Skip to content
Home » What Corporate Boards Need to Do for Cybersecurity

What Corporate Boards Need to Do for Cybersecurity

Previously, we gave 5 simple tips for board members to promote cybersecurity. However, why exactly should you act upon these tips? Why is cybersecurity so important, and how does it affect your entire organization? Corporate boards oversee their organization’s overall management. This includes the IT and cybersecurity strategy of their company.

In this blog, we analyzed PWC’s 2020 Annual Corporate Directors Survey to find corporate boards’ perspective on cybersecurity. We provided suggestions on how corporate board members should proceed with their company’s cybersecurity strategy. We also discussed why it is important for board members to be familiar with their organization’s cybersecurity.

Corporate Boards Understanding Cybersecurity

Many executives and board members hold the misconception that cybersecurity fully depends on and only affects the IT department. In truth, cybersecurity affects the entire organization including other departments such as the finance and marketing. It also negatively reflects the board of director’s reputation. This is especially important to consider if your company is a publicly traded company. This is because the government penalizes board members of a public company after a cyber breach occurs. Nevertheless, if you are a board member of a private company, cybersecurity is still an important matter for the safety of your organization’s sensitive information.

In PWC’s 2020 Annual Corporate Directors Survey, 66% on the board of directors believe a recent cyber breach will negatively reflect the board of directors. (20% said “very much” and 46% said “somewhat.”)

However, despite this concern, many corporate boards have not implemented or enforced their company’s cybersecurity strategy. This is likely because board members like yourself are uninformed of the situation, or you simply have not been given a thorough report on your company’s cybersecurity.

32% believe they understand their company’s cybersecurity vulnerabilities “very well.”

It is not enough for board members to only “somewhat” understand cybersecurity vulnerabilities. While board members do not need to be experts in the cybersecurity landscape, you must understand how your company is protected digitally.

To do this, have company executives or an IT committee report to you with specific KPIs that everyone on the board will understand. Furthermore, figure out the KPIs you want reported to you. CISOs and other security professionals should be able to measure these KPIs often, which will allow them to keep you updated on the cybersecurity landscape of your institution.

As a board member, you are also responsible for asking relevant questions regarding cybersecurity. Relevant questions are not limited to cyber threats or solutions that the IT department works on. Rather, as a board member, you need to ask about the budget and outline of the IT department’s cybersecurity solution.

Corporate Boards Prioritizing Cybersecurity

Corporate boards are not prioritizing the importance of cyber risk enough. Only 22% of board members in PWC’s survey selected “cyber risk expertise” as “very important.” With the increasing number of cyber threats, more board members should support the development of cybersecurity.

Cybercrime costs are predicted to total at $6 trillion USD globally in 2021 (Morgan). Clearly, cybercrime is a major threat to corporations all around the world. So why have board members not put more importance on cyber risk expertise? The total damage caused by cyber threats exceeds the costs from natural disaster damages.

Furthermore, hacking is expected to become more profitable than the global trade all major illegal drugs combined. Cybercrime will only continue to grow, and if corporate boards are not emphasizing the importance of cybersecurity now, it will be too late later when their corporations suffer severe losses.

“Cybercrime is becoming industrialized. Vulnerabilities are identified by one set of groups that then share the information with criminal groups.” – John Noble (Lund, 2021)

With more cyber criminal groups forming, corporations need to improve their cybersecurity systems to combat the threats. Cybercrime is a rapidly growing illegal operation that threatens the safety and security or your organization’s information and system. With criminals flocking towards cybercrime, board members must prioritize cybersecurity and act now to prevent severe damages caused by cyberattacks.

Corporate Boards Engaging in Critical Conversation

While the board does not create or implement their company’s cybersecurity plan, they must properly prepare executive teams for a potential cyberattack. Be sure to discuss your company’s cybersecurity strategy with your executives so that everyone is aware of the process and plan.

Board members are held responsible when a cyber breach occurs. As a board member, you hold fiduciary responsibility on establishing and overseeing business policies and practices which includes cybersecurity measures. Good cybersecurity practices will drive your company’s performance and growth, improving the safety and trust in your organization.

Not everyone in the board will have an in-depth understanding of cybersecurity, which is fine. You do not need to be a cyber expert to understand the importance of cybersecurity. However, you should be aware of how cyber breaches affect your entire organization.

To do this, have your CISOs or the IT committee report specific metrics on the cybersecurity risks and threats. This will help you better understand the effects of cybersecurity on your organization. However, these metrics must be more than just “50% of malware incidents blocked” or “50% of phishing emails filtered.”

Make sure whoever is reporting to the corporate boards on the company’s cybersecurity gives useful KPIs that will indicate how the company can improve. Furthermore, as a board member, you can ask for specific details on the cybersecurity strategy. Additionally, ensure the KPIs use terms that non-technical people will understand. This includes the mean time to detect (MTTD) and the mean time to resolve (MTTR) a security threat or incident.

Corporate Boards Raising Awareness

It is not enough for board members to simply speak about cybersecurity every now and then. Corporate boards must regularly bring up and discuss their cybersecurity measures. This is because cyber criminals’ techniques are constantly evolving, so to best protect your system, you must regularly update your cybersecurity systems.

Emphasize the importance of cybersecurity in board meetings and by implementing cybersecurity policies. Show the people in your company why cybersecurity is so important by actively discussing the cyber threats and what your company can do to combat them.

Additionally, board members should bring this up with management and not just IT. By bringing this up to more than just the security and IT executives, corporate boards raise awareness of cybersecurity among the other departments. In cybersecurity, all employees must exercise caution to have an effective cybersecurity strategy.

Corporate Boards and Cybersecurity

Cybersecurity defense does not guarantee protection from cyberattacks. Rather, with cyber defense, you and your company will detect cyber threats and react appropriately when a cyberattack infiltrates your system. This minimizes the impact of a cyber threat on your organization by having a fast response time to the cyber threat.


  1. Lund, Frithjof. McKinsey & Company. (Host). (2021, February 2). Boards and cybersecurity [Audio podcast transcript]. In Inside the Strategy Room. McKinsey & Company.
  2. Morgan, S. (2021, April 27). Cybercrime To Cost The World $10.5 Trillion Annually By 2025. Cybercrime Magazine.
  3. PwC. (2020). PwC’s 2020 Annual Corporate Directors Survey.

If you found this blog useful, please share with others: