skip to content

How to bridge the cybersecurity knowledge gap with your board of directors: Six effective strategies


Cybercrime is on the rise, from ransomware and malware to phishing and account takeovers.

In fact, 83% of organizations questioned in IBM’s Data Breach Action Guide have had more than one data breach. Identifying and containing a cybersecurity breach isn’t easy. It takes 277 days on average to do so.

To mitigate cybersecurity risks, organizations need greater involvement and support from the board of directors in managing the company’s cybersecurity posture. Frequently, board members don’t have the depth of knowledge regarding modern cyber threats to help inform appropriate risk management strategies and to make educated decisions. Just 51% of Fortune 100 companies have a director on their boards with relevant cybersecurity experience, while only 9% of Fortune 200 and 500 companies have board members with cyber experience.

As stewards of the business, boards cannot afford to overlook cyber risk. With technology now underpinning nearly every corporate function, a major data breach or ransomware attack can directly impact revenue, reputation, and shareholder value. Boards that fail to adequately oversee cybersecurity are not completing their fiduciary duties while also putting the organization at risk.

The board’s role in cybersecurity is more than just about providing oversight. It’s the board's responsibility to assess and determine whether the organization's security posture and risk level align with its risk appetite. However, many boards lack a comprehensive understanding of both the organization's cyber risk appetite and the cyber risk environment it operates in. As a result, organizations are experiencing a rise in cybercrime, highlighting an urgent need for technology teams to address this knowledge gap and take decisive actions to enhance their board’s understanding of cybersecurity issues.

Large group of board members having a meeting at conference table in the office.
Female and male technology professionals having a meeting in a conference room in front of a large screen.

How should boards oversee cybersecurity?

Board members need to be able to challenge technology leaders to speak in their language and translate technical issues into a business risk discussion, so they can properly assess and evaluate the organization’s security posture. Bridging this communication divide is crucial for aligning the perspectives of technology professionals and board members and fostering a more collaborative approach to cybersecurity governance.

For example, rather than discussing highly technical security controls, the conversation should focus on the risk level of corporate digital assets and the appropriate metrics that can be used to measure their security posture. This simple shift in focus—from technical to risk—enables both technology leaders and board members to converse along the same plane and see each other eye to eye. It allows the board to effectively challenge and question technology leaders and gives technology leaders the opportunity to fully explore cybersecurity in terms that resonate with the board.

The key challenge cybersecurity leaders face with board members

While a lack of cyber literacy is a common issue among boards, what is even more pressing is the breakdown in communication between technology professionals and board members.

In essence, boards are focused on business objectives, generating revenue, and growing operations. By contrast, technology leaders often focus on highly technical subjects and are sometimes considered siloed and not focused on the business. This mismatch in priorities and language can lead to misunderstandings, making it difficult for cybersecurity leaders to effectively convey the importance of their initiatives and investments to the board. Neither group—board members nor technology leaders—focus the security conversation on business risk, which is where it needs to be to have a productive discussion on how to improve cybersecurity.

A man and woman using a digital tablet while working in a data centre

Strategies to improve board oversight of cybersecurity

In order to bridge the cybersecurity knowledge gap of the board of directors and shift the conversation to a risk-based discussion, there are several communication-based strategies organizations should consider putting in place.

Board education sessions don’t happen enough. By meeting quarterly, technology leaders can share the top cybersecurity threats facing their industry and their organization specifically. Topics of conversation should also include where the company is lacking in security measures and whether it has had any close calls with cybersecurity breaches. These sessions will provide the board with an opportunity to learn more about the cybersecurity landscape while asking technology leaders business risk questions to assess what the company needs to do to minimize threats and close calls.

Boards should be asking questions like, what are the top three current security incidents in the industry, could they apply to us, and how are we mitigating those risks for our company? By fostering strong communication and knowledge-sharing between your board and cyber teams, you can build a solid foundation for robust cybersecurity measures that protect your organization from evolving threats.

If you’re wondering how to better explain cybersecurity measures to the board, using common-sense, risk-based metrics is a good option. Boards require metrics that will help drive actionable decisions around cybersecurity. Instead of complicated dashboards with dozens of KPIs, it’s important to focus on key metrics such as:

  • How much has the company spent on cybersecurity per employee and how does that compare to industry benchmarks?
  • How many cybersecurity close calls have occurred?
  • What were the lessons learned from these close calls?
  • How many cybersecurity issues have occurred relative to industry averages?
  • How many cybersecurity issues have been repeat incidents?
  • When a security issue occurs, how quickly has the organization been able to recover?
  • What are the number of human hours spent on security issues?
  • What is the mix of spending relative to mitigation of top industry threats?
  • What is the organization’s security posture and how will it evolve with upcoming business initiatives?
These metrics allow technology leaders to paint a realistic picture of the company’s security posture, giving boards an accurate depiction of the current threat landscape. Comparing company metrics to industry averages is key to getting an understanding of how the organization fares alongside its peers.

The threat landscape has become unmanageable and technology teams need to be able to communicate their experiences and provide a realistic view of the current situation with the board—this requires a safe space for open discussions about risk.  

This strategy involves a cultural shift within the organization, starting with setting the tone at the top and trickling down to every level. Technology leaders and board members need to be able to speak transparently about pressing cybersecurity issues, openly acknowledge risks, and collaboratively develop solutions to enhance the company’s security posture. Without these open conversations board members won’t be able to determine whether the company is investing adequate resources in the right areas.

After all, nothing is ever perfect, and in the world of cybersecurity, risks should be expected. If everything appears perfect, it begs the question: what is the most likely area of exposure? And what are we doing about it?

It’s important for organizations to have an industry benchmark of cybersecurity spending to determine if they’re keeping pace with their peers and making adequate investments in security measures. Spending on cybersecurity doesn’t have to be linear along with company growth, organizations do have to adjust their spending when there are major changes in the business, such as the addition of new employees or entry into new geographical markets. Strategic investments should target what is most valuable and what is most likely to be targeted by cyberattacks to maximize security effectiveness.

Discussions around the cost of a cyber breach are also important to have with the board. Consider conducting an analysis of the cost of a breach in comparison the cost of security investments. Factors such as reputational damage, the cost to remediate, and potential lost sales should be carefully considered to make informed decisions on cybersecurity spending.

The board of directors should fulfill a supportive role during cybersecurity incidents. They should be regularly updated on the progress of the incident and have a clear understanding of key decisions being made. In the event of a breach, the board can offer invaluable guidance regarding the risk appetite for the company. Organizations that involve the board in discussions around financial implications, systems availability, paying ransomware, hiring additional IT employees, or buying additional cybersecurity products benefit greatly from the board’s business expertise.

This strategy can completely transform how you discuss cybersecurity measures with the board. As technical backgrounds are lacking in most boards today, we advise organizations to prioritize tech and cyber competent individuals when it is time to select a new board member. As a result, the conversation can take on both a risk and technical focus.

How BDO can help

BDO offers a holistic approach to cybersecurity with its perpetual defence framework. We enable organizations to elevate the cybersecurity conversation with the board, so technology leaders and board members can have a productive discussion that involves the risk appetite for the company.

Our approach includes comprehensive preparation; 24x7x365 monitoring, detection, and response; and operational and offensive security testing. As a Microsoft Global Security Partner of the Year, we have extensive experience helping clients reduce and mitigate security risks while adopting new cloud-based systems.

Explore our Cybersecurity services

This site uses cookies to provide you with a more responsive and personalised service. By using this site you agree to our use of cookies. Please read our privacy statement for more information on the cookies we use and how to delete or block them.

Accept and close