The topic of cybersecurity is coming up more and more frequently in my discussions with fellow corporate directors. It is an indication of the increased concern about cyber-risk, and of the realisation that directors must play a more active role in cybersecurity oversight. With the growth of damaging cyber incidents, corporate directors understand that it is not enough to rely on internal corporate expertise: they themselves must be better prepared to ask the right questions, to understand and challenge the answers they get on cyber-risks, and to contribute significantly to improving its oversight. Staying informed on cybersecurity is a challenge, and an absolute necessity. To that end, I suggest reading two key publications to gain a deeper understanding of current practices in cybersecurity, to learn how to assess the state of a company’s cyber and IT security approaches, and to participate in increasing the state of preparedness of companies. I am also sharing with you a tool I developed. It can be found in the tools section of my website at http://www.joseemorin.ca/en-tools/
The NIST Framework is a very detailed document targeting readers with some cyber-security understanding. Directors with a less technical background should concentrate on the Framework Core, which consists of five concurrent and continuous functions relating to cyber-security practices—Identify, Protect, Detect, Respond, Recover. These 5 functions are the foundation upon which cyber-security policies and procedures should be built. Depending on the risk profile and maturity of the business, all 5 functions, or just a few, can be present. Table 2, found in Appendix A of the framework, presents a series of common activities for managing cyber-risks that are found in organisations with a more sophisticated security approach. Directors can use this list of activities to rate the current state of their company’s cyber-security approach. They will find this state to be at one of four tiers: (Tier 1) Partial risk oversight, (Tier 2) Risk informed, (Tier 3) Repeatable oversight, or (Tier 4) Adaptive oversight. Appendix A can also be used by directors to develop relevant questions to ask management, to evaluate their own understanding of security practices, and to devise a self-training plan.
NACD Cyber-Risk Oversight Handbook 2017
This recent handbook from NACD is an excellent read for directors who are concerned with cyber-risk oversight, including directors of small and medium private companies. It does not require as much technical understanding as the NIST Framework. It demonstrates that greater connectivity leads to greater risks for businesses of all sizes. Malicious organisations are actively looking for different types of information, including employee and customer information, and can use even small and medium businesses as an entry point into the networks of larger business partners. Boards must be aware that no organisation is immune to cyber-criminality. The example of the Chinese menu hack demonstrates the inventiveness and perseverance of criminal minds. The handbook proposes five steps that boards can follow to enhance cyber-security oversight:
- Understand cyber-risks and approach them as enterprise-wide risks
- Understand the legal implications of cyber-risks
- Ensure access to adequate time and expertise to discuss cyber-risks at board meetings
- Set the expectation that management will adopt a framework with appropriate resources and budget
- Make certain to include discussions on which risks to avoid, to accept, to mitigate or to transfer
I have assisted organisations in improving cyber and IT risk management and lowering their exposure. As a first step, I have used both publications to develop a list of basic questions I want to see discussed by management in a formal board presentation, in order to gain a common understanding of the state of cybersecurity, develop a common vision and set priorities. It is a tool adapted to organisations in the early stages of cyber-risk management, and I am happy to share it with you. It can be found in the tools section of my website at http://www.joseemorin.ca/en-tools/