Boards should focus on increasing their knowledge of the topic and their level of comfort in dealing with it. First and foremost, to challenge their executive teams on the subject of cyberresilience, they need to arm themselves with a set of principles or good practices for dealing with the issue. Multiple general recommendations exist on how to act. BCG recently had the opportunity to support the World Economic Forum by creating a set of guidelines, designed for board-level use, that address these challenges. The Forum and its cross-industry working group have identified ten principles and backed them up with pragmatic tools to enable boards to institute them. The principles emphasize taking responsibility, becoming informed on the subject of cyberthreats, anchoring responsibility in the organization, and implementing plans for cyberresilience. Boards also need to join their executive team in a discussion of risk appetite, in order to define the current risk posture of their organization.
In addition, boards need tools for understanding, assessing, and quantifying the risk patterns that their organization faces today and may face in the future. A good first step is to identify the organization’s most important informational assets and to determine the biggest risks to these assets. A second step is to determine how the executive team aims to manage these risks and how much its plan will cost the company. The Forum's publication includes recommendations, in the form of a Board Cyber Risk Framework, for analyzing and understanding cyberrisk at the board level.
Emerging technologies create great changes and great opportunities, but they also expose companies to grave new risks. Examples of disruptive technologies are big data, the Internet of Things, and autonomous vehicles. Boards need to understand how disruptive technologies change their cyberrisk exposure. The Forum’s publication provides insights directed toward board-level stakeholders regarding challenges such as vendor management, technology life cycle security, and the ability to quickly adapt to change.
Although cyberresilience and cyberrisk management are still young disciplines in many organizations, they are gaining speed. Boards are in a unique position to support and accelerate their development—be it to derisk their organizations’ value creation or to make the world a bit safer for business partners and consumers. It is imperative that boards possess the tools necessary to increase their own understanding, to ask the right questions, and overall to develop cyberresilience.
The report by the World Economic Forum, The Boston Consulting Group, and Hewlett Packard Enterprise is available for download: