TLDR:
- Adding a CISO to a board is popular but not effective for improving cybersecurity.
- Boards need to elevate their collective knowledge on cybersecurity.

Boards are facing increasing expectations around cybersecurity governance, but most directors lack expertise in this area. While adding a CISO to the board may seem like a solution, it doesn’t address the fundamental role of the board as a collective decision-making body. Instead, boards should focus on elevating their collective knowledge on cybersecurity through strategies such as quality time with the organization’s CISO, executive education courses on cybersecurity risk, cyber learning forums, and bespoke board sessions dedicated to cybersecurity. By taking a comprehensive approach to improving board members’ cybersecurity expertise, boards can become more proactive in building cyber resilience and staying ahead of attackers.