In today’s world, cybersecurity threats pose a risk for organizations of all sizes and industries. Many leaders are aware of the danger. In fact, a recent OnBoard survey found that three-quarters of C-level executives, board presidents, general counsels, and corporate secretaries believe that growing cybersecurity threats and other technology-related concerns will have the most significant impact on their organizations.
As cyber threats continue to evolve, boards of directors must take an active role in guiding their organizations’ mitigation and response strategies. Yet, cybersecurity and digital risk management often aren’t a priority on the board’s agenda. That must change – and fast.
Recently, Chris Hetner, Special Advisor for Cyber Risk at the NACD and Chair of the Cybersecurity and Privacy Council for the NASDAQ Center for Board Excellence, joined us to discuss the intersection of governance, regulatory compliance, and cybersecurity risk mitigation. He shared expert insights on topics including:
- The current cybersecurity threat landscape and its implications for board-level risk management
- How to identify key cybersecurity oversight and regulatory compliance goals, along with strategies for effective board engagement in security matters
- How to integrate cybersecurity considerations into broader business strategy and decision-making processes
Here, we share top takeaways from this timely, compelling session.
When it Comes to Cybersecurity Threats, What’s Old is New
Hetner kicked off the session by discussing the current cybersecurity landscape. “I always say, ‘What’s old is new,’” he said. “We continue to see the same level of attack patterns, exploiting basic hygiene practices such as poor password security, weak authentication, perhaps systems aren’t configured properly in terms of applying the proverbial seatbelts to our technology environment.”
According to Hetner, neglecting basic cybersecurity hygiene – whether on computers, mobile devices, or cloud instances – can expose organizations to significant risks. Adversaries, ranging from nation-states and criminal organizations to insiders, competitors, and opportunistic individuals who are seeking financial gain, often exploit this “low-hanging fruit” to cause serious damage. “The common denominator is that they exploit fairly basic hygiene practices,” said Hetner.
Additionally, threats on the geopolitical stage persist. For instance, a wide range of nation-states are actively seeking to execute cyberattacks on critical infrastructure within the United States, aiming to disrupt business operations. We’re also witnessing foreign adversaries steal “droves of data” including social security numbers, account information, and other personal details. “It continues to persist and reinvent itself over time,” said Hetner.
Artificial Intelligence Amplifies Risk
In the past few years, we’ve seen rapid advancements in artificial intelligence. While AI offers substantial benefits to organizations that use it strategically, it also makes cybersecurity attacks more feasible for adversaries.
“The rise of artificial intelligence, agentic AI, and advancements within our corporate landscape continue to create more targets and opportunities,” Hetner explained. “Adversaries are using artificial intelligence and other automated methods to be more successful in the execution of those attacks.”
Simple Steps Can Help Organizations Mitigate Risk
Organizations can’t simply stand by as the risk of cybersecurity attacks continues to grow. Instead, they must take proactive steps to mitigate risk.
“We’ve got to get back to the basics, with proper blocking and controls within our environment,” said Hetner.
One example is using multi-factor authentication, where you’re not just reliant on a password. Hetner said there’s also a growing trend toward passkeys, which essentially replace passwords.
Tending to Your Supply Chain is Critical
According to Hetner, around 70% of cyberattacks originate from an organization’s supply chain. Therefore, it’s critical for organizations to properly manage their supply chains.
“While a supplier may augment your capabilities, there must be guardrails wrapped around that relationship,” he said.
First, organizations should maintain a comprehensive inventory of their suppliers. This process must be ongoing, as suppliers frequently enter and exit the organization. It’s also important to understand what data each supplier has access to and what controls they have in place.
“You have to ask if you have the right suppliers in your portfolio that maintain proper cybersecurity and technology hygiene,” said Hetner.
He said there are scanning tools available to examine the integrity of your supply chain. He also noted a growing trend of organizations simulating cyberattacks with suppliers to practice response strategies and identify any gaps.
Boards Aren’t Discussing Cybersecurity Enough
A cyberattack can have a devastating impact on any organization, and technological advancements are making these attacks even easier for criminals to carry out. Yet, many boards remain largely uninvolved in discussions about cybersecurity and digital risk management.
“I’d say roughly 75% are still unclear as to how the company is performing against a particular cyber threat,” said Hetner.
But why isn’t cybersecurity talked about more in the boardroom? According to Hetner, there are many reasons.
“Maybe the board doesn’t have the operational and technical background,” he explained. “Even if there is an operational or technical expert on the board, it tends to be a one-sided discussion between the CIO or CISO and the board member. The rest of the board often checks out because the conversation becomes too technical.”
“There is a disconnect,” he continued. “We should be bringing the entirety of the board into the conversation. It’s really about how we contextualize those cyber events to business, operational, legal, regulatory, and financial impact.”
Hetner suggested that bringing in outside expertise can be an effective way to help the board understand the potential business impact of cybersecurity risks and how to properly mitigate them.
Another reason cybersecurity often takes a back seat in the boardroom is the sheer volume of topics that board members need to discuss. “The board is totally overwhelmed,” Hetner explained. “There are growth strategies, tariffs, ESG issues … cyber gets maybe 20 minutes per year.”
It’s important to give cybersecurity the focus it requires. Hetner shared some practical recommendations for accomplishing this, including forming a dedicated risk committee to “sink their teeth into this topic” or bringing in external expertise.
“You’re not going to totally eliminate risk exposure,” concluded Hetner. “But you can potentially suppress exposure in such a way that it fits within your risk tolerance practices.”
About The Author

- Adam Wire
- Adam Wire is a Content Marketing Manager at OnBoard who joined the company in 2021. A Ball State University graduate, Adam worked in various content marketing roles at Angi, USA Football, and Adult & Child Health following a 12-year career in newspapers. His favorite part of the job is problem-solving and helping teammates achieve their goals. He lives in Indianapolis with his wife and two dogs. He’s an avid sports fan and foodie who also enjoys lawn and yard work and running.