June 1, 2015
Faced with the growing threat of cyberattack, boards of directors and C-level executives of public and private companies alike are becoming increasingly aware that they need to establish and maintain strategies for preventing, detecting, and containing cybersecurity threats. While these decision makers may not be involved in the day-to-day operation of their information technology or data assets, it is increasingly clear that they must have at least a basic understanding of how the company's network systems, the very systems exposed to attack, are managed and defended. As Nick Milne-Home of the software lifecycle management firm 1E pointed out recently at the MIT Sloan CIO Symposium, "If you focus on security only, without systems management, it is like putting a state-of-the-art burglar alarm into your home while leaving the doors and windows open."
While federal policymakers have signaled deep concern about cybersecurity and the role it plays in the health of the nation's economy, Congress has not yet made any significant move to compel particular business practices in this area. In lieu of legislation, several federal agencies have published guidance on what they consider "best practices" for reducing the risks associated with cybersecurity threats. Much of that guidance, however, such as the Cybersecurity Framework released by the National Institute of Standards and Technology (NIST) in February 2014, is written for IT experts. That limits its usefulness to audiences who are unfamiliar with technology industry jargon and with the existing security standards on which the agency guidance draws.