Following a steady march of large-scale breach crises at corporations and public entities over the past several years, business leaders and boards of directors have been put on notice that this is a business risk issue, not an IT problem.
Regulators and stakeholders have made their expectations clear: take action to proactively monitor and mitigate cybersecurity risk, or expect fines and legal intervention. As a result, board committees charged with cybersecurity oversight are seeking more direct access to the Chief Information Security Officer as well as a clear, concise dashboard for monitoring risk levels.
Board Oversight of Cybersecurity Risk: A Framework for Inquiry discusses:
- Maxims for doing business in today’s cybersecurity threat environment
- Guidance for defining top business risks
- A step-by-step discussion guide for developing a risk reporting dashboard
SecureWorks offers this guide to boards, particularly audit and risk committees, as a tool for improving the board-management dialog on cybersecurity risk management. The included Framework for Inquiry is a non-prescriptive discussion exercise that boards can initiate with the CISO and CIO to gain a deeper understanding of cybersecurity strategy and ensure that the company’s efforts are reasonable in the context of business strategy, risk tolerance and industry expectations. In turn, management can use the framework to craft a better reporting dashboard with metrics that help the board oversee risk and better understand the security programme’s priorities.