
Understand, Guide, Act

Cyber breaches continue to make headlines, and their impacts are increasingly being felt across industries. As organizations tackle these evolving risks, executives, directors, and committees of the board are facing pressure from shareholders and scrutiny from regulators to build robust cyber strategies.

While board members have an opportunity to defend their organization's interests by prioritising sound and robust cyber defence, they may not know where to start. Understanding their organization's risk profile, their role in supporting and empowering leadership, and their own responsibilities to act can be daunting. To provide a perspective on how directors can become more effective on this front, KPMG built a straightforward framework informed by extensive global research: Understand-Guide-Act.

Understand-Guide-Act is the first framework of its kind, designed to provide directors and boards with actionable guidance to help them understand and discharge their responsibilities around cyber security. The scalable and industry-agnostic principles enable sound and risk-informed decision making, while championing the same pillars of good governance boards are familiar with.

And it all begins with understanding the risk.

Understand

No two cyber strategies are the same. While there may be some similarities within industries, each organization's approach is defined by its unique business priorities, risk appetite, and threat landscape. It is incumbent on boards of directors to look carefully at internal, external, and regulatory factors impacting their organization to inform their understanding of the overall risk profile. By consulting with tech, cyber, and risk leaders within their organization, directors may enhance and contextualize their understanding through the use of various tools. These may include:

  • Risk reporting: By conducting timely, actionable, and contextualized reporting on a recurring basis, security leaders can provide directors with a clear view of their risk profile and areas of focus. Effective risk reporting offers insight into how the organization's security programme is guarding against top risks, while informing the continuous development of relevant security strategy. Rather than simply reporting on performance metrics, risk reporting ties security initiatives and capabilities to their associated business risks, making plain the 'so what' of security investments.
  • 'Crown Jewels' Identification: In order to invest responsibly in effective security measures, it is important that organizations identify the information and systems which are critical to their business. Inventorying and prioritizing these assets is an essential step in designing and implementing an appropriate security strategy. Crown Jewels identification will also enable directors to meaningfully discuss priorities and risk areas with security, risk, and technology leaders in business terms.
  • Incident response readiness: Directors are increasingly facing pressure to ensure that their organization has and exercises a robust and holistic cyber incident response plan. While design and implementation may fall to the executive leadership team, oversight of the incident response plan as well as understanding their role in its execution is incumbent on the board.
  • Regulatory compliance: As with many other areas of their business, boards have a responsibility to understand their organization's regulatory requirements across jurisdictions when it comes to cyber and privacy. As these requirements shift and evolve, directors may wish to look to their executive leadership team, internal counsel, or external advisors to provide them with a point of view on how to meet requirements and demonstrate compliance.
  • Audit visibility: Regularly engaging with internal and external audit teams on cyber security matters provides directors with an understanding of how the organization's security controls and capabilities are performing. Boards or their audit committees should understand the broad scope of the cyber audit plan and schedule, and receive regular updates on the relative importance of open items.

Guide

By first equipping themselves with an understanding of the organization's cyber threat landscape, risk profile, regulatory requirements, and programme performance, directors are able to support executive leadership's cyber security efforts. Understand-Guide-Act outlines five areas where that board-level support is most valuable:

  • Risk management: Boards and their risk committees are in a position to provide guidance to senior management to enable them to develop a cyber risk management programme which is aligned to ERM and designed to safeguard the organization's most important assets.
  • Strategy development: Boards are able to provide guidance to senior management to enable the creation and execution of a cyber security strategy which is aligned to the broader business strategy. Working with executive teams, directors can assist in the development of a cyber strategy which is sustainable, and which has sufficient funding and resources.
  • Risk appetite definition: In order to enable appropriate resourcing for priority areas, boards can assist leadership teams in developing clearly articulated risk appetite statements. These statements, aligned to broader ERM, can help guide the prioritization of security efforts.
  • Accountability mapping: In order to clearly define roles and responsibilities, boards should provide guidance to senior management to identify levels of accountability for cybersecurity within the organization and should provide a forum or committee for board-level oversight of cybersecurity activities.
  • Partnership building: Boards should provide guidance to senior management to build strategic relationships with partners from government, regulators, law enforcement, and the private sector to proactively collaborate on security issues.

Act

As with other areas of the business, it is incumbent on boards to provide responsible oversight and governance of cyber security activities. The Understand-Guide-Act framework describes five key areas across which boards can take meaningful action to enable corporate cyber governance:

  • Security culture: Boards should act to promote a culture of cyber security awareness across the organization by setting a tone at the top which promotes security considerations being embedded in day-to-day activities enterprise-wide.
  • Scrutiny and feedback: Boards and their committees have the opportunity to demonstrate due diligence by analysing and scrutinising cyber risk management updates provided to them by the executive leadership team.
  • Time allocation: In order to promote the effective rollout of a robust cyber security strategy and program, boards should act to ensure that cyber issues are given adequate time in committee and full board meetings. Additionally, there is value in creating opportunities for directors to interact with security leaders outside of these formal meetings.
  • Executive empowerment: As cyber security and risk leaders develop and implement a strategy to safeguard the business, boards should act to ensure that they are adequately empowered.
  • Expertise development: By taking action, including addressing potential gaps in board composition, individual directors' expertise, access to strategic advisors, and in-house cyber training, boards and their directors have the opportunity to enhance their overall cyber-awareness as well as that of the organization as a whole.

Directors will increasingly be called upon to understand and meet their cyber security responsibilities. As high-profile breaches keep making headlines, and as legislation continues to evolve across jurisdictions, shareholders and regulators alike are looking to boards to provide a sophisticated level of understanding and oversight of cyber security within their organizations.

By equipping themselves with the right tools and advice, boards can take concrete steps to promote their organization's priorities and safeguard their business.