Opinion
Rise of the CISO
What is a CISO and how does it differ from a CTO and CIO?
Cyber risk is like any other business risk and requires board level attention and responsibility. Since the 2015 edition of the Cyber risk practice guide was published, boards have significantly stepped up their focus on cybersecurity.
The 2021 edition of the Cyber risk practice guide retains five core principles to help boards understand and approach cybersecurity in their organisations. Updates to the guide include privacy law developments and new resources for directors. It also presents questions for directors to ask management around their cybersecurity policies and settings.
Core principles
There are five core principles for boards in their oversight of cyber risks.
-
Take a holistic approach
Directors should approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
-
Understand the legal environment
It is essential that directors understand their legal responsibilities and the implications of cyber risk relevant to their organisation.
-
Give cybersecurity regular attention on the agenda
Cybersecurity needs regular and adequate time on the agenda. Boards should also continue to build their cyber competency and ensure they have access to external expertise.
-
Establish a framework
Ensure that an enterprise-wide cyber risk management framework is established.
-
Categorise and address the risks
Board and management discussion of cyber risks should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.
