At this point, most boards recognize the necessity of cybersecurity investments, understanding that a cyber event can be costly, damaging to brand reputation, and disruptive to operations. However, are boards paradoxically becoming worse at governing cybersecurity despite increased attention?

The Growing Cybersecurity Threat

Year-over-year, the cybersecurity landscape continues to worsen. The 2024 FBI crime report revealed a 33% increase in cybercrime losses compared to the previous year. Extensive research, including interviews with over 75 directors and executives, indicates that boards’ ability to mitigate cyber risk has only marginally improved despite greater emphasis on the issue.

Three Key Areas of Failure

Observations of board cyber governance reveal three prominent factors driving this problem:

  • Lack of cybersecurity expertise
  • Ignoring security implications in AI discussions
  • Mistaking regulatory compliance for genuine security

These issues are not insurmountable, but their persistence courts disaster.

The Lack of Cybersecurity Expertise

Many boards acknowledge a shortage of cybersecurity expertise. A recent study of 62 firms with 239 board members on cybersecurity committees found limited formal qualifications: only one director had formal cybersecurity education, five had certifications, and just 16 had relevant practical experience.

While adding cybersecurity-competent directors seems logical, the rapid pace of change in the cyber landscape can limit the benefits. As one director noted, “I’m the tech and cyber guy on all these boards…this stuff, AI and cyber, is moving so quickly. I have a hard time keeping up with it.”

What boards should do: Instead of focusing on adding directors with cybersecurity expertise, boards should prioritize selecting and overseeing effective cybersecurity executives. Directors should leverage their executive experience to assess the effectiveness of cybersecurity leadership, observing performance during incidents or simulated exercises.

AI: Opportunity and Overlooked Risk

Artificial intelligence is a central topic in boardrooms, often focused on strategic opportunities like disruption, efficiency gains, and new products. However, this focus often overlooks the significant security risks AI introduces.

Malicious actors can leverage AI to streamline malware generation, increase the scale and speed of attacks, and create highly convincing phishing campaigns, potentially leading to multimillion-dollar losses.

What boards should do: Boards must treat AI as both a strategic opportunity and a cybersecurity risk. This means structured oversight of AI-driven threats, ethical implications, and operational vulnerabilities. Key questions include: Are we prioritizing AI integration based on value or simply following trends? Are we making unnecessary tradeoffs between AI adoption and risk? How are our processes changing with AI, and what are the implications of disruption?

Compliance Is Not Security

The proliferation of cybersecurity regulations has led some boards to equate compliance with security. Board discussions of regulations consume considerable time, yet the connection between regulatory requirements and effective cybersecurity practice is often tenuous.

Organizations with sufficient resources often find limited value in cybersecurity regulations, as regulators may be poorly positioned to define best practices and bureaucratic processes can cause delays. One expert stated that regulations rarely add more than the existing threat of economic or reputational harm.

What boards should do: Boards should view cybersecurity as a competitive and operational resilience issue, driven by market incentives and organizational accountability, rather than solely a compliance matter.