What Boards Need to Know About Cybersecurity

Cybersecurity has evolved into a business-critical issue, impacting companies across industries, from retail to finance to healthcare. As the cyber threat landscape continues to expand, board members carry growing responsibility for managing cyber risk effectively. While board members may not need technical expertise, they must understand the stakes, identify potential vulnerabilities, and ensure their organizations have robust defenses and incident response strategies.

As a cybersecurity professional, you play a key role in preparing your board to meet these responsibilities. Here’s how we, as cybersecurity professionals, can help boards fulfill their fiduciary duties while navigating the complexities of today’s digital threats.

The Board’s Cybersecurity Imperative

Boards are tasked with managing enterprise risk and maximizing shareholder value. Neglecting cybersecurity opens the door to reputational harm, financial losses, and legal liability. According to IBM’s 2023 Cost of a Data Breach report, the average global cost of a breach has risen to $4.45 million, with critical infrastructure organizations bearing even greater financial and operational impacts.

Cybersecurity professionals must ensure board members are sufficiently informed to oversee these risks. Effective board engagement begins with identifying a company’s crown jewels and assessing potential cyber vulnerabilities.

Key Cybersecurity Areas for Boards

This section lists five key cybersecurity responsibilities for board members.

1. Crown Jewels and Data Assets

Boards must understand which assets are most critical to their business operations. Cybersecurity professionals should help boards evaluate the associated risks through real-world examples:

  • Insider Data: Consider the 2017 Equifax breach, where exposed proprietary algorithms and unpatched vulnerabilities led to the exposure of over 147 million individuals’ personal data.
  • Personally Identifiable Information (PII): In the healthcare sector, ransomware attacks targeting patient data (e.g., the 2021 Colonial Pipeline breach impacting payment systems) illustrate the interconnected nature of operational and reputational risks.
  • Intellectual Property (IP): Advanced persistent threats (APTs), like those attributed to state-sponsored groups, often target proprietary manufacturing processes or patents essential to industry competitiveness.
  • Reputation: Trust that forms the bedrock of shareholder, customer, and employee confidence.

As a result, communicating the business impact of exposing such assets is key to spurring action at the board level.

2. Defining Risk Appetite and Cybersecurity Investment

Boards need to weigh cyber risk against the potential return on security investment, and they should be able to articulate that balance with concrete metrics and benchmarks.

  • Budget Allocation: Industry leaders like Gartner suggest allocating 10%-15% of the technology budget to cybersecurity. Assess whether this benchmark aligns with the company’s size, sector, and risk profile.
  • Cost of Inaction: Use incidents like the Target breach in 2013, where a phishing attack on a vendor led to a $292 million loss, to underscore the cost of inadequate investment.

By understanding the financial and operational implications, boards are better equipped to prioritize cybersecurity spending.

3. Incident Response Readiness

An organization is only as prepared as its incident response plan. Boards should understand their company's readiness, particularly for crisis situations. To be prepared, an organization should have the following in place:

  • Incident Response Documentation: Review decision trees for when to notify the board, internal steps for continuity, and external regulatory requirements.
  • Tabletop Exercises: Demonstrate breach response scenarios, emphasizing timelines for containment, communication, and recovery.
  • Case Studies: Analyze breaches like the SolarWinds attack (2020) to highlight the cascading effects on supply chains and how preparedness can mitigate long-term impacts.

4. Periodic Cybersecurity Training

Cybersecurity professionals must ensure board members receive regular updates and training. Recommended approaches include:

  • Real-world simulations: Conduct phishing campaigns or ransomware drills to illuminate risks.
  • Sector-Specific Threats: Illustrate unique vulnerabilities—like IoT threats in healthcare or insider data risks in finance—to foster sector-relevant awareness.
  • Regulatory Requirements: Educate the board about emerging compliance standards, such as the SEC’s cybersecurity disclosure rules that require prompt reporting of material incidents.

Regular updates turn cybersecurity into an ongoing conversation, rather than a sporadic agenda item.

5. Establishing Robust Oversight Mechanisms

Cybersecurity professionals should help their boards define their governance responsibilities over cybersecurity programs. Essential measures include:

  • Direct CISO Communication: Encourage routine board-level presentations from the CISO, covering threats, response readiness, and resource needs. Examples include the proactive posture taken by companies like JPMorgan Chase, where the CISO reports quarterly.
  • Formal Reporting Mechanisms: Provide regular cybersecurity dashboards summarizing key metrics such as attack attempts, vulnerabilities patched, and compliance gaps.

This structured approach turns cybersecurity discussions into actionable strategic planning sessions.

Cybersecurity’s Role in Business Continuity

Boards often underestimate the operational impacts of a breach. Highlighting the business continuity plan ensures alignment on critical functions such as:

  • Backup and Recovery: Emphasize robust systems that minimize downtime. The example of the Maersk ransomware attack illustrates how data redundancy and preparation can lead to swift recovery, saving millions.
  • Third-Party Partnerships: Recommend engaging trusted cybersecurity firms for threat assessments and incident mitigation to complement internal capabilities.

Driving Strategic Board Engagement

Cybersecurity professionals play a key role in fostering strategic engagement with the board. These final tips are worth considering:

  • Clarify Responsibilities: Ensure board members understand the duty of care in the context of cyber risk, including compliance with disclosure laws.
  • Involve the Board in Insurance Evaluations: Collaborate on assessing policies like Directors and Officers (D&O) and cyber insurance to evaluate terms that align with the company’s risk profile.
  • Advocate for Cyber-Savvy Directors: Companies like FedEx and General Motors have introduced board members with cybersecurity expertise to navigate evolving threats. Propose similar approaches for your organization.

The Bottom Line for Cybersecurity Professionals

Our expertise as cybersecurity professionals can empower boards to protect their organizations against the ever-changing threat landscape. By delivering actionable insights, facilitating education, and demonstrating the intersection of cyber threats with operational and financial risk, we help boards align cybersecurity with their broader fiduciary duties.

Today’s boardroom conversations must treat cybersecurity not as a technical nuisance but as a fundamental aspect of risk management and corporate governance. Every day that passes without engagement leaves the door open to vulnerabilities and undermines the board’s ability to meet its cybersecurity responsibilities.

Note: This article is also published on Linkedin.