When a company is breached, the board is not a bystander. It is part of the story. For years cybersecurity lived quietly in the IT budget, a technical cost handled by technical people, somewhere well below the board's line of sight. In many boardrooms it still has a parking space: the audit committee, twice a year, a heat map with reassuring green squares. That era is over. Cyber risk is enterprise risk, and overseeing enterprise risk is the board's duty. Treating a breach as an IT failure rather than a governance failure is itself a governance failure.
Why "IT handles that" is no longer a defense
Regulators and shareholders now expect directors to demonstrate that they oversee cyber risk, not merely that the company owns the right tools. Since 2023, the SEC has required public companies to disclose material cybersecurity incidents within four business days and to describe, every year, how their boards oversee cybersecurity risk. And the logic is sound. A serious breach is not a technical inconvenience. It is lost trust, legal exposure, halted operations, and damage that lands on customers and shareholders alike. Those are business outcomes. The board owns business risk. There is no version of fiduciary duty that excludes the single threat most likely to take the enterprise offline.
The risk also reaches everywhere the enterprise does. It reaches strategy, because the company you acquire comes with every network it ever neglected. It reaches talent, because your defense is only as strong as the people running it. It reaches disclosure, because regret is not a filing. And it reaches operations, because for many businesses an extended outage is not an inconvenience. It is an existential event. A risk that touches every committee cannot be governed by one.
Security is architecture, not addition
I spent years as a network architect before I ever sat in a boardroom. The lesson that carried over is simple. Security that is designed in costs less and protects more. Security that is bolted on later costs more and protects less. Every engineer knows this about systems.
The same is true of governance. Oversight retrofitted after an incident is the most expensive kind. The board that builds security into its regular rhythm, its strategy discussions, and its deal diligence is doing the cheap version. The board that waits is choosing the expensive one without knowing it.
The security leader should not be a stranger to the board
Here is a simple test. If the first time your directors hear directly from security leadership is in the middle of an incident, the board has already failed. Security belongs on the agenda as a standing item, presented in plain business language, long before anything goes wrong. Not as a one-time briefing after a scare. As a regular conversation the board actually understands.
Demand it in business terms
The problem is rarely that directors lack technical depth. It is that security gets presented to them in technical terms no director can govern. Packet this, endpoint that. A board cannot oversee what it cannot follow. So the board's job is to insist on translation, and to ask questions that have honest answers.
- What is our actual exposure, stated in business terms?
- If our core systems went down today, how long until we are operating again, and how do we know that number is real?
- When did we last rehearse a serious incident with the executives who would actually manage one?
- Who has the authority to make decisions in the first hour, and does the board know its own role before the bad day?
- Which third parties hold our most sensitive data or access, and what happens when one of them fails?
Those are governable questions. Demand answers in that form.
Plan for resilience, not perfection
The mature posture is not "we are unbreachable." Anyone who promises that is selling something. The mature posture is resilience. When something fails, and eventually something will, here is how we contain it, disclose it, and recover. Directors should ask to see the incident response plan before they need it, not discover during a breach that one was never tested.
The deeper exposure is reputational. Trust is the one balance sheet item no one books, and a breach handled badly draws it down in a way that takes years to rebuild. Customers rarely remember the technical details of an incident. They remember whether the company treated them with care while it happened.
Cybersecurity belongs in the boardroom, not just the server room. Protecting the people who trust you with their data is not compliance. It is care, exercised at the level of governance. Treat it as the fiduciary duty it has become, and the organization is more resilient for it. Ignore it, and a preventable failure becomes the board's failure too.