented populations.