
16 Jun. 2014

By Mary Ann Cloyd, Leader, PwC’s Center for Board Governance
  Editor's Note: Additional resources on cybersecurity from The Conference Board can be found here.
Earlier this year, the National Institute of Standards and Technology (NIST) released its new Cybersecurity Framework. Charles Beard, principal in PwC’s forensics practice and former senior vice president and general manager of Science Applications International Corp.’s cybersecurity group, and the Honorable Tom Ridge, former US Secretary of Homeland Security and co-founder of Ridge-Schmidt Cyber, discussed cybersecurity risk during PwC’s Center for Board Governance March 27 cybersecurity webcast.

“There are five things not addressed in the framework that are important for independent directors to understand,” Beard said during the webcast. They are as follows:

1. Duties and obligations of companies wherever they operate
2. The “technical debt” (the cost of deferred maintenance on technical projects that remain incomplete)
3. The identity of threat adversaries and actors (i.e. countries, hacktivists, employees)
4. How the company should think about cyber threats in terms of risk tolerance
5. The element of time (for larger companies, a cyber risk plan may take years)

“Cyber attacks are not only a clear and present danger; they are a permanent danger,” Ridge said. “Companies need to look to see that they have a cybersecurity risk plan embedded in their overall risk plan.”

Ridge called the NIST framework a modest step toward minimizing the cyber threat, and added that it should be used as a way for companies to start looking at their critical assets and how to protect them from hackers. The framework includes a taxonomy and a risk management tool that can help companies to describe their current cybersecurity condition, assess progress toward their desired cybersecurity state, identify and prioritize opportunities for improvement, and communicate cybersecurity risks to stakeholders.

Additionally, the Department of Homeland Security (DHS) created the Critical Infrastructure Cyber Community (C3) Voluntary Program. It is designed to connect companies and governmental agencies with the DHS to help manage cyber risks.

A cybersecurity risk plan can help a board understand the risks involved as well as the plans around risk mitigation. Ridge has some questions directors should consider asking management:
  • What is the governance structure around IT?
  • Is there an individual or team accountable?
  • How often do we get reports on this accountability? Is there a dashboard?
  • Will our company be reactive or preemptive with regard to cyber threats?
  • Do we need to engage a third party to help?
Here are links to more information on cybersecurity:

About the Guest Blogger:

Mary Ann Cloyd is the Leader of PwC's Center for Board Governance, which advises audit committees and boards of directors on emerging governance issues and leading practices. The Center also conducts research and provides perspectives on critical governance issues, including its Annual corporate directors survey. Mary Ann has over 35 years of public accounting experience serving multinational corporate clients in a variety of industries. She currently serves on PwC's Global Board of Partners and Principals and served two terms on the US Board of Partners and Principals.