Notes from the Boardroom: vol. 6
Editor’s note: “Notes from the Boardroom” is a series of blog posts from ISACA board directors providing transparency, context and perspective on how the ISACA board is carrying out its governance responsibilities. In this installment, we address how ISACA tackles cyber risk. The nomination period for ISACA’s board of directors is open through 1 January 2025. Do you have relevant experience and a passion for serving the ISACA community or know someone who does? Consider nominating yourself or a colleague.
Cyber risk is a major risk facing virtually all organizations, including ISACA, and the ISACA Board of Directors and executive management in particular acknowledge their fiduciary duty to govern cyber risks effectively. ISACA leadership realizes that our management of the broader portfolio of risks, including cyber, demonstrates to our members, customers, staff and partners that digital trust is not only a commitment that we promote commercially, but also an internal ethos that guides our business.
In this blog post, I will discuss several elements of how board directors contribute to setting the organization’s cybersecurity strategy and engage with key stakeholders to address cyber risk. The overall objective is to describe what is expected from board directors with respect to cybersecurity board governance, while at the same time providing advice to leaders throughout the ISACA community who are seeking to better understand their organization’s current posture, execute their oversight functions and set long-term objectives.
Integrate cyber expertise into board governance
Several of ISACA’s directors are cybersecurity leaders in their respective organizations, and other board directors with non-technical backgrounds have undertaken relevant training or actively seek guidance from fellow directors, third parties and internal resources so that they can effectively oversee the organization’s cybersecurity within the structures created for that purpose. These structures include the Audit & Risk Committee and the Innovation & Technology Committee. Taking into account the rapidly changing cyber landscape, board directors are encouraged and supported in their continuous professional development in the area of cyber risk management.
Key areas of focus:
- Cybersecurity leaders on the Board provide strategic guidance on cybersecurity decision-making across ISACA.
- Formalized opportunities are available for non-technical board directors to increase their knowledge of cyber risk.
- The knowledge and experience of chapter leaders, members and external experts – who engage with board members regularly – are sought out to ensure effective oversight of management.
- Periodic audits and reviews of security controls are conducted by independent third parties (e.g., external auditors and ISO 27001 assessors).
- Regular sessions between the board and management are undertaken, covering recent cyber incidents, risk metrics, supply chain issues and related trends.
Recognition of cybersecurity as a strategic business enabler
Cyber risks are strategic as well as disruptive risks for ISACA. The perspective from the Board and executive management is that cybersecurity directly contributes to both value creation and value preservation for ISACA and its community of digital trust practitioners. Effectively mitigating these risks requires a strong tone from the top and a firm commitment to integrating cybersecurity and risk management into decision-making.
Key areas of focus:
- Operational and strategic decision-making processes most often include cyber risk considerations.
- The organization’s digital transformation strategy over the past few years has consistently factored in cyber risks.
- The Audit & Risk Committee has the main responsibility for cyber risk governance. The Innovation & Technology Committee covers cyber risk on a programmatic basis.
- All merger and acquisition (M&A) activities include due diligence on cyber risk.
Understanding the economic drivers and impact of cyber risk
Several business decisions that reduce costs or drive profitability can also increase cyber risk. Trade-offs between digital transformation and cyber risk are routinely considered in ISACA’s continuous push to leverage IT to improve the value of membership. Executive management – with oversight from the Board – measures cyber risk vis-à-vis strategic priorities, legal and regulatory requirements, business objectives and the impact of risk mitigation, transfer, or acceptance.
Key areas of focus:
- The Audit & Risk Committee has approved ISACA’s risk appetite and risk tolerance, considering cyber risk among the broader universe of risks, the organization’s risk profile and strategic objectives.
- Continuous reporting of key performance indicators (KPIs), key risk indicators (KRIs) and metrics for cyber risk. COBIT 2019, ISO 27001 and other industry-accepted frameworks are used to guide data-driven decisions, aligning risk appetite with organizational goals and strategy.
- Cyber-risk management decisions are based on the potential impact and likelihood of risk events as well as financial, legal, operational and other exposures.
Alignment of cyber-risk management and strategic business objectives
Cyber risk treatment plans are key to ISACA building a security posture that is optimally aligned with business requirements and the organization’s defined risk appetite. Effective board governance has made certain that strategic management of risks is integrated into all elements of decision-making, including business transformation, innovation, mergers and acquisitions, product development, market expansion and pricing.
Key areas of focus:
- Executive management reports to the Board on relevant cyber risks, risk ownership and the overall enterprise risk management (ERM) program, including cyber risk monitoring and remediation.
- Executive management reports to the Board on security incident response and applicable testing (e.g., tabletop exercises and business continuity/disaster recovery readiness drills).
- Executive management has furnished the board with a privacy roadmap on how ISACA maintains compliance with ever-increasing regulatory obligations across the globe.
Ensure that the organizational structure supports cyber risk management
ISACA has continuously enhanced its internal governance structure to improve cyber risk management across the enterprise. KPIs, KRIs and risk and control self-assessments (RCSAs) are required from all individuals with risk management and risk reporting responsibilities. The organization is committed to alignment with the 3 Lines of Defense (3LOD) risk model.
Key areas of focus:
- Restructured the organization to ensure that the cybersecurity function is adequately resourced.
- The role of Senior Director – Enterprise Cybersecurity has the requisite authority and responsibility for coordination of cyber-risk strategy throughout ISACA, and the business has a clear plan in place for data governance.
- Inculcate a cybersecurity culture that encourages cooperation between the cybersecurity function and all cyber risk owners across ISACA (e.g., IT, product, finance and legal).
- The Board has set expectations that cybersecurity is to receive adequate staffing and financing, and this is monitored through the Audit & Risk Committee and the Innovation & Technology Committee.
Encourage systemic resilience and collaboration
The high degree of interconnectivity amongst modern organizations means that contagion from a single enterprise can potentially impact entire industries and economies. Cyber resilience demands that ISACA work collaboratively with other organizations. Recognizing that only collective action can effectively counteract systemic cyber-risk challenges, ISACA pursues advocacy work and partnerships within its own industry as well as with public and private stakeholders, to ensure that everyone is dedicated to the overall resilience of the interconnected whole.
Key areas of focus:
- A 360-degree perspective on the organization’s risk and resilience maturity is fostered to enable ISACA to operate as a responsible partner in the larger environment in which it operates.
- Member, chapter, and other key stakeholder relationships are leveraged to share best practices across institutional boundaries.
- The organization has clear plans for effective advocacy, especially with the public sector, on improving cyber resilience. This also promotes greater cross-sector collaboration.
- The Board and executive management take into account risks inherent to ISACA’s broader ecosystem (e.g., third parties, vendors and partners).
- Board and executive leadership contribute to industry groups, academic publications, media platforms and information-sharing centers.