By Kacy Zurkus
Jan. 13, 2017
The exponential growth of cyber risk has impacted roles for the CISO and the CEO, among others, but it has also left board members a little in the dark when it comes to understanding the risks associated with cybersecurity.
The National Association of Corporate Directors, NACD, who represents 88 percent of the Fortune 1000, recently released a Cyber-Risk Oversight Handbook. In an effort to set standards for corporate board leadership, they surveyed corporate board members and found that only 11 percent of today's directors have a high understanding of cyber risks.
As a result, the NACD decided that perhaps it is time to re-evaluate how they look at cybersecurity from a corporate board's perspective. In addition to the handbook, NACD partnered with Ridge Global, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University to create an online learning platform for board members.
The NACD Cyber-Risk Oversight Program for corporate directors, confers the CERT Certificate in Cybersecurity Oversight, intended to increase cybersecurity literacy as well as educate boards on their role in overseeing the company's cyber preparedness.
Former Gov. Tom Ridge, chairman of Ridge Global and former US Secretary of Homeland Security, said that the extent of the issue stems from the majority of board members not having a full appreciation of the range of risk and the different kinds of malware that can impact the business.
"They need to deal with financial risk, but the 21st century risk is digital, and many of them don't understand how vastly their reputation or profitability can be impacted," Ridge said.
Because malware changes all the time, the risk gets worse and worse every day. "Joining together with the standard setters (NACD), we’re going to improve their understanding of the risk, whether it's nation states, hacktivist, or who has access to what in their infrastructure," Ridge said.
More and more, conversations involving cybersecurity are intertwined with governance, risk, and compliance. Where technology had traditionally been cordoned off, the entire organization now needs to be risk aware in order to more effectively do their jobs.
The board of directors can no longer rely on reports from executives in order to make decisions that directly impact their share holders. They need to know not only how much money needs to be spent, but -- more importantly -- how to best invest those resources.
"It’s not just the money they invest but where they are investing it," Ridge said. "It’s an awareness that the malware changes. What kind of digital requirements do they have of their suppliers? Do they limit access within the enterprise? What are the risks, their greatest vulnerabilities? Who are the actors? They need to understand how to be matching resources with needs."