Cybersecurity: What Every Board Must Know
IIA Research Foundation, ISACA offer board guidance on managing security risks
WEST PALM BEACH, Fla. (Aug. 18, 2014) — Boards of directors must actively participate in measuring and monitoring an organization’s strategy on cybersecurity, a new report from The Institute of Internal Auditors Research Foundation™ (IIARF™) and ISACA® urges.
“Cybersecurity: What the Board of Directors Needs to Ask”, released today at the opening of the 2014 Governance, Risk, and Control Conference™ here, offers in-depth guidance on the key questions board members should be asking and how they can monitor and influence policies and practices involving cyberrisks.
“This new report captures the theme on which the GRC conference is built by inviting yet another stakeholder — the board — to become involved in accessing and mitigating cyberrisks,” said IIA President and CEO Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA. “It provides the practical guidance that board members need to become active partners in battling cybercrime.”
The guidance builds on five principles cited in a report by the National Association of Corporate Directors (NACD) in conjunction with the American International Group (AIG), and the Internet Security Alliance (ISA).
“Cybersecurity is a continually growing issue and needs to be a strategic priority of boards of directors. It is not just an IT issue,” said Ron Hale, Ph.D., CISM, acting chief executive officer of ISACA. “This report is an important collaboration of our organizations, bringing together the global expertise of thousands who are working toward better detecting and mitigating cyberthreats. It urges executives to roll up their sleeves and get involved in the cybersecurity process, and provides concrete questions to get started.”
The IIARF-ISACA report details how boards must position themselves to provide direction and support for cybersecurity efforts. It offers strategies and specific direction on several topics, including how boards must stay abreast of legal implications, demand adequate access to cybersecurity expertise, set expectations that management establish an enterprisewide risk management network, and communicate with management what risks should be avoided, accepted, mitigated, or transferred through insurance.
For example, one strategy outlined in the report urges board members to view themselves as a “fourth line of defense” against cyber risks, providing an additional safety net after management and internal controls (first line), financial controls, risk management, security, and other tools (second line), and internal audit (third line).
That means requiring annual “health check” reports that include descriptions and updates on every aspect of cyber protection. The checks should be performed by internal audit or an external security organization, according to the report.
The report’s conclusion offers a strong challenge to board members to be much more involved — or face potential consequences. Citing the high-profile cyberattack against Target stores during the 2013 holiday season, the report notes that proxy adviser Institutional Shareholder Services recently recommended the ouster of seven of 10 of the company’s directors “for failure to provide sufficient risk oversight.”
About The IIARF
Established in 1976, The Institute of Internal Auditors Research Foundation (IIARF) is the global leader in sponsoring, disseminating, and promoting research and knowledge resources about internal audit. Its mission is to shape, advance, and expand knowledge of internal auditing by providing relevant research and educational products to the profession globally.
About ISACA
With more than 115,000 constituents in 180 countries, ISACA® (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide. Follow ISACA on Twitter at https://twitter.com/ISACANews.