Tuesday, July 21, 2015

Cyber Risks: From the Trenches to the Boardroom Part II

As promised, part II of last week's blog series focuses on organizational best practices to ensure cyber risk governance. 


Organizational Best Practices
So what’s an organization to do? First, download the National Association of Corporate Directors (NACD) “Cyber-Risk Oversight Handbook,” a resource that can be applied to an organization’s existing enterprise risk management (ERM) program to track cyber risks. The handbook outlines five key principles for boards to properly oversee cyber risks:

  1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular and adequate time on the board meeting agenda.
  4. Directors should set the expectation that management establish an enterprise-wide cyber risk management framework with adequate staffing and budget.
  5. Board management discussions about cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.

Second, follow a cyber risk management methodology such as the U.S. National Institute of Standards and Technology (NIST) Risk Management Framework or the Australian government’s 2015 Risk Management Benchmarking Programme documents. These provide useful guidance for establishing and running a risk management program and selecting a target maturity state, and they describe the typical characteristics of the various risk management maturity levels an organization might aim for.

For a more in-depth breakdown, check out Veracode's 2015 survey, CyberSecurity in the Boardroom.
