Most boards think they’re cyber-ready — Here’s why they’re dead wrong
Discover how boardroom stewardship can close the cybersecurity gap and drive long-term business resilience in a digital-first world.
As cyber threats escalate in scope and frequency, corporate boards face increasing pressure to safeguard enterprise value through meaningful cybersecurity oversight. Yet a growing body of research indicates that most boards overestimate their organisation’s cyber readiness while underestimating the strategic significance of their own role. A recent survey of 151 executives, highlighted in Harvard Business Review by Noah P. Barsky and Keri Pearlson, revealed a disconcerting disconnect: while 71% of executives believed their company’s cyber investments were adequate or high, only 39% characterised their board’s understanding of cybersecurity risks as proactive. Even fewer—just 31%—identified their organisation as a cyber “innovator” or “early adopter.”
This data paints a stark picture of complacency at the governance level. Boards are too often cast in the role of growth strategists rather than long-term stewards. However, in today’s digital economy, effective stewardship is no longer optional—it is fundamental to business continuity, reputational integrity, and competitive survival.

What Are the Strategic Risks of Underestimating Cybersecurity?
The consequences of poor cyber governance are costly and far-reaching. Invasive cyberattacks frequently exploit outdated systems and underfunded infrastructure, leading to devastating operational disruptions and regulatory penalties. The strategic and financial fallout from these incidents is increasingly cited in investor calls, earnings misses, and share price volatility.
High-profile breaches underline the risks of inaction. UnitedHealth’s subsidiary, Change Healthcare, suffered a major breach due to the absence of basic multi-factor authentication. The result: over $2.5 billion in remediation costs and regulatory scrutiny after the exposure of more than 190 million patient records. Similarly, a cyberattack on The Clorox Company during a $500 million IT upgrade severely impaired operations, eroded pricing gains, and precipitated a share price decline. Boards that fail to ask the right questions or adequately fund cybersecurity initiatives risk strategic derailment from such avoidable events.
Boards must reframe cybersecurity not as a compliance cost but as a business-critical investment. Inaction and insufficient oversight represent contingent liabilities that, when triggered, can destabilise the enterprise and reduce shareholder value.
How Does Technical Debt Exacerbate Cyber Risk?
Technical debt—unaddressed systems maintenance, outdated software, expired licenses, and deferred upgrades—is a silent enabler of cyber vulnerability. These unmitigated gaps become attack vectors for cybercriminals. Despite their invisibility on financial statements, such liabilities carry real strategic cost.
An apt illustration comes from Tenet Health, which was forced to temporarily shut down several facilities in 2022 due to outdated systems lacking redundancies. The incident delayed care, disrupted billing, and wiped out approximately $100 million in quarterly earnings. These losses, though operational in appearance, stemmed from unmitigated technical debt.
Boards should adopt a due diligence framework akin to M&A scenarios—evaluating asset impairment and contingent liabilities tied to cybersecurity. This approach ensures that digital infrastructure is not only compliant but strategically sound. The 2024 Snowflake breach—affecting over 150 companies including Santander Bank and Neiman Marcus—demonstrates the scale of exposure from under-monitored infrastructure. For AT&T, whose call and text logs were compromised, the expected legal and remediation costs are significant, yet largely avoidable.
Why Should Boards Treat Cyber ‘Bad News’ as Strategic Feedback?
Cyber resilience is not defined by the absence of incidents, but by the ability to detect, respond, and recover quickly. Unfortunately, many corporate cultures—especially at the leadership level—discourage candid discussions about near misses or unresolved vulnerabilities. The instinct to conceal weaknesses can blind boards to critical risks.
A striking example is First American Financial’s 2021 breach, where nearly 800 million mortgage documents were exposed. Internal security alerts had been issued well before the board was informed. The SEC reprimanded the company, noting a lack of adequate disclosure controls. This incident underscores a dangerous cultural flaw: when cyber risk is not elevated to the boardroom, companies are left unprepared, both in response and in investor communication.
Boards must promote psychological safety and open reporting of cyber issues. Stewardship thinking embraces early signals of trouble as opportunities for proactive correction, thereby enhancing enterprise resilience.
How Can Directors Transition from Passive Advisors to Active Cyber Stewards?
To shift from strategy-centric to stewardship-driven cybersecurity oversight, boards can adopt five transformational practices:
First, they must embed stewardship as the default mindset in cybersecurity deliberations. This ensures that discussions are forward-looking, risk-informed, and oriented toward sustainable resilience rather than short-term metrics.
Second, they should compel executive teams to articulate not just the cost of cyber investments, but the consequences of underinvestment. This reorientation makes cybersecurity funding a strategic enabler, not a compliance checkbox.
Third, technical debt must be regularly assessed using M&A-style frameworks. Directors should demand visibility into deferred IT maintenance and outdated systems that pose hidden threats.
Fourth, they must position cybersecurity as a source of strategic advantage. Well-defended companies enjoy reputational strength, customer loyalty, and supply chain reliability—all of which can deliver valuation premiums.
Finally, boards must reframe cyber updates as learning forums. Depersonalising performance gaps and embracing a “fail fast, learn faster” culture can dramatically improve detection, response, and recovery processes.
What Role Can Boards Play in Shaping Cyber Resilience for the Future?
The rapid digitisation of industries has elevated cybersecurity from an IT issue to a board-level imperative. As threat actors grow more sophisticated, governance structures must keep pace. Directors must recognise that cyber readiness is not a static milestone but a continuous process of stewardship, learning, and improvement.
Institutions that thrive in the digital age are those where boards act not merely as overseers but as proactive co-creators of cyber strategy. They question assumptions, demand accountability, and champion resilience. This new mode of governance does not rely on technical fluency—it requires strategic curiosity, ethical clarity, and a willingness to confront uncomfortable truths.
When boards embrace stewardship, they transform cybersecurity from a reactive function into a foundational pillar of enterprise value. From investor confidence to operational continuity, the ripple effects are profound. As regulatory scrutiny intensifies and cyber disclosures become a mainstay of public filings, the cost of passivity will only grow. Future-proof boards are those that act today, not those that react tomorrow.