59 Pages Posted: 6 Dec 2014 Last revised: 31 Jul 2018
Date Written: January 2, 2017
Cybersecurity is an important strategic and governance issue. However, because most corporate CEOs and directors have no formal engineering or information technology training, their limited practical knowledge of cybersecurity is understandable, yet problematic. Particularly in smaller companies with limited resources, knowledge of what the enterprise should actually be doing about cybersecurity is unlikely to be adequate.
My goal in this article is to explore the unusually complex subject of cybersecurity in a highly readable manner. First, recent threats are examined. Next, governmental policy initiatives are discussed. Third, some basic tools are offered that boards and top management can use to improve the quality of their discussions with information technology executives. It is likely that most top managers and corporate directors have never heard of, let alone read, the SANS Critical Security Controls; the OWASP Top Ten; the CWE/SANS Top 25 Most Dangerous Software Errors; Presidential Executive Order 13636 (and the accompanying Treasury Department report); the Quadrennial Homeland Security Review; or the NIST Framework. By offering suggestions about what top managers and boards can do to improve organizational cybersecurity awareness and readiness, this paper contributes to the risk management literature and strengthens the knowledge base and ability of top management and boards to govern enterprise cybersecurity.
Keywords: Audit Committee, Board Structure, Corporate Governance, Crime, Cyber, Data Breach, DHS, Directors, Enterprise Risk Management, Hackers, Incentives, Information Technology, Internal Controls, Market Failure, National Security, NCCIC, NIST, OWASP, SANS, Sarbanes-Oxley, SEC, Strategy, US-CERT
JEL Classification: C88, G18, G28, G34, H56, H82, K14, K22, K33, K40, K42, L20, L86, L98, M10, M13, N40