Cybersecurity and the Board of Directors

Kerie Kerstetter
The board of directors sits at the top of an organization and as such is responsible for knowing everything about its company, from how it operates to the risks that threaten its success.

One risk that cannot be ignored is the growing threat of cyberattacks. A rash of high-profile data breaches and cyber threats has made headlines in recent years. Yet many organizations remain in the dark about what they can do to protect themselves from digital threats.

There's no time like the present for your board of directors to educate themselves on good cybersecurity practices, including countermeasures they can implement now to avoid disaster later.

What Basic Principles Should Every Board of Directors Know About Cybersecurity?

First, boards should understand that good cybersecurity practices start from the top down. They need to appreciate the changes to the cybersecurity threat landscape and the limitations of conventional defenses. Only then can they start to shape advanced protections for their business.

Technology's rapid advance means the nature of cyber threats is in constant flux, but there are basic categories of attacks that bad actors continue to use. These include:
  • DDoS attacks: Short for "distributed denial of service," DDoS attacks are executed with the goal of rendering a service or website unavailable by disrupting its connection to the internet.
  • Malware: Malware is malicious software installed without the user's knowledge or through false pretenses such as a fake software update. Once installed, malware can do anything from logging keystrokes to sending personal information back to the hacker.
  • Ransomware: A type of malware, ransomware locks a user out of a system and destroys their files within a set period unless the user pays a ransom to the attacker.

Additionally, boards of directors should know that conventional firewalls might not be enough of a defense when a company is connected to clients and the public via the internet. Each one of those connections creates an opening for attack, and the more distributed the business (and its network), the more openings are created. Security measures should be distributed at these points, not centralized.

It's also a fact that no defense is airtight. The mindset shouldn't be to wait until the enterprise is completely secure before operating. Rather, it should be to make the business secure enough to operate successfully with minimal risk.

And finally, boards should understand that success with cybersecurity measures is local. Focusing on threats specific to your business will do the most good. Be mindful of what is happening to others who don't take security seriously, but use it as a learning experience instead of panicking.

What Cybersecurity Bases Would Every Board Cover in a Perfect World?

In a perfect world, boards would adopt a good cybersecurity posture in the following three areas:
  • Defenses
  • Customers
  • Response

Defenses

To adopt defenses that are effective, boards must follow changes in the cybersecurity threat landscape and undertake due diligence to protect themselves in the event of a cyberattack.

Boards following this recommendation would not only have effective perimeter defenses in place, but also global security measures implemented via the cloud to protect assets and communications around the world.

Internal communications would be monitored, and the business would remain just as vigilant to internal threats as external ones. The board might, for example, implement secure messaging systems to keep sensitive information from getting out.

Most importantly, boards would hire experts regularly to test their defenses. If, and when, a weakness is exposed by a skilled penetration tester, it would be fixed immediately.

Customers

Customer interactions need to be constantly monitored to ensure customers have a good and secure experience. An ideal board would make efforts to understand their customers' online behaviors and watch for signs of abnormal access.

Steps would be taken to ensure real humans, not bots, are the ones interacting with the business online. Customers would be notified if it appeared their data or identities were stolen. These steps taken to protect privacy and data would help maintain customers' trust.

Response

Boards should make sure their business is ready to respond to a cyber threat, even in the worst-case scenario. Ideally, teams would be trained in countermeasures and mitigation steps in the event of a cyberattack or breach.

A plan would be in place laying out who the business will engage with and how. That plan would include the business's executive management and legal staff. Processes would be in place for evidence collection and conducting a forensic investigation.

Realistic response exercises would be conducted to make sure the team is ready to respond to a threat quickly. Proper incident response would be drilled repeatedly to increase staff response efficiency.

In a nutshell, boards should be able to say that their company is protected as well as possible, that their customers are protected as well as possible, and that their staff is ready to act and prepared for unexpected contingencies.

However, this isn't the case for a lot of companies.

What's Standing in the Way of Better Cybersecurity?

The reasons companies don't invest in better and more complete cybersecurity measures usually come down to:
  • Lack of funds
  • Lack of context
  • Lack of direction

It isn't always easy to determine what's an acceptable level of risk, or how protected a company really is from cyber threats. If you're not even sure what to look for in the first place, that gets much harder.

The people responsible for cybersecurity spending might have trouble justifying the expense. Cyber threats can often seem abstract and far-off if they haven't seriously affected your company.

To get a better idea of what the risk of cyber threats looks like for your company, CEO of Allure Security Josh Shaul recommends determining your business's "risk appetite." In other words, determine what your tolerance for risk is in certain areas and align your actions around that.

For example, the United States Treasury Department has zero risk appetite for unauthorized access to their systems. That means controls in that area must be absolutely airtight. The Treasury has a moderate risk appetite for using technology to meet customer demands, so they're more willing to experiment with controls at that level.

Developing Your Own Risk Appetite

When developing your risk appetite for cyber threats, it helps to look at industry benchmarks or general cybersecurity maturity models. Look at what the strongest members of your industry (the ones with the most to lose) are doing, and adopt those practices as your own.

Third-party organizations can assess your level of risk and determine where you could strengthen your defenses. You can also look at each area of your business yourself and decide what level of risk you're comfortable taking on. This can help identify actions you need to take and security measures you should put in place to protect specific aspects of your business.

Cybersecurity maturity models generally have five levels, and when a company is assessed, it learns where it fits on that scale: its level of "maturity." A company that finds itself at level two, for example, would need to step up its countermeasures.

Part of determining risk appetite is figuring out what you're willing to do without, or possibly lose, in the event of a cyber attack. Are you willing to cut off access to your site for 30% of users to contain a threat when those users expect access 24/7? What kinds of intrusion are you most at risk for, and how will you contain that risk?

An effective risk determination puts you in the attacker's place. What points of entry would they use? What areas of your infrastructure are the most vulnerable? What can you do to shore them up? What will you do if those measures somehow fail? All these things are key to determining your risk appetite, which drives the level of risk maturity your company will reach.

Visibility Is Key

Getting an accurate picture of your enterprise's network and computing infrastructure is one of the most important steps you can take toward better cybersecurity. Identifying all the access points (networks, servers, website URLs, computers) can be a daunting and time-consuming task. But it should be done regardless.

Communicate with your board and take an accurate inventory of all the networks, systems and data at your company. Know where the most sensitive data is stored, who's responsible for it and what security measures are already in place.

Look in every dark corner. Leaving problems unsolved and areas unexamined is not an option for good cybersecurity. During the WannaCry attacks, for example, many of the crucially important systems that were hacked could have been protected with a simple software patch no one bothered to install.

Takeaways

Boards of directors should be the ones to set the example for good cybersecurity at their companies. Start assessing the risk now, determine what the threats in your industry are, and implement the proper countermeasures. A multilevel approach to your "risk appetite" may be necessary depending on your industry.

Monitoring for internal risks is just as important as monitoring for external ones. If you haven't already implemented secure software solutions, it's time to start. Contact Diligent today to learn what we can do to help you build a more secure environment for your board communications.
Kerie Kerstetter
Kerie Kerstetter is a former Senior Director at Diligent and the Next Gen Board Leaders. She has done extensive work into how governance and ESG technologies empower leadership to make informed, data-driven decisions while mitigating cyber risk. Kerie was one of the founding members of Boardroom Resources, the premier educational resource for board members, acquired by Diligent in 2018.