Foreword
As a Board Member and a CISO, we frequently engage with company leadership across sectors
on cybersecurity and technology risk. In these engagements, it is clear that cyber is top of mind for
every organization.
As such, we thought it would be timely to share our perspective on how the Board can best address
cybersecurity and risk along with ways to take a more proactive role in these areas – now and in the future.
One lesson we’ve learned is that Board awareness and subsequent guidance in this area are absolutely
critical to every organization’s long-term success.
When we engage on these issues, Board members often ask: what types of conversations should we
be having about cybersecurity and what types of questions do we need to be asking our C-Suite?
The answer is that Boards should work to ensure that security management teams inventory critical
assets and business processes, convey top risks and mitigations (and measure their success), and
communicate accepted residual risk. Above all, Boards, CEOs and other executives should ask probing
questions about technology and digital capability, not just review what are often lagging indicators of cyber performance.
To help with this effort, we’re releasing the first edition of the Google Cybersecurity Action Team’s
Perspectives on Security for the Board report. This report series is intended to help Board members
sharpen their cybersecurity knowledge – including how to address cyberattacks and understand how
likely they are to impact their organization – and prepare them for potential regulatory obligations.
In this inaugural report, we (1) cover the Board’s roles and responsibilities in cyber risk oversight; (2) provide guidance on how Boards should navigate the cyber threat landscape; and (3) explain how Boards should engage on emerging issues surrounding artificial intelligence (AI) and cybersecurity. We hope you find it informative and look forward to connecting with you more on these important topics.
Betsy Atkins (Chairman, Google Cloud Advisory Board)
Phil Venables (CISO, Google Cloud)
The Board’s Role in Cyber Risk Oversight
Cyber-related risk remains one of the top concerns facing organizations today. Addressing cyber risk is
a challenge for nearly any company and its Board, so it is increasingly important for Board members
to conduct relevant oversight and help guide risk management priorities. Governments globally are
increasingly implementing regulatory measures to raise compulsory cybersecurity baseline standards,
including requirements to report cyber incidents to the relevant government authorities. In recent weeks,
we’ve seen two such initiatives from the U.S. Securities and Exchange Commission, which contain hundreds of pages of proposed rules on cybersecurity, incident reporting, and systems integrity.
To be effective, Boards should view cyber risk through the lens of overall business risk. This requires that
Boards integrate cybersecurity and resiliency into their business strategy, risk management practices,
budgeting, and resource allocation, reinforcing that cyber risk is everyone’s responsibility.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) can
be a useful tool for Boards when thinking about cybersecurity. The NIST CSF is designed for use by
organizations of different sizes across multiple industries, and provides a structured approach and a common
taxonomy for Boards to have more impactful discussions with their CISO and cybersecurity teams. The value of the
NIST CSF and other frameworks lies in their structure, which helps organizations achieve better cybersecurity outcomes.
The Framework is made up of five functions – Identify, Protect, Detect, Respond, and Recover.