Excerpt from GARP.org
Oversight should be grounded in sound management practices
By David X Martin
Corporate boards of directors have a fiduciary duty to understand and oversee cyber security. For the most effective oversight, boards should approach cyber security from a good-management-practices perspective rather than a technical perspective. Here is a Top 10 list of the issues boards should focus on:
Strategy. There are no offensive strategies in cyber security — only defensive strategies. In addition, you cannot protect everything. It is therefore critical for board members to, first, determine which assets are most valuable, and second, determine the most effective strategy or strategies to protect them.
Chief Information Security Officer. In today’s wired world, it is not a question of if a cyber security issue will happen, but when. Unfortunately, in far too many instances, the chief information security officer (CISO) is selected based predominantly on superior technical skills and/or military experience. Leadership skills — communication and crisis management — are as important as technical skills, and sometimes more important. In the day-to-day management of technology, or in a crisis, it is far better to have a skillful leader than a subject-matter expert.