Risk Intelligent Governance in the Age of Cyber Threats
What you don’t know could hurt you
Continuing reports of cyberattacks on high-profile businesses – as well as recent SEC guidance urging companies to consider disclosing cybersecurity incidents – are prompting boards of directors to start exploring cyber threat risk with their executive teams in earnest.
However, at many companies, boards may experience unexpected challenges at the very first step: understanding the company’s current exposure to cyber threat risk and its effectiveness in managing it. The frequent problem is that the greater a company’s need for effective governance over cyber threat risk, the harder it can be for boards to learn enough about the issue to provide it. Until a company reaches a certain level of sophistication, it simply may not have the language, metrics, or technology in place to offer boards clear answers about cyber threat risk exposure and effectiveness.
Fortunately, there’s a way out of the catch-22. In "Risk intelligent governance in the age of cyber threats", we describe how a maturity-based view of four specific “leading practices” in cybersecurity can give boards valuable insights on a company’s cyber risk management strengths and weaknesses – even at companies that are still ramping up their capabilities in the area. A basic awareness of key elements in an effective cyber defense can not only help boards understand their company’s maturity in managing cyber threat risk, but also point toward next steps that can help move the company toward a more proactive, preemptive, and mature approach.