
- Board members often hesitate to ask critical cybersecurity questions due to a lack of technical expertise, weakening oversight and reinforcing dependence on CISOs and executives.
- Cybersecurity is treated primarily as a budget issue rather than as a strategic risk requiring in-depth engagement and risk appetite alignment.
- Effective oversight is hindered by communication gaps, limited board-level understanding of cyber risk, and a lack of formalized structures like cyber-specific subcommittees.
This qualitative study explored how cybersecurity risk is perceived and handled at the board level in some of the UK’s largest organizations. Through interviews with 18 C-level executives, CISOs, non-executive directors (NEDs), and consultants, researchers found that while cybersecurity is increasingly present on board agendas, it is commonly reduced to financial abstractions—mainly investment decisions—rather than being treated as a strategic risk. Boards rarely engage directly with the complexities of cybersecurity; instead, they rely heavily on reports from executives and CISOs, often without the knowledge or confidence to challenge the content. A fear of appearing uninformed causes many NEDs to refrain from asking deeper questions, ceding effective decision-making to CISOs and, in some cases, auditors.
The study highlights a troubling power imbalance between boards and cybersecurity leaders. CISOs shape both the agenda and the content of board-level cybersecurity conversations, effectively determining which risks and data are communicated. This undermines the board’s traditional oversight function. Compounding the issue is the failure to integrate cybersecurity into established risk management frameworks. Although “risk” is cited as a common language across business units, the translation of cyber threats into comparable risk metrics is often inadequate or overly simplified. In many organizations, risk appetite for cybersecurity remains undefined or poorly operationalized, further distancing cyber risk from traditional enterprise risk governance.
Participants emphasized the value of dedicated cybersecurity subcommittees, continuous board education, and third-party audits to improve board engagement. However, war-gaming exercises and regulatory pressures, while useful, were often seen as reactive or superficial. A few organizations had begun addressing these issues with targeted board training or by adding cyber-savvy NEDs, though the consensus was that a broader cultural shift is required. Regulatory bodies, while instrumental in surfacing cyber risk, typically lack the prescriptive detail needed to enforce meaningful board-level engagement.
Ultimately, the study calls for structural and regulatory changes to empower boards in their cybersecurity oversight roles. It suggests more standardized reporting requirements, industry benchmarking, and formal subcommittees to institutionalize cyber risk governance. The researchers also recommend improving communication channels between CISOs and boards by fostering a shared understanding of risk and bridging technical-business language divides. Without these changes, cybersecurity risk will continue to be managed in a reactive, fragmented manner, leaving organizations vulnerable despite growing awareness at the top.