
Cyber Oversight Effectiveness Development: A New Approach for Boards of Directors

A joint project of Tapestry Networks, UC Berkeley’s Center for Long-Term Cybersecurity (CLTC), and King & Spalding

Nearly every large public company has made significant investments in cybersecurity. But even where internal management of cyber risk appears strong, a board may worry that its oversight of digital security is inadequate—or that it has no reliable way to assess its adequacy or to compare its capabilities with other firms.

A new framework, Cyber Oversight Effectiveness Development (COED), addresses these gaps and aims to help boards become more resilient and adaptive. It is predicated on the belief that cyber risk often requires fundamentally different treatment than other risks, such as health and safety or fraud.

The Challenge: Staying Ahead of Rapidly Evolving Cyber Risk

Cyber risk oversight is new and highly challenging for boards. It is unlike almost any other risk, because the threats and their impact evolve quickly. Risks arise not only from distant actors, such as criminal gangs and hostile nation-states, but also from employees and third-party providers.

Threat actors operate outside of international rules and norms. They rapidly adopt new technologies and find novel vulnerabilities to exploit. Even full-time cybersecurity professionals are challenged to stay ahead; the majority of directors lack direct personal experience in dealing with cyber risk.

Step 1: A Baseline Level of Cybersecurity Oversight

Cyber Oversight Effectiveness Development begins with basic cybersecurity oversight practices that the board of every public company, in every industry, should consider foundational. Baseline oversight is essential to meeting the requirements of regulators, obligations to investors, and expectations of the public – ultimately reducing litigation and other risks to the company. Directors and experts have identified five key areas of focus for baseline governance.

Which firms need to go beyond the baseline?

Several situations might prompt a board to invest further in its cybersecurity oversight capabilities, and certain circumstances are more likely to prompt such a move. Examples are shown in the graphic below.

Going Beyond the Baseline

For those firms that decide to invest further, the COED framework provides a multi-step process to help gain a deeper understanding of their organizations’ current capabilities, how they differ from those of others, and where they need to aim.

When a Firm Goes Beyond the Baseline

Diagnostics clarify board alignment

COED provides two diagnostic exercises that aim to uncover areas where there are internal gaps in alignment, and to identify key uncertainties as directors assess their internal and external environments.

Diagnostic 1: The Dynamic Tensions Exercise

The Dynamic Tensions Exercise addresses fundamental questions facing every board: What is our overall risk model for cyber? How do we access cyber expertise on the board? How does cybersecurity fit into our competitive strategy? And, how do we share information with management, especially the CISO?

Diagnostic 2: The Official Futures Exercise

The Official Futures Exercise helps boards understand the beliefs about the business and the external business environment that their current actions imply they hold. In many cases, these are unwritten, and the exercise helps surface them.

To the left: an imaginary Official Futures exercise, as it might have been carried out to understand why an auto manufacturer took as long as it did to invest in electric vehicles.

Three Steps toward Enhanced Cyber Oversight

With diagnostic results to guide the way, the COED Framework initiates a cycle of three primary elements: staging, intervention, and reflection.

Staging

Staging is the process of establishing a snapshot of where the board is at a given moment. COED identifies five stages of board development, each of which can be assessed and benchmarked. As the technology, regulatory, and threat landscapes co-evolve, boards will repeatedly traverse these five stages.

Intervention

Intervention entails a series of board actions—including education, reorganization, seeking out internal and external expertise, running war games, and engaging in scenario planning—that can accelerate learning and move the board toward greater cyber risk capability and confidence.

Reflection

In the reflection step, a board can look back at the original staging assessment, review the process and results of intervention, and identify specific learnings. Third-party experts, including legal counsel, may be helpful as board and management engage in reflection on the progress they have made. A board may use the reflection to decide on the timing of its next staging exercise or the external events that might trigger a restaging. It may be appropriate to undertake some or all of the reflection step under attorney-client privilege.

Reassessment requires measuring the impact of the interventions. The approach repeats over time, ideally on a cadence determined by the board’s view of the threat environment and its own needs. The key is to enhance the speed of the process so the board’s management of each successive cyber threat creates greater confidence and results in greater speed in responding to future attacks.

A Repeatable, Multi-step Process

Using the COED Framework will increase board members’ individual and collective self-awareness, moving from an emergency “ad hoc” posture (where the board has little choice but to accept management’s guidance regarding the threat landscape and the questions the board asks about it) toward a stance that is both proactive and resilient. Getting the most out of the COED Framework will require time, resources, and energy, but the payoff will be greater readiness for digital transformation and value creation that goes beyond the important goal of protecting the company from cyber criminals.

To learn more about the Cyber Oversight Effectiveness Development Framework — including a case study of how this process might play out — read the full report.

Credits: The Cyber Oversight Effectiveness Development framework was developed through a joint project of Tapestry Networks, the University of California, Berkeley’s Center for Long-Term Cybersecurity (CLTC), and King & Spalding.

Created By
CLTC Berkeley