On a global basis, directors and the companies that they oversee are facing disruptions caused by geopolitical volatility, economic slowdown, emerging technologies, cybersecurity threats, and climate change, among other forces. The pace of change just keeps speeding up.
It is important to note that while disruptive risks are one of the main concerns for directors, their confidence in corporate risk management is low. As risks continue to evolve, the way corporate directors and their organizations handle them must evolve as well. This disconnect between may belie their low confidence in overseeing these changing
In BitSight’s newest Cyber Risk Monitor report, respected risk expert and NACD member James Lam details five recommendations for directors to manage disruptive risk within their organization. Within this list, he offers that corporate directors should “ensure board-level risk metrics and reports are effective.”
As stated in the report, one unique aspect of disruptive risks is that they are usually very subjective and, as a result, can be heavily influenced by cognitive biases. It’s critical that organizations have objective, independent data that allows them to both report on and understand the state of the company’s cybersecurity. In addition to traditional security assessment practices (such as penetration tests and questionnaires), security ratings can offer an objective, quantifiable measurement of an organization’s security posture that the board can understand in the context of industry, region, or competitive peer group.
When we look at disruptive risk—particularly cyber risks or incidents—it’s no secret that organizations are being held to significantly higher standards of cybersecurity outcomes than ever before. Regulatory bodies, boards, and executive teams are all driving for better oversight and accountability regarding data breaches and cybersecurity. Companies and their leadership are seeking to prevent the backlash from customers, business partners, and regulators that is inevitable when a breach occurs, demonstrating their failure to meet cybersecurity industry-wide standards of
Security and risk leaders are challenged with trying to understand what constitutes a reasonable, industry-wide standard of care when it comes to cybersecurity performance. What was good enough yesterday may not be today, and will almost certainly not be good enough next year. Not to mention, the traditional approaches to cybersecurity performance metrics are limited in scope, focus only on a point in time, and are subjective in nature, not
As a result, security and risk leaders are forced to make important decisions about their cybersecurity programs based on an incomplete set of data. This lack of visibility and context can often result in ineffective spending and misalignment of resources, two areas where insight is critically needed to adequately protect any organization.
Using security ratings to manage security performance helps security and risk leaders, and the directors who oversee their decisions, take a risk-based, outcome-driven approach to managing the performance of their organization’s cybersecurity program. Security ratings enable broad measurement, continuous monitoring, and detailed planning and forecasting in an effort to measurably reduce cyber risk. Using the Security Rating as this baseline metric of cybersecurity program performance, security and risk leaders finally have an objective, independent, and broadly adopted key performance indicator to continuously and efficiently assess security posture, set program goals, track progress, and report meaningful information to executives and ultimately to you—the board.
Looking to learn more? Download BitSight’s latest Cyber Risk Monitor Report, prepared exclusively for directors of companies.