President, Internet Security Alliance
The cybersecurity field is undergoing a series of revolutions.
First, criminals and state-supported groups, empowered by the annual profits in the hundreds of billions, have become extremely sophisticated. Cyber attackers are now often as technologically sophisticated as the best IT companies. Attack methods, including artificial intelligence, the cloud, and other mechanisms once confined to government and military targets, are now commonly used against all manner of large and small commercial targets.
The second revolution is that leading organizations are learning how to improve resilience despite these more sophisticated attacks. One of the most successful tools to create cyber resiliency is articulated in the “Cyber Risk Handbook” published by the National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA).
The NACD/ISA handbook differs from traditional models by taking a “top-down,” enterprise-wide risk management approach to cybersecurity, as opposed to the traditional “bottom-up” technocentric model. Moreover, The NACD/ISA model – unlike most technical frameworks – has been independently assessed and shown to actually improve organizations’ cybersecurity.
PwC, in its annual Global Information Security Survey, found that use of the NACD model led to increased cybersecurity budgets, better risk management, closer alignment of cyber security with business processes, and improved cultures of security.
The handbook identifies key principles all organizations need to embrace:
- Cyber Security is not an “IT” issue, it is an enterprise wide risk-management issue.
- Organizations must adopt a modern digital structure to deal with the uniqueness of the cyber age.
- Management must conduct a modern empirical and economics-based cyber risk assessment, identifying what risk to accept, mitigate, or transfer.
The handbook also provides a series of tool kits that link the principles to specific operational steps management and the board of directors must embrace to promote enhanced cyber security.
Stamp of approval
The handbook is endorsed by the U.S. Department of Homeland Security and the U.S. Department of Justice, and has been adopted by industry associations and governments in Europe, Asia, and Latin America.
In addition to receiving endorsements from the U.S. government, the adapted versions have been endorsed by the German Office of Information Security and the Organization of American States.