Information Security
Directional Oversight of Cybersecurity
Directional Oversight of Cybersecurity (N)
From the North… Governance and Planning
Areas of Focus:
• Governance and Oversight
• Security Strategy and Plan
• Body of Policies
• Risk Appetites and Risk Tolerances
• Tone from the Top
• Organization and Expertise
• Education and Risk Culture
• Escalation Process and Criteria
• Cyber Insurance
• Guidance, Regulation, and Disclosure
• Capital and Resource Allocation
Directional Oversight of Cybersecurity (S)
From the South… Control Environment
Areas of Focus:
• Controls and Mitigation
• KRIs and KPIs
• Plan Progress Milestones
• Security Performance
• Incident Response
• Detect, Respond, Recover
• Threat and Vulnerability Assessment
• Incident Response and Feedback Loops
• Cyber Value at Risk
Directional Oversight of Cybersecurity (E)
From the East… Independent Assessment
Areas of Focus:
• Audit and Regulatory
• Pen Testing and Red Teaming
• External Review
• Security Scorecard Services
Directional Oversight of Cybersecurity (W)
From the West… Supply Chain
Areas of Focus:
• Supplier Risk Assessment and Conformance
• Contract and Compliance Review
• Third and Fourth Parties
• Supply Chain Resiliency
• Concentration Risk
• Systemic Risk
Governing Cybersecurity
Governance
• Creating the right governance and authorizing environment
• Considering domain expertise, integration with IT functions, escalation, and oversight
• Keeping up with guidance and regulation
Policy
• Ensuring policies are comprehensive and current
• Assessing compliance
Testing
• Testing the security posture of your organization through internal and external assessment
• Practicing incident response and learning from industry events
Transparency
• Identifying the reporting and metrics you need to manage cyber risk
• Making appropriate disclosure of material cyber risks and reporting of incidents
Resource Allocation
• Ensuring that allocation of resources aligns with goals and desired outcomes
• Evaluating effectiveness of resource allocations
Cybersecurity as an Enterprise Risk Management Issue
Identify Critical Digital Assets
Understand Key Threats and Risks
Set Risk Appetites and Tolerances
Address Key Risks
• Accept
• Transfer
• Mitigate
• Avoid
Assess Residual Risks
Testing
Internal and External Feedback Loops
Oversight of Cyber Risk
A typical question asked about cyber risk
• Have we “addressed” our cyber risk?
Better questions to ask about cyber risk
• Do we understand our critical digital assets and processes, and the key risks to those assets and processes?
• Have we outlined – and kept current – our overall risk appetites and tolerances?
• Have we effectively lessened the probability and impact of cyber risk to within those stated risk tolerances?
• How do we assess the effectiveness of our cyber risk mitigation approaches?
• Have we prepared and practiced for a breach?
• Are we digitally resilient as an organization?
• How do we know?
• Are we keeping up and learning from events around us?