Source: Harvard Business Review
Author: Jeffrey Proudfoot
URL: https://hbr.org/2026/04/boards-are-falling-short-on-cybersecurity
ONE SENTENCE SUMMARY:
Boards increasingly prioritize cybersecurity but undermine governance by lacking expertise, ignoring AI risks, and equating compliance with resilient security.
MAIN POINTS:
- Cyber events impose severe operational, reputational, and financial harm, potentially threatening organizational survival.
- Despite heightened board attention, cyber risk mitigation capability has improved only marginally.
- FBI 2024 data shows cybercrime losses rose 33% year-over-year, worsening the threat landscape.
- Three governance failures dominate: limited expertise, AI discussions without security, compliance mistaken for security.
- Cybersecurity committees rarely include qualified experts; formal education and certifications are uncommon.
- Recruiting a “cyber-savvy” director provides limited value because threats and technologies evolve too fast.
- Governance should prioritize selecting, evaluating, and overseeing strong cybersecurity executives over board upskilling.
- Boards can assess leadership through breach responses, tabletop exercises, and cyber fire drills.
- AI boosts attacker capabilities via automated malware, spear phishing, and deepfake-enabled fraud.
- Regulations often lag and add little beyond market incentives; resilience and accountability drive better outcomes.
TAKEAWAYS:
- Shift board oversight from technical mastery toward rigorous governance of cybersecurity leadership performance.
- Make AI oversight a security, ethics, and operational resilience agenda—not just a growth strategy topic.
- Treat compliance as a baseline; measure security by business continuity and resilience outcomes.
- Strengthen executive reporting with clear, relevant briefings and a regular, strategic cybersecurity cadence.
- Address ecosystem risk by scrutinizing partners, integrating third-party threats into continuity plans, and building redundancies.