Information Security

Directional Oversight of Cybersecurity

Directional Oversight of Cybersecurity (N)

From the North… Governance and Planning

Areas of Focus:
• Governance and Oversight
• Security Strategy and Plan
• Body of Policies
• Risk Appetites and Risk Tolerances
• Tone from the Top
• Organization and Expertise
• Education and Risk Culture
• Escalation Process and Criteria
• Cyber Insurance
• Guidance, Regulation, and Disclosure
• Capital and Resource Allocation

Directional Oversight of Cybersecurity (S)

From the South… Control Environment

Areas of Focus:
• Controls and Mitigation
• KRIs and KPIs
• Plan Progress Milestones
• Security Performance
• Incident Response
• Detect, Respond, Recover
• Threat and Vulnerability Assessment
• Incident Response and Feedback Loops
• Cyber Value at Risk

Directional Oversight of Cybersecurity (E)

From the East… Independent Assessment

Areas of Focus:
• Audit and Regulatory
• Pen Testing and Red Teaming
• External Review
• Security Scorecard Services

Directional Oversight of Cybersecurity (W)

From the West… Supply Chain

Areas of Focus:
• Supplier Risk Assessment and Conformance
• Contract and Compliance Review
• Third and Fourth Parties
• Supply Chain Resiliency
• Concentration Risk
• Systemic Risk

Governing Cybersecurity


Governance

• Creating the right governance and authorizing environment
• Considering domain expertise, integration with IT functions, escalation, and oversight
• Keeping up with guidance and regulation

Policy

• Ensuring policies are comprehensive and current
• Assessing compliance

Testing

• Testing the security posture of your organization through internal and external assessment
• Practicing incident response and learning from industry events

Transparency

• Identifying the reporting and metrics you need to manage cyber risk
• Making appropriate disclosure of material cyber risks and reporting of incidents

Resource Allocation

• Ensuring that allocation of resources aligns with goals and desired outcomes
• Evaluating effectiveness of resource allocations

Cybersecurity as an Enterprise Risk Management Issue

Identify Critical Digital Assets

Understand Key Threats and Risks

Set Risk Appetites and Tolerances

Address Key Risks
• Accept
• Transfer
• Mitigate
• Avoid

Assess Residual Risks


Internal and External Feedback Loops

Oversight of Cyber Risk

A typical question asked about cyber risk

• Have we “addressed” our cyber risk?

Better questions to ask about cyber risk

• Do we understand our critical digital assets and processes, and the key risks to those assets and processes?
• Have we outlined – and kept current – our overall risk appetites and tolerances?
• Have we effectively lessened the probability and impact of cyber risk to within those stated risk tolerances?
• How do we assess the effectiveness of our cyber risk mitigation approaches?
• Have we prepared and practiced for a breach?
• Are we digitally resilient as an organization?
• How do we know?
• Are we keeping up and learning from events around us?
