
Diligent & Fortune Director Roundtable: Cybersecurity and the Board

March 12, 2025

In recent years, cybersecurity has gone from a back-office function to a strategic priority. Cybersecurity attacks have more than doubled in the years since 2020, according to the IMF, leading to an increased risk of “extreme losses” from cyber incidents. The CrowdStrike outage in 2024, though not a cyberattack, showed just how damaging a major cyberattack could be. The failed software update cost partner companies millions, demonstrating that a technology failure can cause damage that extends well beyond the originating company. Today, with major cybersecurity threats within the United States government and new threats like AI-based cybersecurity attacks on the horizon, it is more important than ever for the board to be well prepared and well educated on cybersecurity. As such, Fortune and Diligent hosted a panel with leading experts in the field to help us understand the board’s role in the rapidly changing landscape of cybersecurity. The conversation was moderated by Andrew Nusca, Editorial Director, Brainstorm, Fortune.

Monica Landen, Chief Information Security Officer, Diligent, who has been in cybersecurity for more than 20 years, has seen it evolve drastically over the years. “Cyber risk has become one of the most pressing governance challenges of our time,” she said. Cyber risk presents a very real threat to every business, she told us, as it has the potential to erode trust and damage business operations. Despite the pressing nature of the threat, Landen noted that oversight by the board is lacking. According to a recent Diligent report conducted in partnership with Corporate Board Member and FTI Consulting, “61% of directors do recognize and acknowledge a major cyber event could significantly impact their company strategy and commercial viability,” she said. At the same time, she added, only 25% of boards require or strongly encourage directors to obtain cybersecurity education. This means that boards are expected to oversee cybersecurity threats without proper knowledge or education, she asserted. “The consequences of an issue [with technology] are far, far greater than they ever have been in the past,” Grant Schneider, President and CEO, FGS, noted.

Inside the organization, CISOs tend to have the greatest responsibility when it comes to cybersecurity. That role is not getting any easier. “CISOs are dealing with a lot of things,” said Lisa O’Connor, Managing Director, Accenture Security, Cybersecurity R&D, Accenture Labs. Among these, she said, are defending the enterprise in a changing threat and geopolitical landscape, managing internal programs, covering the right risks, and ensuring companies can take advantage of new tech opportunities like generative AI. Jason Lish, Global Chief Information Security Officer, Cisco, agreed, adding that the CISO’s role lies both in business enablement and risk management. Nusca asked what CISOs should be prioritizing in the new cybersecurity landscape. Both O’Connor and Lish agreed that resilience and readiness are key. CISOs, and in fact the entire organization, according to Lish, should be prepared for a cyberattack. “We can put in all the defenses in the world, but as we’ve talked about, those can be bypassed and we have to respond as an organization,” he said.

Thus, the connection between the board and the CISO is a crucial one. The CISO is largely responsible for the implementation of cybersecurity in the organization and the board is tasked with overseeing this organizational risk. Nusca asked the panelists what leadership and board structure would best enable resilience. “I would encourage people not to get too hung up on the structure. There are lots of different structures that can work well,” Schneider said. Instead, he emphasized the importance of communication between these roles. Lish underlined this point, stating that regardless of who CISOs report to, they should have direct access to the board. O’Connor added that the effectiveness of communication between the CISO and the board is paramount. Board packets contain an incredible volume of information, she noted, meaning there is little time to communicate on cyber risks. Therefore, she said, communications have to deliver the “right insights at the right time” without too much detail or technical jargon. Schneider agreed, adding, “being able to deliver that type of information in a really concise manner is going to make the board want to engage with the CISO more.”

Clearly, cybersecurity is a growing concern for boards. What steps should they, and the organization, take to defend themselves? Schneider highlighted that, in addition to basic cyber hygiene, it is important to have a plan for when something goes wrong. “There is no place where you are cyber safe,” he said. That means that even with the best cybersecurity programs in place, organizations can still be hacked and need to have a response plan. Lish also encouraged organizations to have benchmarks related to cybersecurity. “I think it’s important to regularly benchmark our programs and provide that transparency to the board,” he said. Landen offered that regular discussions about cybersecurity at all levels of the organization build resilience.

In closing, Nusca requested that each panelist give board members one question to ask themselves or their organizations after this conversation. “Ask your CISO what they’re worried about. What are the things they feel they don’t have insider visibility into?” O’Connor said. She emphasized that this question will reveal the unknowns and gaps that need to be addressed in your organization. Schneider said, “[Ask] the CISO how they view where they are at on the risk continuum.” In addition, he continued, get a better understanding of where the CISO would be most comfortable on that risk continuum. Lish underscored the importance of having a dialogue about KPIs, rather than simply presenting them. The question he would ask is: “Does the management of the company have the confidence that they have the right metrics and measurements in place?”

Finally, summing up the conversation, Landen encouraged directors to ask themselves this: “What is your expectation as it relates to the security program and our risk appetite?” It is clear from our discussion today that cyber risks are on the rise and we cannot be completely safe from them. Therefore, we must have hard conversations about what risks we are willing to take on and how we will respond if something goes wrong.

