Board Governance of Cyber Risk
Three respected organizations (PwC, National Association of Corporate Directors, and the World Economic Forum) have collaborated in a post on the Harvard Law School Forum on Corporate Governance.

Their piece, which merits our attention and analysis, is entitled: Principles for Board Governance of Cyber Risk.

It makes a number of excellent points but goes astray on a few as well.

I will use a couple of new metaphors to make some very important points that don’t seem to be well understood.

But first, the good stuff, with my comments:

  • As with any major enterprise issue, it is important for the board of directors and leadership to set the tone at the top and define how their organizations must address cybersecurity.

Comment: the board is there to provide oversight, not to manage the organization. Its job is to obtain assurance that (a) management is setting and walking the right tone, and (b) management is taking the right risks for success (including those relating to cyber) through informed and intelligent decisions. The board needs to obtain assurance that management is addressing cyber effectively, not to define how management should do so.

  • Cyberthreats are persistent, strategic enterprise risks for all organizations regardless of the industry in which they operate. Effective organizational cybersecurity directly…
