How Boards Can Set Enforceable Cyber Risk Tolerance Levels

DARKReading, Wednesday, May 10, 2023

Boards love to say they have low risk tolerance, but are they willing to make the expensive and painful decisions to make it truly happen?

It is becoming common for boards of directors to choose a low level of risk tolerance for the enterprise. The problem is that the action typically stops there, with no new directives to the CEO or the CFO to make different decisions in support of it.

The optimum next steps don't necessarily involve more money, though increased cybersecurity funding is the most obvious and often necessary move. They can also involve granting the authority to make the changes needed to upgrade the enterprise's risk position.
