The Board's Changing Role in Cyber, Risk, and Strategy

Dottie Schindlinger

The Board’s Changing Role in Cyber, Risk, and Strategy

Listen to Episode 17 on Apple Podcasts

Nelson Chan, board chair with Adesto Technologies and board member for Deckers Outdoor Corp; Merline Saintil, board member with Banner Corporation and Nav, Inc.

HOSTS: Dottie Schindlinger, VP of Thought Leadership, Diligent; Meghan Day, Director of Directors’ Experience, Diligent


  1. How Can Boards Build Tech Expertise? Seek out expert resources and embrace an innovation mindset, says Saintil.
  2. How Can Boards Prepare for an Incident Like a Cyber Attack? A playbook and the right board composition are critical, according to Chan. 
  3. Preparedness Begins at the Top. Board chairs play a powerful role in setting the tone—including an environment conducive to tough discussions.


Digital transformation fuels efficiency and innovation—but presents a range of risks in everything from ESG to cybersecurity. In response, boards have found themselves pressed to look forward as well as review the past, shaping long-term strategies for global differentiation, capital allocation, while navigating uncertainty and complexity.

How can boards stay up to speed and ahead of risk and opportunity, particularly given today’s accelerating pace of change?  

In this podcast episode, two technology professionals who are now professional independent directors share their unique perspectives on these issues. Nelson Chan provides insight from his role as board chair, and Merline Saintil shares her thoughts from her work as an operating executive and director with several technology companies. Their findings: Staying sharp and upping your game in a digitally transforming work all begins with expertise, preparation, and culture. 

1. How Can Boards Build Tech Expertise?

Saintil emphasizes the value of resources from organizations like the National Association of Corporate Directors (NACD). In Governance in the Digital Age, she talks about the NACD Cyber-Risk Oversight Handbook, and here she talks about NACD’s certification program in cyber risk. Saintil is one of only a handful of directors worldwide who has completed the full program.

Both codify best practices to follow as a board member and provide guidelines for moving forward. The NACD framework, for instance, follows five principles:

  • Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  • Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
  • Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
  • Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget. 
  • Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

“I think the framework helps give a holistic thinking of not to be afraid of something that I think a lot of board members have a lot of angst about,” Saintil says.

Further, directors must embrace change and commit to continual learning, she adds. “Staying relevant in technology really requires an understanding that what works today might not work tomorrow, especially in such a fast-paced innovation cycle.”

“Having an open mindset and having a willingness to learn and disrupt yourself, that’s how you stay relevant.”

– Merline Saintil, board member with Banner Corporation and Nav, Inc.

2. How Can Boards Prepare for Crises Like a Cyber Attack?

Although it’s impossible to anticipate every risk, especially in the sophisticated and swiftly evolving landscape of cybersecurity, thorough preparation can help, according to Chan.

This includes a comprehensive risk assessment, mitigation of the major risks facing the company, and a playbook with steps to take if something happens. Rather than let this playbook collect dust on the shelf, the board and management need ongoing training on crisis response.

Such empowered decision-making also requires a proactive focus on board composition. “I think it’s critical to have the right board with the right skillsets, making sure you have diversity, making sure you’re refreshing the board at the right pace,” Chan says. “The skill set of the board and board refreshment should be front and center.”

“You look at the skill sets of the board—what’s missing, what you might need in the future—and you plan accordingly.”

– Nelson Chan, board chair with Adesto Technologies and board member for Deckers Outdoor Corp

3. Culture Remains a Constant

Even as technologies and threats evolve, one powerful tactic for keeping up with change and managing risk is evergreen: culture.

The board chair plays a pivotal role, recruiting directors and the CEO with the right skill sets, setting a productive agenda, and making sure the board is focused on the most critical risks. 

“The tone is set at the top and starts with the chair, setting and continually reinforcing the culture,” Chan says. This is particularly important given the weighty decisions board members must make and the increasing complexity—and decreasing time frames—for making these decisions.

“It’s important to create an environment where the board member feels comfortable to give and receive feedback and any perspective is considered,” Chan says. “As you build trust, despite disagreements, you can still problem-solve toward a common goal.” 

“You want to have good, healthy, but tough discussions.”

– Nelson Chan, board chair with Adesto Technologies and board member for Deckers Outdoor Corp

Also in this episode: Chan talks about the power of “connectional intelligence” and Saintil shares how she’s “sending the elevator back down” for the next generation of women in technology. 

Episode Resources: