Setting corporate cyber-security policy and taking actions around it must be a top concern for the board of directors at any company, not just the information-technology division, the Department of Homeland Security (DHS) indicated as a high-level official there backed a private-sector effort to raise awareness at the board level.
Andrew Ozment, assistant secretary, Office of Cybersecurity and Communications at DHS, today said DHS endorsed the principles spelled out in the "NACD Directors' Handbook on Cyber-Risk Oversight" published by the National Association of Corporate Directors, which has over 14,000 members who are directors for public, private and non-profit organizations. The DHS will include the NACD's handbook on the U.S. CERT website as a source of information for businesses. In any organization, the board of directors is there to oversee its general direction, including how well upper management is performing.
+More on Network World: Survey: Corporate security thwarted by dialog failure between IT department and management+
"Most companies are targets for espionage, or worse," said Ozment at a press conference in Washington, D.C. where he was joined by Ken Daly, president and CEO of NACD; Mark Carmillo, head of AIG's cyber products for the Americas Region; and Larry Clinton, president and CEO of the Internet Security Alliance, the primary author of the "Cyber-Risk Oversight" Handbook intended to be read by board directors.
Ozment said CEOs should be well-informed about cyber risk issues that come up and should take the view that the board of directors also wants to know about them.
But that is not always the case today, and there's considerable debate about how the board of directors, which is usually non-technical and mainly concerned about the company's business growth and new products or services, can take on cyber-security issues effectively.
With the news headlines pouring out about data breaches and cyber-espionage on a daily basis these days, "directors are very much aware of cyber-security," said Daly, but they struggle to know how to confront it in detail.
The "Handbook on Cyber-Risk Oversight" insists that they should and must play a bigger role, spelling out five basic principles (see graphic, above) that first involve gaining in-depth understanding, then helping set an "enterprise-wide cyber-risk management framework" while also considering cyber-insurance might be worthwhile in order to cover the considerable costs that a data breach might entail.
DHS assistant secretary Ozment said the DHS wasn't explicating endorsing the notion of cyber-insurance per se, nor any particular products, but did view insurance as one option related to legal liability that companies might want to consider.
Although the NACD thinks "risk oversight should be the function of the board," according to the Handbook, the problem today is that many corporate boards remain divided on the subject and haven't determinedly taken up the banner on that yet.
The NACD "Handbook on Cyber-Risk Oversight" notes "a large percentage of boards continue to assign the majority of tasks related to risk oversight to the audit committee--even though more than half of the directors believe risk oversight should be allocated to the full board, and roughly a quarter believe it ought to reside within the audit committee." There's considerable debate as to whether one approach might have a single board member assigned to cyber-security oversight or not.
ISA president Larry Clinton said business leaders focus on growth, profitability, and innovation, so cybersecurity should be seen as critical in ensuring that.