Cybersecurity Oversight: A Board Primer

Essential framework for board-level cybersecurity oversight, including key questions and metrics that matter.

Executive Summary

Cybersecurity is a board-level issue, not solely a technology problem. Directors must ensure management has appropriate frameworks, resources, and accountability to manage cyber risk effectively.

This memo outlines:

  • Core oversight responsibilities
  • Key questions for management
  • Metrics that signal risk exposure
  • Red flags requiring immediate attention

Board’s Role in Cybersecurity

The board’s job is oversight, not operations. Focus on three areas:

  1. Risk appetite: What level of cyber risk is acceptable given business model and industry?
  2. Resource allocation: Is management investing appropriately in prevention, detection, and response?
  3. Accountability: Is there clear ownership of cyber risk at the executive level?

Essential Questions for Management

Strategy & Governance

  • Who owns cybersecurity at the executive level? (Should be C-suite, ideally CISO reporting to CEO or CRO)
  • How does cyber risk integrate into enterprise risk management?
  • What’s our risk appetite for different threat scenarios?

Prevention & Detection

  • What are our crown jewels, and how are they protected?
  • How quickly do we detect unauthorized access? (Average is 200+ days—what’s ours?)
  • When did we last conduct penetration testing by a third party?

Incident Response

  • Do we have a documented, tested incident response plan?
  • When was the last tabletop exercise?
  • What’s our plan for board communication during an incident?

Third Parties & Supply Chain

  • How do we assess vendor security risk?
  • What percentage of critical vendors have been audited in the past 12 months?
  • Do contracts include liability for breaches?

Metrics That Matter

Avoid vanity metrics. Focus on these:

Metric                                    Why It Matters
----------------------------------------  --------------------------------------
Mean time to detect (MTTD)                Faster detection limits damage
Phishing click rate                       Human risk is the weakest link
Unpatched critical vulnerabilities        Known risks should be zero
Privileged account usage                  Admin access is the highest risk
Third-party risk assessments completed    Supply chain is often the entry point

Red Flags

Request immediate management briefing if you see:

  • CISO reports to CIO or has no direct executive access
  • No incident response plan or testing in past 12 months
  • No cyber insurance or unclear coverage limits
  • Critical vulnerabilities remain unpatched beyond 30 days
  • Board only discusses cyber after an incident

What I’d Ask For Next Meeting

  1. One-page risk summary: Top 5 cyber risks and mitigation status
  2. Incident response timeline: How we’d handle a ransomware attack in first 24 hours
  3. Third-party risk inventory: List of critical vendors and last assessment date
  4. Cyber insurance summary: Coverage limits, exclusions, claims history
  5. Executive accountability map: Who owns what in cyber risk management

Key Questions for the Board

  • Do we understand our cyber risk exposure relative to our business model?
  • Are we confident management has adequate resources and expertise?
  • Would we know within 24 hours if we were breached?
  • Is our incident response plan tested, or just documented?
  • Are we asking the right questions, or just checking a compliance box?

Bottom line: Cybersecurity oversight is about ensuring management has appropriate frameworks, not becoming technical experts. Ask hard questions. Demand clear accountability. Test the plan before you need it.