Download our “CISO's Guide To Reporting To The Board” eBook to get the scoop on metrics that matter to the board.
This development comes amid alarming findings from Gartner's own board survey: directors ranked cyber risk as the second-highest source of risk for the enterprise, behind only regulatory compliance risk. Yet relatively few feel confident that their company is properly secured against a cyberattack.
In this blog, we will explore how a board cybersecurity committee can ensure cyber risk receives the attention it deserves, plus best practices for forming one.
What does a board cybersecurity committee do?
According to Gartner, a board cybersecurity committee allows for “…discussion of cybersecurity matters in a confidential environment, led by someone deemed suitably qualified.”
With a dedicated committee, board members can learn the company's cyber risk profile and exposure, whether security policy and controls are focused on the right risks, and what more can be done.
Who should be on the committee?
Because cyber risk management is not exclusively IT's responsibility, the committee should include board members with expertise in finance, legal, sales, HR, and marketing. Technical expertise is helpful but not a requirement.
The committee's work should be overseen and led by a chair.
According to Gartner, the individual most qualified to lead the committee is the CISO. As chair, the CISO must translate the board's goals for the committee into agendas and work plans. They also do the hard work of conveying the company's cybersecurity performance to committee members, framing strategic decisions about cybersecurity, and steering policy. Lastly, the chair works closely with the heads of functional business units to gather input and act on the committee's recommendations.
Gartner anticipates that CISOs in this role will face more scrutiny, but also receive more support and resources to protect the company against cyber threats.
Why a board cybersecurity committee is critical
While government regulations don’t mandate that companies have a cybersecurity committee, the board is increasingly coming under the spotlight for its understanding and oversight of cyber risk.
For instance, a rule proposed by the SEC in 2022 would require companies subject to the reporting requirements of the Securities Exchange Act of 1934 (broadly, public companies) to standardize their disclosures regarding cyber risk management, strategy, governance, and incident reporting. If the rule is adopted in its current form, companies must disclose how the board oversees cyber risk, management's role and expertise in assessing and managing that risk and implementing cybersecurity policies, and whether any director has cybersecurity expertise.
Because the proposed rule reaches almost every sector, it behooves board members to act quickly to establish a board cybersecurity committee so that cyber risk receives appropriate governance and oversight.
What information does the committee need?
Most board members are not cyber experts, so CISOs must assess and report on cyber risk and security performance in language that makes sense to the non-technical members of the committee. As Gartner puts it, CISOs must “…shift away from performance and health-related discussion to risk-oriented and value-driven exercises.”
One way to do this is to use BitSight Security Ratings. A rating is a data-driven measurement of enterprise-wide security performance that helps assess risk and the likelihood of a cybersecurity incident, both internally and across the company's supply chain.
Because findings are presented as a numerical score – like a credit score – CISOs can convey security risks in straightforward business terms. With this insight, it becomes much easier for non-technical board members to understand the company’s cyber readiness – across subsidiaries, business units, and remote locations – and gauge vendor risk.
Furthermore, BitSight Security Ratings can be paired with BitSight for Security Performance Management (SPM) so that the committee can measure how the company's security program performs over time.
With the continuous monitoring insights that SPM provides, CISOs can assess the company’s changing risk profile, guide discussions about security control effectiveness, compare performance against peers, inform decisions about investment and resource allocation, and set data-driven performance targets.
SPM also enables CISOs to quantify cyber risk in terms of its financial impact. With cyber risk quantification, they can easily simulate the organization’s financial exposure across hundreds of thousands of cyber events, including ransomware, regulatory compliance issues, supply chain attacks, and more, and demonstrate how that exposure changes as the organization invests in controls to improve its security posture.
By transforming the technical side of cybersecurity into financial language, the board cybersecurity committee can prioritize cybersecurity decisions and new technology investments.
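To make the simulation idea above concrete, here is an added example of a FAIR-style Monte Carlo loss model. It is illustrative code written for this post, not BitSight's code and not the SPM or cyber risk quantification methodology. Each scenario is a hypothetical Poisson event frequency paired with a lognormal single-event loss; a control is modelled as a percentage cut in frequency and/or magnitude. The scenario names, rates, dollar figures and the assumed effect of the control are all constructed for illustration and carry no real-world calibration.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Hypothetical loss-event scenario (frequency x magnitude).

    events_per_year: mean annual rate of the event (Poisson frequency).
    median_loss, sigma: lognormal severity parameters for one event.
    """
    name: str
    events_per_year: float
    median_loss: float
    sigma: float


def _poisson(rng: random.Random, lam: float) -> int:
    """Sample how many times an event occurs in one year (Knuth's method, fine for small rates)."""
    threshold = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return count
        count += 1


def simulate_annual_losses(scenarios, trials=20_000, seed=7):
    """Monte Carlo over `trials` simulated years; returns one total-loss figure per year."""
    rng = random.Random(seed)  # fixed seed so the board sees the same figures each run
    losses = []
    for _ in range(trials):
        year_total = 0.0
        for s in scenarios:
            for _ in range(_poisson(rng, s.events_per_year)):
                year_total += rng.lognormvariate(math.log(s.median_loss), s.sigma)
        losses.append(year_total)
    return losses


def percentile(values, q):
    """Nearest-rank percentile of a list (q in [0, 1])."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(q * (len(ordered) - 1))))
    return ordered[idx]


def exposure_summary(losses):
    """Board-level figures: expected annual loss plus 1-in-20 and 1-in-100 year tail losses."""
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "p95": percentile(losses, 0.95),
        "p99": percentile(losses, 0.99),
        "prob_any_loss": sum(1 for loss in losses if loss > 0) / len(losses),
    }


def apply_control(scenario, frequency_reduction=0.0, magnitude_reduction=0.0):
    """Model a control as a fractional cut in how often an event occurs and/or how much it costs."""
    return Scenario(
        scenario.name,
        scenario.events_per_year * (1 - frequency_reduction),
        scenario.median_loss * (1 - magnitude_reduction),
        scenario.sigma,
    )


# Constructed, purely illustrative scenarios (not calibrated to any real organisation).
BASELINE = [
    Scenario("ransomware", 0.6, 400_000, 1.0),
    Scenario("supplier breach", 0.9, 150_000, 0.8),
    Scenario("regulatory finding", 0.3, 250_000, 0.6),
]

# Hypothetical investment (e.g. offline backups plus MFA) assumed to halve ransomware
# frequency and cut its magnitude by 40%; the other scenarios are unchanged.
WITH_CONTROLS = [apply_control(BASELINE[0], 0.5, 0.4)] + BASELINE[1:]

if __name__ == "__main__":
    for label, scen in (("baseline", BASELINE), ("with controls", WITH_CONTROLS)):
        summary = exposure_summary(simulate_annual_losses(scen))
        print(f"{label:14s} EAL ${summary['expected_annual_loss']:,.0f}  "
              f"P95 ${summary['p95']:,.0f}  P99 ${summary['p99']:,.0f}  "
              f"P(any loss)={summary['prob_any_loss']:.2f}")
```

Running the script prints the expected annual loss and tail figures for both scenario sets, so the committee sees the exposure reduction the hypothetical control buys rather than a list of vulnerabilities. The lognormal severity is deliberately heavy-tailed: the P95 and P99 figures, not the average, are what drive the "can we survive a bad year" conversation.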
Strong communication is key
As organizations form dedicated committees to address cyber risk, the CISO and board members must first review how the company measures and manages its security posture, as well as the posture of the entities that it does business with.
It’s a heavy lift for many companies, and effective communication is key.
Board members need to know how the company is impacted by its security posture, how it stacks up against industry standards and regulatory requirements, and how cyber risk is quantified so they can make better risk prioritization and investment decisions. For this transparency to be achieved, data insights are essential.
Download our eBook to learn more: Reporting Cybersecurity to the Board: A CISO’s Guide.