A recent ruling by the U.S. Securities and Exchange Commission (SEC), known as the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, took effect last fall. This ruling mandates that public companies disclose the cybersecurity expertise of their board of directors. Specifically, organizations must reveal whether oversight of cyber risks lies with the entire board, a specific member, or a board committee. They are also required to explain how often these discussions occur and how cyber risks are integrated into business strategies and risk management.
“In simplest terms, boards are accountable for management, governance, and disclosure reporting,” states Keri Pearlson, executive director at the Cybersecurity at MIT Sloan Research Consortium (CAMS). “While there’s much room left for interpretation, this aspect is clear.”
Moreover, the rising frequency of hacking incidents and their escalating costs have become apparent. Despite ongoing efforts to enhance cybersecurity by corporations and governments alike, data breaches have surged significantly, recording a 20 percent increase from 2022 to 2023. Given the rapid expansion of digital operations, this trend is unsurprising. The SEC emphasizes in a fact sheet accompanying its recent rulings that “Cybersecurity risks have intensified with the digitalization of registrants’ operations, the surge in remote work, treacherous criminal monetization of cybersecurity incidents, the rise in digital payments, and an increased reliance on third-party IT service providers, including cloud services.”
Cyber Resilience: The Key to Responding and Recovering
Pearlson’s research encompasses various organizational, strategic, management, and leadership dimensions of cybersecurity, with a particular focus on the role of boards. In a January 2023 article for MIT Sloan Management Review, “An Action Plan for Cyber Resilience,” she and her co-authors assert that board members must operate under the assumption that cyberattacks are inevitable. They should ensure that executives and managers are adequately prepared to respond and recover.
“If we accept that every organization has a substantial risk of being breached, and we can’t guarantee 100 percent protection from every attack, then the rational strategy is to enable the organization to bounce back with minimal disruption to operations, finances, or reputation,” explains Pearlson. To effectively mitigate cyber risks, leaders must implement robust response and recovery plans, fostering true cyber resilience.
Pearlson likens cyber resilience to public health practices during the Covid pandemic. “We took measures like staying home, wearing masks, and getting vaccinated not only to lower our chances of contracting the virus but also to minimize the severity of illness if we did become infected.”
This illustrates that the current defense-heavy approach many companies adopt regarding cybersecurity leaves them vulnerable. Traditional protection strategies address known issues only, whereas cybercriminals continuously innovate and exploit unknown vulnerabilities. Pearlson emphasizes the necessity for resilience, a mindset that should originate from leadership. “Although boards receive periodic cybersecurity reports, these typically occur annually and often lack the critical data needed for ensuring organizational resilience,” she notes.
In their May 2023 article for Harvard Business Review, “Boards Are Having the Wrong Conversations About Cybersecurity,” Pearlson and co-author Lucia Milică highlight the shortcomings of traditional cybersecurity briefings at board meetings, which usually center on threats and protection technologies. “This perspective undermines effective board oversight. We know that complete immunity is unattainable, regardless of the resources we allocate to countering cyber threats. While investment in protective measures is vital, confining discussions solely to protection strategies leads to potential disaster,” they argue.
Instead, conversations should pivot toward resilience. Rather than delving into the intricacies of an organization’s incident response infrastructure during board meetings, members should focus on identifying major risks and how the organization plans to recover swiftly from potential disruptions.
Utilizing a Balanced Scorecard Approach to Assess Risk
To facilitate this shift in focus, Pearlson created the Board Level Balanced Scorecard for Cyber Resilience (BSCR), a tool designed to help boards and executives engage in more meaningful discussions about cyber risks. Inspired by Kaplan and Norton’s Balanced Scorecard, Pearlson’s BSCR organizes key risk factors into four quadrants: performance, technology, organizational activities (including people and compliance), and supply chain. Each quadrant comprises three key components:
- A quantitative progress indicator (using a red-yellow-green rating) based on existing cybersecurity control frameworks such as CISA Cybersecurity Performance Goals (CPG), NIST SP 800-53, ISO 27001, or CIS Controls;
- The most concerning risk factor to organizational resilience identified by C-level leaders;
- A qualitative action plan detailing how these leaders intend to mitigate the identified risks.
The scorecard serves to guide board discussions and reporting around critical areas that organizations should prioritize in the face of a cyberattack, namely technology, finances, organizational structure, and supply chain stability. While additional quadrants may be necessary for some businesses, each focus area should be assessed using quantitative metrics. By examining these indicators collectively, leaders can uncover insights that might otherwise remain overlooked.
“Implementing cybersecurity controls is not a new concept, especially for publicly traded companies with systems in place to gauge their cybersecurity investments,” states Pearlson. “However, there often exists a qualitative risk that traditional metrics fail to convey. While tracking the number of individuals who falter during phishing tests is essential, the scorecard encourages organizations to analyze what’s at stake and the strategies in place to address those challenges.” For further details about the scorecard, refer to this recent Harvard Business Review article.
Empowering Boards with Essential Information
Most leaders recognize their vulnerability to cyberattacks; the challenge lies in understanding how to communicate these risks and respond effectively. While cyber executives often default to reporting on tech or organizational metrics, such information is inadequate for boards striving for cybersecurity resilience. “Initially, it doesn’t serve the board’s purpose,” asserts Pearlson.
Throughout her research, cybersecurity experts, board members, and domain specialists have articulated a desire for critical insights on system assets, proactive capabilities, and recovery timelines. Many wish to gain clarity on the types of data held by their organization, its location, the likelihood of it being compromised, and the repercussions of such compromises on operational functionality. Notably, more than half of participants expressed a need to understand the financial implications of breaches or cyber incidents for their organization.
Pearlson’s BSCR contextualizes these risks within specific business functions, addressing nuances like whether a risk is immediate or long-term and evaluating potential impacts as minimal or substantial.
“A Balanced Scorecard for Cyber Resilience is a foundational tool for discussing business continuity plans in the event of an incident,” remarks Pearlson. “Investing solely in protection today falls short; our focus must broaden to include resilience against cyber threats and vulnerabilities. Achieving this necessitates a comprehensive, qualitative assessment from those at the operational helm.”
Pearlson also teaches two influential MIT Sloan Executive Education courses aimed at enhancing resilience among individuals and organizations. Tailored for non-cyber professionals, Cybersecurity Leadership for Non-Technical Executives equips participants with essential knowledge for informed discussions. Similarly, Cybersecurity Governance for the Board of Directors supports board members, C-suite leaders, and senior executives in acquiring vital insights for effective cybersecurity strategy formulation and risk management oversight.
Photo credit & article inspired by: Massachusetts Institute of Technology