Targeted News Service
Boards of directors must actively participate in measuring and monitoring an organization's strategy on cybersecurity, a new report from
"Cybersecurity: What the Board of Directors Needs to Ask (http://www.theiia.org/bookstore/product/cyber-security-what-the-board-of-directors-needs-to-ask-download-pdf-1852.cfm)", released today at the opening of 2014 Governance, Risk, and
"This new report captures the theme on which the GRC conference is built by inviting yet another stakeholder -- the board -- to become involved in assessing and mitigating cyber risks," said IIA President and CEO
The guidance builds on five principles cited in a report by the
"Cybersecurity is a continually growing issue and needs to be a strategic priority of boards of directors. It is not just an IT issue," said
The IIARF-ISACA report details how boards must position themselves to provide direction and support for cybersecurity efforts. It offers strategies and specific direction on several topics, including how boards must stay abreast of legal implications, demand adequate access to cybersecurity expertise, set expectations that management establish an enterprisewide risk management network, and communicate with management what risks should be avoided, accepted, mitigated, or transferred through insurance.
For example, one strategy outlined in the report urges board members to view themselves as a "fourth line of defense" against cyber risks, providing an additional safety net after management and internal controls (first line), financial controls, risk management, security, and other tools (second line), and internal audit (third line).
That means requiring annual "health check" reports that include descriptions and updates on every aspect of cyber protection. The checks should be performed by internal audit or an external security organization, according to the report.
The report's conclusion offers a strong challenge to board members to be much more involved -- or face potential consequences. Citing the high-profile cyberattack against Target stores during the 2013 holiday season, the report notes that proxy adviser Institutional Shareholder Services recently recommended the ouster of seven of 10 of the company's directors "for failure to provide sufficient risk oversight."
About The IIARF
Established in 1976,
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus, a comprehensive set of resources for cybersecurity professionals, and COBIT, a business framework that helps enterprises govern and manage their information and technology.