Publication Date: November 18, 2016
Cybersecurity expert John Reed Stark has authored a four-part series of white papers outlining a strategic framework for boards of directors to effectively analyze and supervise corporate cybersecurity risks.
In the aftermath of a corporate cyber-attack, boards and the companies they govern face immediate public scrutiny and, in many cases, unwarranted criticism. This new cyber-reality has blurred the line between the board's oversight role and the IT executive's operational role, with cybersecurity emerging as a key corporate risk area.
For corporations, this is the dawning of a new era of data breach and incident response, where trying to avert a cyber-attack is like trying to prevent a kindergartener from catching a cold during the school year.
But cybersecurity engagement for members of the board of directors does not mean that members should obtain computer science degrees or personally supervise firewall implementation and intrusion detection system rollouts. Instead, a board's oversight responsibilities should focus on the critical components of a strong cybersecurity program's governance practices, policies and procedures, which are detailed in the attached white paper and include:
- Elements of a cybersecurity incident response plan
- Evaluating the business continuity plan in the context of cyber attacks
- IT security budgeting
- Cybersecurity tabletop drills
- Data security measures for cloud-based services.
The remaining papers in this series will broadly cover the following topics:
- People: cybersecurity recruitment, training and retention as well as hiring outside firms for digital forensics and data breach response.
- Technology: the technical systems that provide the foundation for cybersecurity infrastructure.
- Data Mapping and Encryption: the board’s oversight responsibilities with respect to two of the largest enterprise undertakings in the field of cybersecurity: encryption and data mapping.
By using these white papers as a guide, boards of directors can become not only more preemptive in evaluating cybersecurity risk exposure but they can also successfully elevate cybersecurity from an ancillary IT concern to a core enterprise-wide risk management item.
Read John Reed Stark's White Paper on Cybersecurity Governance
John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the intersection of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of "The Cybersecurity Due Diligence Handbook," available as an eBook on Amazon, iBooks and other booksellers.