Most modern business operations rely on internet-facing computing. This exposure of corporate computing devices to the internet, especially cloud services, means cyberrisk is inevitable. Cyberrisk is a subset of operational risk that can adversely impact the organization’s returns and profitability, if improperly managed. The effective management of cyberrisk by senior management requires proactive support from the risk and audit committees as well as the full board of directors. Because the board of directors is responsible for setting the organization’s strategy and direction, the board must be proactive in ensuring that management has the budget necessary to develop and implement the appropriate controls to mitigate cyberrisk. The board is responsible for defining the organization’s strategic plan and the level of risk the organization intends to take on to achieve its strategic goals through a well-defined and easy-to-follow enterprise risk appetite. The second line of defense, with the help of the chief risk officer (CRO), may then develop a cyberrisk appetite that mirrors the enterprise risk appetite. The cyberrisk appetite must also be approved by the board.
If the first line of defense develops controls, then the board, through the risk committee, is expected to empower the CRO’s team to independently challenge the validity and appropriateness of the proposed controls. In the same vein, the audit committee should empower the chief auditor’s team to independently test and validate the proposed controls. All these activities by the risk and audit teams should generate reports to meet the information needs that can transparently convey to the board what is required by the organization to operate within the established cyberrisk appetite. The board cannot make decisions in a vacuum, which is why they need reports with metrics that show whether senior management is using the budget and available resources to effectively manage cyberrisk.
A perceptive board of directors composed of risk committee members who clearly understand the nature of cyberrisk can easily challenge senior management based on the reports to the board, effectively holding senior management accountable. In the past, many costly cyberbreaches have been reported in the press where it is evident that board members only got involved to contain the criticism arising from reputational and legal damage. The board’s involvement should not be reactive, occurring only once a cyberrisk has been realized. With frequent and sufficient reporting, the board can use those reports as detective controls to assess whether senior management is following best practices to protect the organization’s operations from material cyberrisk.
At a minimum, senior management must inform the board of all material risk (i.e., risk that can adversely impact the organization’s operations, profits and reputation or diminish compliance with legal and regulatory requirements). Senior management must be transparent with the board so that they can be effectively held accountable for how they are managing cyberrisk. The risk and audit committees must comprise people who have a broad range of knowledge spanning finance, accounting, technology and cybersecurity to discern the underlying assumptions made by senior management when developing technology and cybersecurity program agendas and budgets. They should be able to interpret metrics with key performance indicators and key risk indicators so they can work with the board to strengthen and broaden controls. Key risk indicators are forward-looking and can give warning of pending risk to help management act expeditiously to mitigate it.
It is also important to recognize that the board must stay on top of evolving technology trends, threat landscape and regulatory matters by receiving periodic training on those matters. In addition, board members also need continuous updates on stakeholder needs, regulatory changes and fiduciary duties. The board must exemplify humility by performing introspection and self-evaluation to assess where there may be weaknesses in oversight. The board can also leverage lessons learned if they previously missed critical oversight expectations that resulted in failure to hold management accountable.
Gone are the days in which board members would simply rubber-stamp whatever senior management presented without fully understanding and adequately challenging the underlying assumptions made. In this information age, the board of directors should be able to easily access the information they need to challenge management and steer their organization toward achieving its mission and goals. All these ideal goals depend on proper board composition (i.e., a board with members who exhibit the traits and attributes of fully engaged and inquisitive directors). The members should have enough time to attend committee meetings and review documents as they fulfil their fiduciary responsibilities. Board members must be able to sow seeds of trust and appreciation of each other by listening to each other’s opinions, including dissenting opinions, which can only strengthen their resolve to take the organization to new heights. The board must also establish clear processes when it creates strategic plans and sets related agendas, explaining how these are consistent with the established risk appetite. The charters that guide the board committees must be updated as frequently as policy requires. Board committee charters with clear mandates can help evaluate how board committees are performing as they govern and provide oversight. If board members are offering substandard service, then they should be rotated out.
Editor’s note: For further insights on this topic, read Allen Ari Dziwa’s recent Journal article, “Effective Governance and Board Oversight in a Globalized Information Environment,” ISACA Journal, volume 4, 2023.