The Board’s Role in Managing Disruptive Risk: Enter Security Ratings
Today, disruptive risks are an area of focus for corporate directors worldwide. On a global basis, we face disruptions in areas like geopolitical volatility, economic slowdown, emerging technologies, cybersecurity threats, and climate change.
However, while disruptive risks are the main concern for directors, their confidence in corporate risk management is low. As risks continue to evolve, the way corporate directors and their organizations handle them must evolve as well.
One unique aspect of disruptive risks is that they are usually very subjective and can easily be shaped by cognitive biases. It’s critical that organizations have objective, independent data that allows them to both report on and understand cybersecurity. In addition to traditional security assessment practices (like penetration tests, questionnaires, etc.), security ratings can offer an objective, quantifiable measurement of an organization’s security posture that the Board can understand in the context of its industry, region, or competitive peer group.
When we look at disruptive risk — particularly cyber risks or incidents — it’s no secret that organizations are being held to significantly higher standards of cybersecurity outcomes than ever before. Regulatory bodies, Boards, and executive teams are driving oversight and accountability, seeking to prevent the inevitable backlash from customers, business partners, and regulators for a failure to meet cybersecurity industry-wide standards of care.
Security and risk leaders are challenged with trying to understand what constitutes a reasonable industry-wide standard of care when it comes to cybersecurity performance. What was good enough yesterday may not be good enough today, and will almost certainly not be good enough next year. Not to mention, the traditional approaches to cybersecurity performance metrics are limited in scope, point-in-time, subjective in nature, and not comparable across organizations.
As a result, security and risk leaders are forced to make important decisions about their cybersecurity programs based on an incomplete set of data. This lack of visibility and context can often result in ineffective spend and misalignment of resources.
Using security ratings to manage security performance helps security and risk leaders take a risk-based, outcome-driven approach to managing the performance of their organization’s cybersecurity program, enabling broad measurement, continuous monitoring, and detailed planning and forecasting in an effort to measurably reduce cyber risk. Using the security rating as this baseline metric of cybersecurity program performance, security and risk leaders finally have an objective, independent, and broadly adopted key performance indicator (KPI) to continuously and efficiently assess security posture, set program goals, track progress, and report meaningful information to executives and ultimately to you — the Board.
This blog was originally published on the NACD Board Blog.