Board Level Cyber Risk Management Standard Needed

Calls for company boards to be active governance partners in “collaborative cyber defence” have been made in the Advanced Cyber Security Center's (ACSC)   effective practice report, “Leveraging Board Governance for Cybersecurity, The CISO / CIO Perspective." The report urges boards and their directors to adopt a dynamic understanding of their organisation’s cybersecurity responsibilities and to maintain regular direct access to CISOs and risk officers in conjunction with CIOs and other executives.


Importantly, the report seeks to create an initial benchmark and method of evaluation for the evolving role of corporate boards in cybersecurity governance, initially through the perspective of Chief Information Security Officers (CISOs), Chief Security Officers (CSOs) and Chief Information Officers (CIOs), the primary networks supported by the nonprofit, member-based Advanced Cyber Security Center (ACSC).


P{rimary recommendations of the report are:


The board’s strategic risk role: In most cases, the board partnership with management is still “at an early stage” or “maturing” phase in its ability to provide strategic guidance and help guide management’s strategic risk judgments.


Building board cyber expertise: Because most boards do not yet have sufficient expertise in technology or cybersecurity to serve as strategic thought partners on cyber risk, they should recruit board members with broad digital/technology expertise, develop an annual curriculum of cyber briefings, provide ongoing training, and use third-party assessments.


Aligning the board role and corporate structures: CISOs and CIOs should present jointly at board meetings to provide a holistic view of digital strategies and security.  Boards as a whole should review cybersecurity more consistently as a business risk; the risk or audit committee should be used for more frequent (at least quarterly) cyber reviews.


Overseeing cybersecurity and digital transformation budgets: Boards should present digital transformation budgets as a whole, with cybersecurity investments as an element of overall IT-related decisions about where to invest in growth and security.


Developing cyber risk metrics and measurement: Boards should prioritise and support senior management’s development of a new generation of outcome-based cyber risk management frameworks, and in the meantime, executives should use only a few operational metrics with boards.


The full report can be seen here

more news

Sea Turtle DNS Hijacking Threatens The Internet


A new and highly skilled team of hackers spying on dozens of government targets is never welcome news, but one team of cyberspies has pulled off that scale of espionage with a rare and troubling trick, exploiting a weak link in the internet's cybersecurity that experts have warned about for years. It is DNS hijacking, a technique that meddles with the fundamental address book of the internet.

read more

More than half of organisations with cybersecurity plans fail to test them - IBM


IBM Security has announced the results of a global study exploring organisations’ preparedness when it comes to withstanding and recovering from a cyberattack. The study found that a vast majority of organisations surveyed are still unprepared to properly respond to cybersecurity incidents, with 77 per cent of respondents indicating they do not have a cybersecurity incident response plan applied consistently across the enterprise.

read more

New Supply Chain Attacks Using "Island Hopping"


Supply chain attacks are getting more prevalent and dangerous says the latest quarterly Global Incident Response Threat report from cybersecurity firm Carbon Black. Half of current cyberattacks use “island hopping” as an approach, which means attackers are after not only the target network but all those along its supply chain as well, the report states.

read more

UK Cybersecurity Watchdog Critical of Huawei


It's almost nine years since Chinese networking and telecommunications giant Huawei entered into an agreement with the UK government to permit extensive security reviews of Huawei’s hardware and software—a move intended to allay fears that the company posed a security risk to the UK’s networks. Since then, the Huawei Cyber Security Evaluation Centre (HCSEC) has given UK officials a window into the company’s information security practices. And UK officials haven’t necessarily liked what they’ve seen.

read more