Cybersecurity Governance: Best Practices for Executives and Board Members
The International Bar Association has just published the report "Global perspectives on protecting against cyber risks: Best governance practices for senior executives and boards of directors". Our partner Søren Skibsted is one of the main authors of this international report. Its purpose is to provide first-of-its-kind global guidance and specific recommendations to senior executives and boards of directors on protecting against global cyber risks. Don't miss out on reading it.
Cybersecurity has become a top priority for organizations, requiring significant attention from senior management and boards of directors. While compliance with laws and regulations is essential, it is no longer sufficient to protect against rapidly evolving cyber risks. Corporate and organizational leaders must take on the role of responsible stewards of their systems and information assets.
The "playbook" for good cyber governance now includes active engagement by management and the board with cyber issues. Leaders must understand the organization's cyber risk profile, its critical systems and data, and its security choices, and must ensure that regular testing is conducted. Although the exact allocation of responsibilities may vary among jurisdictions, the principles of good cyber governance remain the same.
To enhance cyber risk management, it is crucial to follow these best-practice recommendations:
- Understand the cyber risk profile of the organization.
- Understand the key information assets to protect.
- Understand significant regulatory requirements.
- Determine the appropriate risk tolerance of the organization.
- Understand what cybersecurity standards the organization is using.
- Ensure appropriate risk decisions on protecting key information assets.
- Ensure periodic risk assessments are conducted.
- Understand who 'owns' cybersecurity and cyber risk management.
- Ensure the board has sufficient cybersecurity expertise.
- Ensure management has sufficient cybersecurity expertise.
- Invest sufficient funds to meet cybersecurity goals.
- Understand the cybersecurity testing and training program and review results.
- Ensure senior management and the board receive regular updates.
- Ensure appropriate reporting lines so that cyber risks are raised to leadership.
- Assess changes in cyber risk posture caused by business developments.
- Review, understand, and test the organization's cyber incident response plans.
- Oversee the response to significant incidents.
The goal of this report is not to turn everyone into technical experts but to provide a roadmap for strong cyber risk management. By implementing these actionable steps, organizations can strengthen their cyber risk governance and stay informed about important cyber governance issues. This knowledge will enable them to have more effective discussions and make informed decisions to protect their organizations from cyber threats.