Cybersecurity and Governance: Today’s Boards Are Out of Alignment

New research from NightDragon and the Diligent Institute reveals only 12% of corporations have board members with cybersecurity expertise, leading to gaps in cybersecurity and governance.

Relentless technological advancements have increased the incidence of cyber threats, making cybersecurity a central concern for businesses. A survey by PwC reveals that 48% of CEOs plan to increase investment in cybersecurity despite tightened budgets in other business sectors. This is good news for increased protection as new regulations emerge.

But it also leads to a critical question: are enterprise governance boards ready to take responsibility for cybersecurity?

NightDragon and the Diligent Institute, endorsed by industry leaders such as the New York Stock Exchange and Moody’s, analyzed the Boards of the S&P 500 companies to identify potential educational and expertise gaps in mitigating cyber risk. Their goal was to scrutinize whether the largest and most influential companies are strategically equipped, from the top down, to handle cybersecurity challenges.

The digital revolution continues to gain momentum, broadening the attack surface available to potential attackers every day.

With technology interwoven through every aspect of our lives, a threat to digital infrastructure could have catastrophic repercussions, disrupting the lives of millions. These risks are already evident in the increasing attacks on hospitals, financial organizations, and critical infrastructure, with global losses projected to reach $10.5 trillion by 2025. Impacts of this scale necessitate discussions about cybersecurity at the board level, embedding it as a crucial part of the company’s compliance and risk strategy.

Recognizing how innovations such as Artificial Intelligence (AI) amplify the impact of cyber incidents, the federal government is intervening to mandate faster breach disclosures and the publication of risk mitigation strategies as part of annual regulatory reporting requirements. New cybersecurity regulations adopted by the U.S. Securities and Exchange Commission enforce compliance and reinforce the importance of cybersecurity.

Topline findings from the Leadership Analysis by NightDragon and the Diligent Institute.

The examination of S&P 500 organizations and their Board members’ backgrounds reveals that there is substantial room for growth in educating Boards and incorporating appropriate expertise for overall governance strategies.

Key Cybersecurity and Governance Research Findings

Companies that have at least one current or former “cyber expert” on the board.

Companies that had technology expertise on their board, but not necessarily a cybersecurity specialist. These individuals are likely informed on cybersecurity and overall technology topics but are less direct experts on the topic than those who fall into the preceding category.

Companies that have at least one board member with some adjacent connection to the cyber world but no direct previous experience in a practitioner cybersecurity or technology role.

Companies that do not meet any of the above criteria.

Corporate leaders need to prioritize cybersecurity education to help protect their companies.

This underscores the dire need for enhanced education and expertise within the Boards to mitigate cyber risks effectively. Corporate leaders must integrate informed and strategic approaches to cybersecurity to avert substantial financial losses and reputational damage. The increasing instances of cyberattacks on vital institutions such as hospitals and financial organizations necessitate a profound understanding of cybersecurity at the board level.

Companies must acknowledge the growing cybersecurity threats and adapt their governance strategies accordingly. Board members must have direct, or at least adjacent, experience in cybersecurity to guide the company effectively against potential threats and to comply with evolving regulations. Combining technology expertise and cybersecurity specialization within the board is imperative for the nuanced handling of cyber risks.

Get a free copy of the report. Then start making changes.

The report goes on to showcase the points of view of several board members and looks at how AI will make the task even more important: 75% of those surveyed see AI playing a role in the boardroom in the future. It concludes with a six-point plan for advancing the state of cyber awareness at the board of directors’ level, and includes a short section on how CISOs can prepare to discuss cybersecurity with the Board.

The good news is that more and more boards are looking to add cyber expertise to their ranks or increase education amongst existing board members. For example, Spencer Stuart’s latest annual survey of nominating/governance committee chairs, conducted in the first quarter of 2023, shows an increase in respondents seeking cyber expertise (19% up from 8% in 2022). Additionally, 60% of respondents cited cybersecurity as a topic that would benefit director development, training, and education.

Timothy Eades

Chief Executive Officer