> "Boards are now retaining third-party technology expert-futurists, cyber risk experts, inventors--to make sure the board is kept updated and has access to outside perspective to help validate what they hear from management." > -- Dr. Richard LeBlanc, Professor of Governance, Law and Ethics

Something fundamental shifted in how boards must approach cybersecurity. It is no longer enough to hear a quarterly update from the Chief Information Security Officer and move on. Directors are now expected to understand cyber as a business resilience issue, a fiduciary responsibility, and increasingly, a personal liability concern.

The warning signs have been building for years. In October 2022, the U.S. Federal Trade Commission announced a settlement with alcohol delivery service Drizly and its CEO over a data breach affecting 2.5 million consumers. The agency required the company to implement a data security program--and bound the CEO personally to security requirements in future roles. Sanctioning the CEO personally was unusual, and it signaled something important: regulators would no longer treat cybersecurity failures as purely organizational problems.

Since then, the stakes have only risen. The European Union's NIS2 Directive, now being transposed into national law across member states, explicitly holds board members accountable for cybersecurity governance failures. In the United States, the Securities and Exchange Commission's 2023 disclosure rules require public companies to report material cybersecurity incidents within four days--and to describe their board's oversight processes. The Digital Operational Resilience Act (DORA) now imposes similar accountability on financial entities and their technology service providers.

What does this mean for directors in practice? It means the questions you ask, the expertise you access, and the rigor you apply to cybersecurity oversight must evolve. Here are the questions that should now be standard in every boardroom.

1. What Is Our Current Cybersecurity Posture, and How Mature Is Our Function?

This question sounds basic, but it remains the foundation of effective oversight. You need to understand not just what security controls exist, but whether they are proportionate to your organization's risk profile.

Ask your CISO for an honest assessment of the cybersecurity function's maturity. Is it reactive, responding to incidents as they occur? Or is it proactive, anticipating threats and building resilience before problems arise? Understanding the staffing structure (how many security professionals per thousand employees, how the function is funded, whether it can attract and retain talent) gives you critical context.

The CISO's role has become one of the most demanding in the executive suite. According to research by Nominet, the average tenure of a CISO is just 26 months. A quarter of CISOs surveyed reported that their boards did not accept that breaches were inevitable, and that boards would hold them personally accountable for incidents. This is unsustainable. When your CISO asks for resources (additional headcount, training budget, technology investments), assume they are asking in good faith. Underinvesting in cybersecurity is a false economy; the cost of recovery from a major incident almost always exceeds the cost of prevention.

2. What Are Our Biggest Cybersecurity Risks, and How Are We Mitigating Them?

Cybersecurity risks come from multiple sources: external attackers, supply chain compromises, human error, and increasingly, the AI systems your organization is deploying. The board needs visibility into which risks are most material to the business and what strategies are in place to address them.

Request regular risk summaries from your CISO that include not just identified threats but their potential business impact. A sophisticated ransomware attack does not just encrypt systems; it halts operations, damages customer trust, triggers regulatory investigations, and exposes the organization to litigation. Make sure risk assessments connect technical vulnerabilities to business consequences.

Pay particular attention to third-party risk. Most organizations rely on dozens or hundreds of vendors for critical services--cloud providers, payroll systems, customer relationship management platforms. Each represents a potential entry point for attackers. Ask how your organization assesses vendor security and whether you have visibility into their security postures, not just their assurances.

3. How Much Are We Spending and Is It Sufficient?

Cybersecurity spending is often opaque to boards. You may see a total IT security budget without understanding whether it covers the right things. Ask for breakdowns: how much goes to prevention versus detection versus response? What is the investment in security awareness training? How much is allocated to technology refresh versus maintaining legacy systems?

Legacy systems deserve particular attention. Many organizations continue to rely on outdated technology that vendors no longer support. In January 2023, Cisco warned of critical vulnerabilities affecting end-of-life routers, equipment last sold in 2020, with no patches forthcoming. These systems cannot be fully secured. Your organization should have a clear roadmap for retiring or replacing legacy infrastructure, with realistic timelines and budgets.

4. Do We Have a Tested Incident Response Plan?

Despite best efforts, breaches happen. The question is not whether your organization will face a cybersecurity incident, but whether you are prepared to respond effectively. Your incident response plan should be a living document, not a binder gathering dust.

The board has specific responsibilities during a crisis. You may need to decide whether to pay a ransom; my advice is almost always no, except in truly exceptional circumstances with no alternative recovery path. You will need to liaise with major customers who may be affected. You must be available for emergency consultations with executives as the situation develops.

These decisions cannot be made in the moment without preparation. Insist on tabletop exercises that simulate major incidents. These exercises reveal gaps in coordination, clarify decision rights, and ensure that when a real crisis occurs, your team knows how to execute rather than improvise.

5. Are We Compliant With Evolving Regulations and How Are We Monitoring Changes?

The regulatory landscape has become significantly more complex. Beyond sector-specific requirements, organizations now face cross-cutting obligations: NIS2 for critical infrastructure and important entities across the EU; DORA for financial services; SEC disclosure rules for public companies in the U.S.; and AI governance frameworks and regulations.

Your organization needs processes to monitor regulatory developments and assess their applicability. This is not a set-and-forget exercise. Regulations change, enforcement priorities shift, and what was optional yesterday may be mandatory tomorrow. Ensure you have access to qualified legal and cybersecurity expertise to interpret these requirements for your board.

Building the Right Structure

Effective oversight requires the right committee structures. There is no single best approach, but several models work:

  • Governance and risk committees can oversee cybersecurity as part of broader risk management responsibilities
  • Audit committees can review whether security policies align with standards and best practices
  • Dedicated cybersecurity committees provide focused attention, typically led by the CISO with representation from IT, legal, and human resources
  • Technology committees ensure security considerations are embedded in technology strategy and investment decisions

The trend is toward greater board access to cybersecurity expertise. Whether through a dedicated committee chair, an independent advisor, or board education programs, directors need independent sources of insight, not just management's perspective.

Culture Is the Foundation

Ultimately, technology and processes matter less than culture. As I have written before, a strong cybersecurity culture requires four elements: commitment from leadership, obsession with prevention, collaboration across departments, and willingness to learn from mistakes.

This culture starts with the board. When directors treat cybersecurity as a strategic priority, ask probing questions, and hold management accountable for addressing gaps, they signal that security is everyone's responsibility. When boards treat it as a technical matter to be delegated, they create blind spots that attackers exploit.

The board's cyber agenda has indeed changed. The directors who adapt, who develop fluency in risk, who ensure their organizations are resilient, who treat cybersecurity as a governance imperative, will protect not just their organizations, but their own positions. Those who do not adapt risk learning the hard way that, in 2026, cybersecurity failure is board-level failure.

Published March 25, 2026 | Originally appeared in modified form in "The Book on Cybersecurity" (2023)