Booz Allen Hamilton and the University of California, Berkeley have released a joint white paper titled “Resilient Governance for Boards of Directors: Considerations for Effective Oversight of Cyber Risk,” the company announced on Wednesday. The paper outlines how cybersecurity has become an existential risk for every company board and offers a set of board processes for effective cybersecurity governance.
Booz Allen conducted a study in which it interviewed 20 board members across a variety of sectors to collect data and create a framework that boards can use to govern cybersecurity in today’s enterprise, while evolving over time with the technology, business and regulatory factors central to cybersecurity risk.
“Today, boards are deeply committed to improving cybersecurity practices and outcomes for their companies. However, cybersecurity is still a relatively new area of focus and boards aren’t certain on the best practices for cyber oversight and risk mitigation. We used our findings to develop a core set of recommendations to help boards better govern cybersecurity practices,” said Rudy Bakalov, vice president with Booz Allen’s Commercial Business.
Booz Allen has identified four dynamic tensions that companies face when building a cybersecurity defense: risk model, expertise, competition versus cooperation, and the board-CISO-management protocol.
The company has noted that the risk model is the most crucial of these tensions in a company’s cybersecurity governance. It lies in the divide between treating cybersecurity as one item within enterprise risk management and treating it as a matter of existential safety, and in how much importance the board assigns to cybersecurity as a result.
The second tension the study addresses is the distribution of expertise on boards and how directors evaluate the qualifications of cyber-focused board members. The tension arises as boards decide how much expertise is necessary, how much authority should be delegated to cyber specialists, and whether it is reasonable to create a board technology or cybersecurity committee.
The third dynamic tension that boards confront is finding the right balance between cooperation and competition with other enterprises on cybersecurity. The study raises the debate over whether companies and boards should treat cybersecurity as a competitive asset or work together on it as a collective good; the two views lead to two separate courses of action.
The fourth dynamic tension that boards navigate concerns how members choose to structure the oversight relationship on cyber, that is, how information flows between management and the board. This has created a divide between a high-touch approach and a stable-metrics approach.
For boards favoring the high-touch approach, Booz Allen recommends engaging on security oversight with business units and other enterprise functions beyond the Security Operations Center, integrating quantitative and qualitative inputs in a consistent manner, deepening the relationship with the CISO through more frequent interaction, and creating and defending protected spaces in which management and employees can expose cybersecurity challenges.
Boards that rely on stable, standard metrics should allow those metrics to evolve, but choose a consistent framework for how they support oversight. Additionally, such boards should re-assess the impact of the metrics on a regular basis and supplement quantitative metrics with qualitative input in a balanced model.
“While there is no one right answer or template for holistic cybersecurity, we hope these proposed actions will be a good starting point for boards of directors looking to strengthen their cybersecurity posture,” concluded Bakalov.
About Booz Allen Hamilton
Booz Allen Hamilton Inc. is an American management and information technology consulting firm, headquartered in McLean, Virginia, with 80 other offices around the globe. The company’s stated core business is to provide consulting, analysis and engineering services to public and private sector organizations and nonprofits.