Boards of directors are taking an increasingly active role in cybersecurity governance. The question is: what are they looking for, and how should you manage your security program to meet their needs?

This topic has been addressed in the "Cyber-Risk Oversight" handbook, published last month by the National Association of Corporate Directors. It is an update to the first NACD handbook, published in 2014. The handbook is just that: a set of recommended practices for directors. You can expect your directors to be asking you these questions, now or in the near future.

Five key principles are outlined, and I will highlight the recommendations in those principles that seem novel or not commonly in practice. For more information, you can download the free content from the NACD website.

Principle 1: Approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue

If cyber-risks permeate all business processes, why shouldn't this approach be a no-brainer? The biggest reason is that information security has been the domain of the CIO for many years. CISOs, often reporting to the CIO, have been charged with information security risk management. Today, however, that reporting structure may not support risk management across third-party collaboration or IoT-based services, to name just two expanding risk areas. One good suggestion in the NACD handbook is to organize a cross-functional cyber-risk team led by an officer with well-established cross-functional responsibility, such as the CFO, CRO or COO, but not the CISO. This will amplify the CISO's expertise.

Principle 2: Understand the legal implications of cyber risks

Every security breach will result in legal action; this is pretty much a given today. In some cases, security breaches will affect the organization as a whole. A perfect example is the Yahoo-Verizon deal, where the newly reported breaches may cost Yahoo shareholders $250-$350 million. I suspect a significant chunk of this money is held in reserve to cover lawsuits in progress. Was the Yahoo board kept up to date on the state of the Yahoo security program? That is not known. An interesting recommendation in the NACD handbook is to get board members involved in tabletop exercises around incident response. That way, they will be part of the breach reporting conversation.

Principle 3: Boards should have adequate access to cybersecurity expertise; cyber-risk management should be given adequate time on board agendas

Many boards of directors are reviewing cyber-risks on a regular basis. Cisco reports that boards and the CEO are taking the lead role in cyber-risk management at 39% of the organizations they surveyed. However, the NACD reports that only 15% of boards are very satisfied with the information they are getting from management. So you need to understand carefully the strategic information they are looking for, and refrain from reporting operational statistics such as the percentage of systems patched.

Principle 4: Directors should set expectations that management will establish an enterprise cyber-risk management framework

The handbook highlights the NIST Cybersecurity Framework (CSF) as a useful approach to risk management, and many organizations are already using this risk-based framework. Principle 4 also recommends doing a "forward-looking" risk assessment. I don't know how many people are attempting to do that; most are satisfied with a current-state risk assessment that meets compliance requirements. You really need to understand potential threats one to two years out, given that it will take you that long to implement new controls.

Principle 5: Boards need to discuss details of cyber risk management and risk treatment

These details include risk mitigation, risk transfer, risk avoidance and risk acceptance. Today, no one can mitigate all risks across the enterprise. Boards and management need to understand where the crown jewels are and which attacks are most likely, and then defend against those. Security risk management has always been about prioritization, and it still is. It is also important to understand your organization's risk appetite: the maximum risk your organization is willing to accept in pursuit of strategic objectives, and which risks fall outside the bounds of corporate values. Those risks must be mitigated whatever their priority values.