Getting the Right Cybersecurity Metrics and Reports for Your Board
June 22, 2018 | Published by Jack Jones and James Lam
In the, 22 percent of corporate directors said they were either dissatisfied or very dissatisfied with the quality of cybersecurity information provided by management.
We’re not surprised. In most cases, management still reports on cybersecurity with imprecise scorecards like red-yellow-green “heat maps,” security “maturity ratings,” and highly technical data that are out of step with the metric-based reporting that is common for other enterprise reporting disciplines.
Boards deserve better. We recognize that cybersecurity is a relatively young discipline, compared to others under the umbrella of enterprise risk management (ERM). But it’s not a special snowflake. Management can and should deliver reports that are:
•    Transparent about performance, with economically-focused results based on easily understood methods.
•    Benchmarked, so directors can see metrics in context to peer companies or the industry.
•    Decision-oriented, so the board can provide oversight of management’s decisions, including resource allocation, security controls, and cyber insurance.
While that level of reporting may still be aspirational for some companies, directors can drive their organizations forward by asking the following five questions, and demanding answers backed by the sorts of metrics and reports that we suggest below.
Before we get to the questions, there’s an over-arching prerequisite for sensible reporting: Every key performance and risk indicator should be tracked against a target performance or risk appetite, respectively.
That means defining risk tolerances in an objective, clear, and measurable way—for instance, “our critical systems downtime should always be less than one percent”—so that an analyst’s gut feelings aren’t determining results.
1. What is the threat environment that we face?
The chief information security officer or chief risk officer should paint a picture of the threat environment (cybercriminals, nation-states, malicious insiders, etc.) that describes what’s going on globally, in our industry, and within the organization. Examples of good metrics and reports include:
•    Global cyber-related financial and data losses
•    New cyber breaches and lessons learned
•    Trends in ransomware, zero-day attacks, and new attack patterns
•    Cyber threat trends (information sharing and analysis centers)
2. What is our cyber-risk profile as defined from the outside looking in?
Boards should get cyber-risk assessments from independent sources. Useful sources of information include:
•    Independent security ratings of the company, benchmarked against peers
•    Third-party and fourth-party risk indicators
•    Independent security assessments (e.g., external consultants and auditors)
3. What is our cyber-risk profile as defined by internal leadership?
Management should provide assessments with tangible performance and risk metrics on the company’s cybersecurity program, which may include:
•    NIST-based program maturity assessment
•    Compliance metrics on basic cyber hygiene (the five Ps): passwords, privileged access, patching, phishing, and penetration testing
•    Percentage of critical systems downtime and time to recover
•    Mean time to detect and remediate cyber breaches
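The prerequisite stated earlier, that every key performance and risk indicator be tracked against an objective, measurable target, is easy to state and easy to get wrong in practice (incidents straddling the reporting boundary, quarters with no incidents). The following Python example, added here and not part of the original article, computes three of the metrics listed above (percentage of critical-system downtime, mean time to detect, mean time to remediate) from constructed incident records and flags each one against a stated tolerance. The incident data, system names and the 8-hour and 48-hour time targets are assumptions; only the 1 percent downtime tolerance comes from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Incident:
    system: str
    began: datetime       # when the outage or intrusion actually started
    detected: datetime    # when the security or operations team noticed it
    remediated: datetime  # when service was restored or the intrusion contained


# Reporting period and the systems the board treats as critical.
# Everything below is constructed sample data, not figures from the article.
PERIOD_START = datetime(2018, 4, 1)
PERIOD_END = datetime(2018, 7, 1)
CRITICAL_SYSTEMS = ("payments-api", "customer-db", "auth-service", "order-queue")

INCIDENTS = [
    # Entirely in the prior quarter: must contribute nothing.
    Incident("payments-api", datetime(2018, 3, 20, 10), datetime(2018, 3, 20, 11), datetime(2018, 3, 20, 14)),
    # Straddles the period start: only the hours inside the period count as downtime.
    Incident("auth-service", datetime(2018, 3, 31, 22), datetime(2018, 3, 31, 23), datetime(2018, 4, 1, 4)),
    Incident("payments-api", datetime(2018, 4, 10, 2), datetime(2018, 4, 10, 2, 30), datetime(2018, 4, 10, 6)),
    # Non-critical system: counts for detection/remediation times, not for downtime.
    Incident("hr-portal", datetime(2018, 5, 2, 9), datetime(2018, 5, 3, 9), datetime(2018, 5, 3, 13)),
    Incident("customer-db", datetime(2018, 6, 15, 20), datetime(2018, 6, 16, 8), datetime(2018, 6, 17, 8)),
]

# Risk tolerances, each an upper bound the metric must stay strictly below.
# 1% downtime is the article's example; the two time targets are assumed.
TOLERANCES = {
    "critical_downtime_pct": 1.0,
    "mean_time_to_detect_h": 8.0,
    "mean_time_to_remediate_h": 48.0,
}


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def critical_downtime_pct(incidents: Iterable[Incident], start: datetime, end: datetime,
                          critical_systems: tuple) -> float:
    """Percentage of critical-system hours lost in [start, end).

    Each incident is clipped to the period, so one that straddles a boundary
    contributes only its in-period hours and one outside it contributes zero.
    """
    available_hours = hours(end - start) * len(critical_systems)
    lost = 0.0
    for inc in incidents:
        if inc.system not in critical_systems:
            continue
        overlap = min(inc.remediated, end) - max(inc.began, start)
        lost += max(hours(overlap), 0.0)
    return 100.0 * lost / available_hours


def in_period(incidents: Iterable[Incident], start: datetime, end: datetime) -> list:
    """Incidents attributed to the period by when they began."""
    return [i for i in incidents if start <= i.began < end]


def mean_time_to_detect_h(incidents, start, end) -> Optional[float]:
    scoped = in_period(incidents, start, end)
    if not scoped:
        return None  # no incidents: report "no data", not a flattering zero
    return sum(hours(i.detected - i.began) for i in scoped) / len(scoped)


def mean_time_to_remediate_h(incidents, start, end) -> Optional[float]:
    scoped = in_period(incidents, start, end)
    if not scoped:
        return None
    return sum(hours(i.remediated - i.detected) for i in scoped) / len(scoped)


def scorecard(incidents, start, end, critical_systems, tolerances) -> dict:
    """Each metric beside its target and a yes/no tolerance result."""
    values = {
        "critical_downtime_pct": critical_downtime_pct(incidents, start, end, critical_systems),
        "mean_time_to_detect_h": mean_time_to_detect_h(incidents, start, end),
        "mean_time_to_remediate_h": mean_time_to_remediate_h(incidents, start, end),
    }
    return {
        name: {
            "value": None if v is None else round(v, 2),
            "target": tolerances[name],
            "within_tolerance": v is None or v < tolerances[name],
        }
        for name, v in values.items()
    }


if __name__ == "__main__":
    for name, row in scorecard(INCIDENTS, PERIOD_START, PERIOD_END, CRITICAL_SYSTEMS, TOLERANCES).items():
        status = "OK" if row["within_tolerance"] else "BREACH"
        print(f"{name:26} {row['value']!s:>8} (target < {row['target']}) {status}")
```

With this data the downtime metric stays under the 1 percent tolerance while mean time to detect exceeds the assumed 8-hour target, which is the kind of plain, numeric result that replaces a yellow box on a heat map. The clipping in `critical_downtime_pct` and the `None` result for an incident-free quarter are the two edge cases that most often distort quarter-over-quarter comparisons when they are handled ad hoc in a spreadsheet.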
4. Are we making the right business and operational decisions?
Cyber is not simply a technology, security, or even risk issue. Rather, it is a business issue and a “cost of doing business” in the digital economy. On the opportunity side, advanced technologies and digital innovations can help companies offer new products and services, delight their customers, and streamline or disrupt the supply chain. Because cyber is a top strategic issue, management should provide the board with risk and return metrics that can support effective oversight of business and operational decisions, such as:
•    Risk-adjusted profitability of digital businesses and strategies
•    Return on investment of cybersecurity controls
•    Cyber insurance versus self-insured
We believe the number should be zero when it comes to the percentage of directors dissatisfied with the cybersecurity information provided by management. Based on our own observations of board reports on the quality of cybersecurity reporting, there remain significant gaps. We hope our article will serve as a framework for directors and executives to discuss ways to close those gaps.

© 2018 Africa Institute of Directors. All Rights Reserved.