How can boards play a more strategic role in cybersecurity governance and oversight? Where is the state of the art, and where is it heading? These questions motivate CLTC’s research on board governance of cyber risk. Cyber risk requires a different and more dynamic governance model than is common among boards for handling other risks, a mindset we define as “resilient governance.”
This study from the Center for Long-Term Cybersecurity presents a model framework to help organizations improve their consideration of cybersecurity risk as part of a merger or acquisition (M&A). Developed through interviews with academics and practitioners who are experts in M&A, the report, Moving Left and Right: Cybersecurity Processes and Outcomes in M&A Due Diligence, integrates insights and best practices to improve due diligence for security risk. The framework addresses three primary factors: 1) key business considerations that are germane to each phase in the deal cycle; 2) the cyber risk questions that should be the focus of investing teams, executives, and cyber auditors at each stage; and 3) desired outcomes, the conclusions that investing teams, executives, and cyber auditors should be able to draw.
Drawing on insights gleaned from board members with 130+ years of board service across nine industry sectors, this report identifies four “dynamic tensions” likely to shape board governance and oversight of cybersecurity. Resilient Governance for Boards of Directors: Considerations for Effective Oversight of Cyber Risk provides an innovative framework to help boards take a dynamic approach to cybersecurity governance and oversight.
The Cyber Oversight Effectiveness Development (COED) framework is designed to help boards of directors gain a deeper understanding of their current capabilities, including areas where they need to improve. Through structured activities, the framework can increase board members’ individual and collective self-awareness, and help them move from a reactive posture toward a stance that is both proactive and resilient.
Our research has been covered in a variety of outlets, including Politico, CIO Dive, CyberWire, Bloomberg, Journal of Cyber Policy, Yahoo! Finance, Tech Crunch, Executive Biz, MSSP Alert, Pittsburgh Post Gazette, Morning Star, and others.
We are grateful to the external partners with whom we’ve collaborated on this work, including Booz Allen Hamilton, Tapestry Networks, King & Spalding, and Cisco.