Skip to main content
Home » Future of Healthcare » Why Cybersecurity Isn’t Just an IT Issue
Future of Healthcare

Why Cybersecurity Isn’t Just an IT Issue

Larry Clinton

President, Internet Security Alliance

The cybersecurity field is undergoing a series of revolutions. 

First, criminals and state-supported groups, empowered by the annual profits in the hundreds of billions, have become extremely sophisticated. Cyber attackers are now often as technologically sophisticated as the best IT companies. Attack methods, including artificial intelligence, the cloud, and other mechanisms once confined to government and military targets, are now commonly used against all manner of large and small commercial targets.   

The second revolution is that leading organizations are learning how to improve resilience despite these more sophisticated attacks. One of the most successful tools to create cyber resiliency is articulated in the “Cyber Risk Handbook” published by the National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA). 

The NACD/ISA handbook differs from traditional models by taking a “top-down,” enterprise-wide risk management approach to cybersecurity, as opposed to the traditional “bottom-up” technocentric model. Moreover, The NACD/ISA model – unlike most technical frameworks – has been independently assessed and shown to actually improve organizations’ cybersecurity. 

PwC, in its annual Global Information Security Survey, found that use of the NACD model led to increased cybersecurity budgets, better risk management, closer alignment of cyber security with business processes, and improved cultures of security.

Key principles

The handbook identifies key principles all organizations need to embrace: 

  1. Cyber Security is not an “IT” issue, it is an enterprise wide risk-management issue. 
  2. Organizations must adopt a modern digital structure to deal with the uniqueness of the cyber age.
  3. Management must conduct a modern empirical and economics-based cyber risk assessment, identifying what risk to accept, mitigate, or transfer. 

The handbook also provides a series of tool kits that link the principles to specific operational steps management and the board of directors must embrace to promote enhanced cyber security.

NACD and ISA released the third edition of the handbook in February 2020. It is available for free at and

Stamp of approval

The handbook is endorsed by the U.S. Department of Homeland Security and the U.S. Department of Justice, and has been adopted by industry associations and governments in Europe, Asia, and Latin America.  

In addition to receiving endorsements from the U.S. government, the adapted versions have been endorsed by the German Office of Information Security and the Organization of American States.

Next article