How Should Directors Handle Cyber Risk?

Dottie Schindlinger

This blog is based on Episode 10 of The Corporate Director Podcast, where we interviewed Peter Gleason, the CEO of NACD (the National Association of Corporate Directors).

>> Listen to Episode 10 on Apple Podcasts

Nearly six years ago, Target experienced a major breach of its customer data. That incident served as a major pivot point, causing boards to rethink their approach to cyber risk. The conversations in boardrooms about cyber risk today are drastically different from the ones happening just a couple years ago.

Back then, people were wondering: “Why should boards spend time talking about cyber risk?” No one is asking that anymore. Instead, the question has become: “How much time should the board spend talking about cyber risk?”

In this episode, we asked Peter Gleason, CEO of NACD (the National Association of Corporate Directors), to share advice on how directors can stay up to date on trends in cyber risk, especially as serious security incidents keep appearing in the news.

Start with the basics of cybersecurity

A year and a half ago, Diligent published a report with Forrester. We wanted to understand some of the behaviors in boardrooms around cyber risk.

The results were not good.

Around 57% of directors told us that they regularly use unsecured personal emails to conduct board business. This is terrifying. It means all of their sensitive board information is out there on Yahoo Mail and AOL and Gmail—all three of which have been compromised.

Certainly we have to make sure that our personal information is protected, but beyond that, we have to examine how our practices are potentially damaging to the companies we work for by opening them up to huge risk.

Why is cyber risk so much harder to mitigate than other types of risk?

“What you knew a year ago isn’t necessarily what’s going to propel you to success today.” – Peter Gleason

Assessing financial and legal risk is a common practice for most directors. They learned how to do it—and the importance of doing it—in school. Yet, digital technology is still somewhat of a terra incognita for directors. Why is this the case?

The most basic answer is that cyber risk is relatively new.

We’ve only been connected to the internet for about 25 years. On average, directors are in their late 50s and early 60s, so they didn’t necessarily grow up with this technology. They didn’t learn it during school; they’ve had to learn it at work.

Moreover, the technology itself is changing so fast that it’s incredibly hard to keep up with.

When you combine those two dynamics (i.e., the newness of cyber risk and the rapid change rate of technology), it makes sense that cybersecurity is a very difficult area for directors.

“You can never say you’re completely secured,” Gleason told us, “but you really have to be vigilant.”

It’s incumbent upon directors to focus on staying current. With all the demands on their time, this means using the best resources available to get the best information. When it comes to cyber risk, you should always be asking whether the right people are presenting at the right time about the right issues.

How to keep up with cyber risks

How then should directors keep abreast of changes? It’s not realistic to ask directors to become experts in cybersecurity. However, they do need to be conversant. They should understand the language and the risks present, as well as how those risks could lead to opportunity for the company.

“You’re not going to ask a whole lot of directors to become experts in cybersecurity—that’s an entire field—but you have to be conversant.” – Peter Gleason

But the core answer comes down to this: How do we continuously learn?

There are a variety of ways to go about that. A quick Google search will give you millions of articles on cybersecurity. You can’t digest all of that, and from a director’s perspective, you really want to understand the next level: not how to manage cybersecurity but how to ensure that management is happening. You want oversight.

There are other resources at your fingertips as well, ones that can provide more tailored information. If you’re at a big enough company, you might have a CISO. If not, you may have a CIO or CTO. Ask them to keep you abreast of relevant changes. Ask them what developments are happening in the cyber world. Have the CISO or CIO, on a monthly basis, aggregate what’s new in the marketplace and share it with directors—in a language that can be understood.

One other idea is to invite law enforcement, such as the FBI, in to talk about risks and response plans in a crisis situation.

The biggest impact in boardrooms 5 years from now

NACD polls directors annually about a wide variety of topics. This year, they focused on the future of board leadership.

The most common response from directors about what will change about boards in the next five years was diversity. They expect that the composition of the board will change, whether that’s by age, gender, ethnicity, or all of the above.

Directors also think that AI is going to have a tremendous impact on the boardroom, enabling them to look at corporate performance in different ways.

And finally, of course, the explosive pace of change in the technology world is going to bring about more and more disruption, which will create new competitors with potentially drastic impact on industries and operations.

“Competitors are being created today that you don’t even know about, aren’t even in your industry, and will completely disrupt your marketplace.” – Peter Gleason


A few weeks ago, there was a major breach at Capital One. Security breaches are happening so frequently nowadays that it made a relatively minor blip on the news radar. There can be no doubt that the cybersecurity landscape is very different today than it was ten, five, or even two years ago, and it’s clear that there are more changes to come.

Nevertheless, with the right people on your team researching this issue, presenting to the board, and keeping the information the board receives up to date, your boardroom can effectively oversee and combat cyber risk. Continual learning is the best defense you have.

This post is based on Episode 10 of The Corporate Director Podcast, hosted by Dottie Schindlinger and Meghan Day, with guest Peter Gleason.