Cybersecurity for Corporate Boards
A while ago, we researched and published an article about the cybersecurity knowledge (or lack thereof) in the corporate boards of Belgium.
Our research showed a serious lack of experience and knowledge in boards when it comes to protecting digital assets. Boards rarely had members with IT management experience, let alone security experience.
It turns out that, for all the risk management concerns a board takes on, it typically has no real understanding of the risk to its digital assets.
ECODA wants to change this and give board members a handle on cybersecurity. ECODA is the umbrella organization for the main national institutes for board members in Europe. In 2019, they started writing the ‘Handbook on Cybersecurity for European Board Members’, in partnership with ISA and AIG. Its goal is to promote the adoption of uniform cybersecurity principles for corporate boards. It was finally published in early 2020.
I was very lucky to be able to contribute to this effort.
The handbook puts forward 5 principles to help board members get a grasp on cybersecurity, or at least be able to talk about cybersecurity with their management.
The 5 principles are:
- Directors need to understand and approach cybersecurity as an enterprise-wide risk management and strategy issue, not just an IT issue.
- Directors should understand the reputational and legal implications of cyber risks as they relate to their company’s specific circumstances.
- Boards should ensure adequate access to cybersecurity expertise, with appropriate reporting, at both Board and Committee level.
- Board directors should ensure that management establishes an enterprise-wide cyber risk management framework that encompasses culture, preventive, detective and response capabilities, monitoring, and communication at all levels. Resources should be adequate and allocated in line with the strategies adopted.
- Board-management discussions about cyber risk should include strategies for managing it (mitigation, transfer through insurance or partnerships, acceptance, etc.).
The handbook further provides toolkits for putting these principles into practice.
There’s a lot to get into. That’s why I would like to discuss the principles and toolkits in a series of blogs, coming soon. Look out for them!
The handbook is intended to give board members, in any corporate structure, sufficient knowledge for the board as a whole to fulfil its mandate for oversight and strategy of information security: to evaluate, in a full and comprehensive manner, the risks their organization faces and how effectively it is mitigating them.