For years, cyber risk was relegated to the world of information technology (IT), managed by security and engineering teams as part of their operational responsibilities. However, as the digital world becomes increasingly interconnected and hovers with threats from nation-state adversaries, ransomware gangs, and other cybercriminals, this limited approach is no longer viable. Today, corporate leaders and board members are realizing that cyber risk is not merely an IT issue but a strategic enterprise risk that demands their direct oversight.
This shift reflects an urgent need for organizations to rethink how they approach cybersecurity. The stakes have never been higher: cyber threats not only harm company operations but also pose significant risks to national security and systemic resilience.
Recognizing this, the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the National Association of Corporate Directors (NACD) and the Internet Security Alliance, has developed the NACD Director’s Handbook on Cyber-Risk Oversight. This handbook lays out a comprehensive framework for integrating cybersecurity into board governance and offers actionable guidance for leaders to foster a culture of sustainable cybersecurity.
Boards as Stewards of Cyber Risk
The NACD Director’s Handbook emphasizes a fundamental shift: cybersecurity must be treated as a core element of corporate governance. Board members hold the power to drive this change through their actions and decisions, ensuring that cybersecurity considerations are embedded in the organization’s strategic priorities.
But what does this look like in practice? Here are the key actions boards can take:
Empowering the CISO
Chief Information Security Officers (CISOs) are at the frontline of a company’s cybersecurity efforts. Yet, they often lack the authority or resources to make impactful decisions. Boards must ensure that CISOs are fully empowered to prioritize cybersecurity effectively. This includes providing them with the influence, budget, and tools necessary to address emerging threats.
Moreover, decisions that prioritize cost, speed to market, or product features over security should be made transparently. Such trade-offs must involve not just the CISO but also the CEO and board members, with full visibility for potentially impacted customers. Cybersecurity, as a matter of safety, cannot afford to lag behind innovation.
Educating Leadership on Cyber Risk
Cyber risk literacy is no longer optional for corporate leadership. Boards must ensure that their peers and senior executives understand the critical nature of cyber threats and the potential consequences of inadequate defenses. This includes integrating cybersecurity considerations into every business, technology, and software acquisition decision.
Additionally, boards should scrutinize decisions to accept rather than mitigate cyber risks and revisit these decisions regularly. To manage cyber risk more effectively, some organizations are establishing dedicated cybersecurity or technology risk committees—moving beyond the traditional audit committee approach, which often treats cybersecurity as a compliance issue.
Building a Cyber-Risk Management Framework
A strong cyber-risk management framework is essential for measuring and mitigating exposure to cyber threats. Boards should review and approve the development of standardized metrics and benchmarks to assess the organization’s cybersecurity posture.
These standards enable consistent evaluation and provide a clear picture of the company’s vulnerabilities.
Lowering Reporting Thresholds
One of the most overlooked aspects of effective cyber governance is the reporting of near misses. Often, thresholds for reporting malicious activity to senior management are set too high, leaving critical learning opportunities unaddressed. Boards should require regular briefings on both successful intrusions and near misses, as these incidents reveal gaps in defenses and test the organization’s response capabilities.
Fostering Collaboration Over Isolation
The cyber threat landscape is too vast and complex for organizations to tackle alone. Boards must champion a culture of collaboration, encouraging companies to share information about malicious activity with industry peers and government agencies. This proactive sharing can lead to quicker, more effective responses while fostering trust between the private and public sectors.
A New Model for Sustainable Cybersecurity
CISA and its partners advocate for a new model of sustainable cybersecurity—one that begins with a commitment from the top. This model requires CEOs and boards to view cybersecurity not as an isolated function but as an integral part of good governance. It’s about creating a culture where managing cyber risk is as ingrained in the organization as financial oversight.
As NACD notes, cybersecurity literacy should be treated like financial literacy: while not every board member needs to be a cybersecurity expert, all members should have a baseline understanding of cyber risks and their implications. Just as directors are expected to read financial statements, they must also grasp the fundamentals of cybersecurity to make informed decisions.
Corporate Cyber Responsibility: The Time is Now
In today’s environment, boards and CEOs must embrace corporate cyber responsibility as a non-negotiable aspect of governance. Every organization must safeguard its employees, partners, and customers against cyber threats. This commitment begins with holding senior leaders accountable for managing cyber risk and ensuring that they are directly involved in key cybersecurity decisions.
The NACD Director’s Handbook outlines actionable steps to achieve this goal, emphasizing the importance of:
- Empowering CISOs and aligning their efforts with organizational priorities.
- Educating board members and executives on the evolving threat landscape.
- Developing standardized frameworks for assessing and mitigating cyber risks.
- Encouraging information sharing and collaboration across industries and with government partners.
To Sum Up
The digital threats facing organizations today are not just operational challenges—they are existential risks that demand immediate and sustained attention from corporate leaders. By adopting the principles outlined in the NACD Director’s Handbook, boards can transform their approach to cybersecurity, ensuring that it is treated as a strategic priority.
The message is clear: cybersecurity is not just an IT function; it is a culture, a governance issue, and a shared responsibility.
The time has come for boards to step up, lead by example, and redefine what it means to be resilient in an interconnected world.
