Online Exclusive

How to Set Board-Level Expectations for Cybersecurity Resilience

By Kavitha Mariappan and Scott Herren

01/26/2026

Partner Content Provided by Rubrik
Cybersecurity Strategy

Boards can work with management to bring clarity and transparency to cybersecurity resilience within the organizations they serve by using this guidance. 

As cyber threats increasingly disrupt operations, forward-looking boards are shifting their focus from reactive crisis management to sustained organizational readiness. This evolution demands that directors set clear expectations for cybersecurity resilience, not only on what to ask management but also on what the organization must track, measure, and report. 

Embracing a Resilience-First Strategy

Historically, cybersecurity centered on prevention and remediation, using technology, people, and processes to stop cyberattacks, repair the impacts, and shore up defenses for future incidents. While prevention remains vital, modern cybersecurity resilience operates under a critical assumption that a breach or business continuity event is likely.

A truly cybersecurity-resilient organization is one that can recover quickly from a cyberattack, information technology failure, or other business disruption. This resilience-first strategy ensures that the business can continue operating, damage is minimized, and operations are rapidly restored.

The stakes of failure have become increasingly clear given recent major incidents. In some cases, businesses face months of downtime, lost productivity, and loss of competitive position before returning to normal operations. 

Data Integrity

Data are core to revenue, reputation, and decision-making across all organizations. Ensuring data are available is nonnegotiable; organizations must demonstrate a proven ability to restore the business to a known good point in time.

While data breaches are increasingly likely and recognized as a cost of doing business, targeted cyberattacks involving data integrity, such as changing, corrupting, or manipulating data without immediate detection, can trigger business interruptions and severely impact an organization.
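One concrete way management can evidence a "known good point in time" and surface the quiet manipulation described above is to hash every file in a restore point, seal the manifest with a key held off the backup host, and compare a later copy against it. The script below is an added illustration, not code from the original article or from any Rubrik product; the snapshot layout, file contents and key are constructed for the example.

```python
"""Detect silent modification of a restore point with a sealed hash manifest.

Added example with constructed data: a known-good snapshot is hashed into a
manifest, the manifest is authenticated with an HMAC key kept off the backup
host (so an attacker who rewrites the data cannot also rewrite the evidence),
and a later copy is compared file by file.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256; works for files larger than memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file (relative POSIX path) under root to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def seal_manifest(manifest: dict[str, str], key: bytes) -> str:
    """Serialize deterministically and append an HMAC over the serialization."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag}, sort_keys=True)


def open_manifest(sealed: str, key: bytes) -> dict[str, str]:
    """Return the manifest only if its HMAC verifies; otherwise refuse it."""
    doc = json.loads(sealed)
    body = json.dumps(doc["manifest"], sort_keys=True, separators=(",", ":"))
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest HMAC mismatch: the manifest itself was altered")
    return doc["manifest"]


def compare_manifests(known_good: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files modified, removed, or added since the known-good point."""
    return {
        "modified": sorted(p for p in known_good if p in current and current[p] != known_good[p]),
        "missing": sorted(p for p in known_good if p not in current),
        "added": sorted(p for p in current if p not in known_good),
    }


def demo() -> dict[str, list[str]]:
    """Build a toy snapshot, seal it, tamper with it in place, and diff it."""
    key = b"example-key-kept-off-the-backup-host"  # constructed; not a real secret
    with tempfile.TemporaryDirectory() as tmp:
        snap = Path(tmp) / "snapshot"
        (snap / "ledger").mkdir(parents=True)
        (snap / "ledger" / "ar.csv").write_text("invoice,amount\n1001,250.00\n")
        (snap / "ledger" / "ap.csv").write_text("invoice,amount\n2001,80.00\n")
        (snap / "config.yaml").write_text("retention_days: 30\n")
        sealed = seal_manifest(build_manifest(snap), key)

        # Integrity attack: same file name and size, different content; plus a
        # deleted config and a planted file. None of this shows up as a breach.
        (snap / "ledger" / "ar.csv").write_text("invoice,amount\n1001,950.00\n")
        (snap / "config.yaml").unlink()
        (snap / "ledger" / "note.txt").write_text("x")

        return compare_manifests(open_manifest(sealed, key), build_manifest(snap))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point for a board is not the script but what it produces: a per-restore-point record that can be handed to an independent reviewer, showing which files still match the known-good state and which do not. Size and timestamp checks alone would have passed the altered ledger above.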


When critical data are impacted and critical business services are disrupted, organizations can face operational, regulatory, financial, and reputational consequences. Ultimately, building cybersecurity resilience becomes synonymous with strengthening overall business resilience.

Cybersecurity Resilience Accountability

Boards are responsible for enterprise risk management, which brings cybersecurity resilience under their purview. 

In many organizations, the cybersecurity resilience ownership model is not clearly defined and is typically deferred to technology leadership, such as the chief information officer or chief information security officer, for accountability during times of crisis. As the cyber-threat landscape continues to evolve, organizations are beginning to address this lack of clarity around ownership. 

In some companies, this has led to the emergence of a chief or head of risk and resilience, with responsibilities distributed across the organization. While not all organizations are ready for this change, a cross-functional cybersecurity resilience committee could also meet expectations for accountability.    

To assess how this role or committee fits within an organization, boards and management should first establish where authority and accountability for cybersecurity resilience currently sit. If a major event that impacts data occurred today, is there a clear owner and directive in place to speed a resolution, or will the organization hit decision latency, spending a large amount of time identifying, educating, and involving cross-functional stakeholders before it can reach a decision?

Without pre-authorized decision rights and defined escalation paths, every step can become a debate. Each hour of indecision increases business interruption losses, the spread of data exfiltration, regulatory exposure, customer and market confidence concerns, and long-term recovery costs.

Organizations that structure decision-making can recover faster, reduce costs of impact, and maintain customer and investor trust.

Four Board Actions to Validate Cybersecurity Readiness

To effectively carry out their oversight responsibilities, boards should move beyond reviewing high-level reports to proof of readiness by asking management to demonstrate how cybersecurity resilient the organization currently is. 

Four key questions board members can ask include the following:

  1. Are all critical business services and the data they rely on clearly identified and recoverable in a timely, verifiable manner?
  2. Is an independent third party confirming that data recovery is tested, trusted, and aligned with business risk expectations?
  3. Are tabletop exercises conducted on a regular basis, and do they involve all core corporate functions that would participate in such a response, including the board?
  4. Are best practices in place to ensure the organization’s critical data are securely backed up, isolated, and resilient against modern cyber threats, and treated as a source of business intelligence?

Quantifying the Financial Exposure of Cybersecurity Resilience

A critical function of board oversight is understanding potential financial loss. Financial loss in a cyberbreach comes primarily from business downtime, data recovery costs, investigation expenses, and civil costs, rather than from fines or ransom payments.

Boards don’t need technical details to assess maturity, but they should request clarity from management about areas of financial risk and exposure, the probability of downtime and loss, and coverage of existing resilience processes and investments. Areas to discuss include the following:

  • What length of downtime is acceptable for technology and for the business?
  • Do current capabilities allow for restoration within the required time? What is the cost of downtime per day if the organization is fully shut down?
  • Are cybersecurity investments aligned to offset risk exposure by comparing the cost of resilience versus the cost of an outage?

Setting Board-Level Expectations

The core mandate for the board has shifted from reactive response to securing sustainable, evidence-based readiness. Cybersecurity resilience offers directors the opportunity to define the appropriate level of governance oversight and move from a prevention-centric model to a resilience-first strategy. 


By shifting the focus to resilience, directors move from governance oversight to fiduciary assurance. Data are the currency of revenue, reputation, and continuity, and protecting data is a solvency requirement, not just a security task. It is key to building a survivable business.

A Call to Action

To strengthen cybersecurity resilience, directors can use the guidance below to initiate immediate action.

  1. Commission a gap analysis against known global regulatory resilience expectations, such as the European Union's Digital Operational Resilience Act, to determine whether critical business services are sustainable during a business interruption.
  2. Ask management to quantify the cost of downtime in the event of a cyberattack in terms of daily cash burn or a similar financially measurable metric and report it for the most critical business services.
  3. Consider formally designating a chief resilience officer with authority to direct recovery across legal, human resources, IT, marketing, lines of business, and operations functions.

A board-level focus on assessing cybersecurity resilience readiness is an important next step for organizations to take. Directors should work with management to conduct cybersecurity resilience scenario planning to enable more informed conversations about cybersecurity priorities based on the organization’s unique preferences and risk profile.

The views expressed in this article are the authors’ own and do not represent the perspective of NACD.

Rubrik is a NACD partner, providing directors with critical and timely information and perspectives. Rubrik is a financial supporter of the NACD.

Kavitha Mariappan


Kavitha Mariappan is the chief transformation officer at Rubrik and a global board member of the US-India Business Council.

Scott Herren


Scott Herren serves on the boards of Rubrik, where he chairs the audit committee, and the Technology Association of Georgia, as well as the advisory board of the Georgia Institute of Technology’s College of Engineering.
