Cybersecurity Managed Services

Cybersecurity Oversight for Boards

Cybersecurity has become a critical concern for organizations across all industries. Boards of directors have a vital role in overseeing their organization’s cybersecurity posture, ensuring that the necessary measures are in place to protect sensitive data, maintain compliance, and mitigate cyber risks. Here are some guidelines that boards of directors can use for board oversight of cybersecurity within their organizations.

Engage a Qualified External Assessor: Hire an external firm that is a qualified assessor of cybersecurity practices. The firm should have no conflicts of interest and be capable of providing critical, objective assessments of the organization’s cybersecurity posture.

Conduct Annual Cybersecurity Assessments: Engage your assessor to conduct a comprehensive cybersecurity risk assessment as well as a cybersecurity defense assessment on an annual basis. The assessment results should be delivered independently to the board or a designated board representative, outlining the strengths and weaknesses of the organization’s cybersecurity controls and recommendations for improvement.

Approve the Cybersecurity Vision: Approve the company’s cybersecurity vision, including its risk appetite and its tolerance for system and business loss, based on an evaluation of critical functions and systems.

Ensure You Receive Quarterly Board-Level Cybersecurity Reporting and Metrics: The CISO should be able to provide consistent cybersecurity metrics related to the health of your cybersecurity operations. Board-level cybersecurity reporting is critical in maintaining an organization’s strong security posture. Good reporting enables the board to make informed decisions about the organization’s risk management, resource allocation, and overall strategic direction. Reporting gives the board committee with oversight responsibility a measurement of whether management is executing the cybersecurity strategy.

Know the Difference Between Compliance and Cybersecurity: Great compliance is not the same as good cybersecurity. Many industries have robust compliance standards intended to set minimums, and those minimums can be up to 10 years behind prevailing cybersecurity industry best practices. Your company’s cybersecurity plan should match the risk appetite set by the board and have robust capabilities in place to provide defense in depth, such as Identity and Access Management (IAM), Threat Detection and Response (TDR), Vulnerability Management (VM), and Data Loss Prevention (DLP), among others.

Implement Separation of Duties: Ensure a clear separation of duties between the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO). This separation ensures that the CISO can focus on security-related issues without conflicts related to broader IT management. Consider having the CISO report to the CFO or COO to separate these duties further.

Engage a Qualified Director: The SEC is clearly on a path to require boards to have an independent director qualified in cybersecurity and a clear, consistent process to monitor cybersecurity health, akin to the obligations to have a qualified financial expert and constant oversight and reporting related to the financial health of the company. You should get ahead of this requirement and begin to engage now, as changes in cybersecurity maturity require time, budget, and patience.

Engage in Active Dialogue with the CISO: In-depth reporting and metrics are the baseline. Beyond reporting, the board should engage in meaningful discussions with the CISO to gain insights into the organization’s cybersecurity strategy and challenges. Sample questions for the board to ask include:

  1. What is our cybersecurity strategy, and how does it align with our business objectives?
  2. What cybersecurity capabilities do we need to enhance, and what are the cost and risk tradeoffs we should consider?
  3. What is our highest risk, and what actions do we need to take to mitigate it?
  4. What areas of the business are most at risk?
  5. How can we reduce our risk?

Effective cybersecurity oversight requires proactive engagement, a commitment to understanding the evolving cyber threat landscape, and constant evolution of the company’s plan to address the risks and the tradeoffs needed to budget effectively for improving the company’s cybersecurity and protecting the company adequately. In closing, the board should ask whether the internal team has the skills, resources, and budget to support the cybersecurity vision, and should consider cybersecurity managed services or outsourcing as an enabler for rapidly acquiring the required cybersecurity capabilities. By following these guidelines, boards of directors can enhance their oversight of cybersecurity practices, mitigate cyber risks, and contribute to the overall security and resilience of the organization.


Ben Trowbridge
