The Conference Board Governance Center Blog


Cybersecurity framework: A starting point for companies

By Mary Ann Cloyd, Leader, PwC’s Center for Board Governance

  Editor’s Note: Additional resources on cybersecurity from The Conference Board can be found here.

Earlier this year, the National Institute of Standards and Technology’s (NIST) released its new Cybersecurity Framework.

Charles Beard, principal in PwC’s forensics practice and former senior vice president and general manager of Science Applications International Corp.’s cybersecurity group, and the Honorable Tom Ridge, former US Secretary of Homeland Security and co-founder of Ridge-Schmidt Cyber, discussed cybersecurity risk during PwC’s Center for Board Governance March 27 cybersecurity webcast.

“There are five things not addressed in the framework that are important for independent directors to understand,” Beard said during the webcast. They are as follows:

1. Duties and obligations of companies wherever they operate
2. The “technical debt” (the cost of deferred maintenance on technical projects that remain incomplete)
3. The identity of threat adversaries and actors (i.e. countries, hacktivists, employees)
4. How the company should think about cyber threats in terms of risk tolerance
5. The element of time (for larger companies, a cyber risk plan may take years)

“Cyber attacks are not only a clear and present danger; they are a permanent danger,” Ridge said. “Companies need to look to see that they have a cybersecurity risk plan embedded in their overall risk plan.”

Ridge called the NIST framework a modest step toward minimizing the cyber threat, and added that it should be used as a way for companies to start looking at their critical assets and how to protect them from hackers.

The framework includes a taxonomy and a risk management tool that can help companies to describe their current cybersecurity condition, assess progress toward their desired cybersecurity state, identify and prioritize opportunities for improvement, and communicate cybersecurity risks to stakeholders.

Additionally, the Department of Homeland Security (DHS) created the Critical Infrastructure Cyber Community (C3) Voluntary Program. It is designed to connect companies and governmental agencies with the DHS to help manage cyber risks.

A cybersecurity risk plan can help a board understand the risks involved as well as the plans around risk mitigation. Ridge has some questions directors should consider asking management:

  • What is the governance structure around IT?
  • Is there an individual or team accountable?
  • How often do we get reports on this accountability? Is there a dashboard?
  • Will our company be reactive or preemptive with regard to cyber threats?
  • Do we need to engage a third party to help?

Here are links to more information on cybersecurity:

About the Guest Blogger:

Mary Ann Cloyd, Leader, PwC Center for Board Governance

Mary Ann Cloyd, Leader, PwC Center for Board Governance

Mary Ann Cloyd is the Leader of PwC’s Center for Board Governance which advises audit committees and boards of directors on emerging governance issues and leading practices. The Center also conducts research and provides perspectives on critical governance issues, including its Annual corporate directors survey.

Mary Ann has over 35 years of public accounting experience serving multinational corporate clients in a variety of industries. She currently serves on PwC’s Global Board of Partners and Principals and served two terms on the US Board of Partners and Principals.

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply