Online Exclusive

What Boards Should Know About Today’s Threat Actors

By James Turgal

12/17/2025

Partner Content Provided by Optiv Security Inc.
Cybersecurity Risk Oversight

As cyber risk demands board-level oversight, directors should recognize these threat actors and the potential impact of a cyberattack on operations.

Concerns over cyber risk in the age of artificial intelligence have risen to the boardroom. As digital threats become more sophisticated and cyberattacks more frequent, directors should elevate their understanding of current threat actors to effectively oversee risk and ensure the long-term stability of the organizations they serve.

While board members don’t need to become cybersecurity experts, they do need to grasp the essentials of who is targeting their business and why, along with how to best respond. Understanding why these actors matter provides the foundation for recognizing the categories of threats directors must be familiar with.

Why Boards Should Care About Threat Actors

The modern cyber-threat landscape is dynamic and complex. High-profile cyberattacks, data breaches, and regulatory scrutiny have made it clear that cyber risk is a strategic business risk, not just a technical one. Boards are increasingly held accountable for the consequences of cybersecurity incidents, including through financial loss, reputational damage, and legal penalties. Understanding the key types of threat actors and what motivates them is essential for effective governance and risk oversight.

Types of Threat Actors

Threat actors are individuals or groups that seek to exploit vulnerabilities for various motives. Boards should understand the following primary categories:

  • Nation-state actors. These are highly sophisticated groups backed by governments. Their motivations include espionage, intellectual property theft, and disruption of critical infrastructure. They possess significant resources and advanced capabilities, making them formidable adversaries.
  • Cybercriminals. Driven by financial gain, cybercriminals use tactics such as ransomware, phishing, and data theft. Their sophistication ranges from opportunistic hackers to well-organized criminal syndicates.
  • Hacktivists. These actors are motivated by ideology or political beliefs. Their goal is to promote their cause, often through disruptive attacks, such as website defacement or denial-of-service campaigns. While their cyberattacks are generally less sophisticated, they can still cause significant reputational harm to an organization.

Each group’s motivation, intent, and capability shape the threat they pose. Boards should understand these broad categories and their potential impact on the business.

What Boards Should Know

Cybersecurity oversight is as critical as financial or legal governance. Boards should treat cyber risk as a core enterprise risk, ensuring that it receives the same level of attention and rigor as other strategic priorities. This responsibility extends to understanding the organization’s attack surface: the full set of the company’s digital assets and the entry points through which they could be exploited.

Rather than focusing on technical jargon, boards should concentrate on the business consequences of cyber threats. This involves asking management essential oversight questions, such as: Which assets and data are most critical to the organization? How would a cybersecurity incident disrupt operations, reputation, or finances? What level of downtime or data loss is acceptable from a business-impact perspective?

Effective boards also oversee risk management strategies, approve cybersecurity policies, and ensure adequate funding for defenses and training. Regular risk assessments, conducted at least annually but optimally twice a year for high-risk environments, and supplemented by reviews following any significant business or technological change, are necessary to identify vulnerabilities and prioritize remediation efforts.

With increasing regulatory scrutiny, boards should stay informed about evolving cybersecurity laws and reporting requirements, as noncompliance can result in hefty fines and reputational fallout. They can do this by having quarterly briefings from the chief information officer (CIO) or chief information security officer (CISO), external cybersecurity advisors, or legal counsel on regulatory developments.

Finally, boards should create a culture of transparency and preparedness by encouraging open communication about cyber risks, including near misses and vulnerabilities, from management and across all organizational levels. Embracing bad news as an opportunity for improvement is essential for organizational resilience.

Moreover, regular tabletop exercises and incident response drills, formally conducted at least twice a year, with continuous operational drills for technical teams, can further ensure that the organization is ready to respond effectively to emerging threats.

Practical Steps for Boards

Boards should maintain consistent, structured dialogue with the CIO or CISO, ensuring he or she has direct access to the board and operates independently from traditional information technology reporting lines. This open communication helps bridge the gap between technical cybersecurity concerns and the board’s strategic oversight by translating technical risks into business terms, including financial, operational, and regulatory impact, which promotes mutual understanding and trust.

Investing in ongoing cybersecurity education tailored for directors is also essential, with the most effective approach being customized briefings by external cybersecurity and legal experts delivered directly to the board. This enables board members to grasp the basics of threat actors and common cyberattack methods while empowering them to make more informed decisions.

To effectively monitor the organization’s cybersecurity maturity, boards should leverage established frameworks and maturity assessments, such as the National Institute of Standards and Technology Cybersecurity Framework or ISO/IEC 27001. The decision on which framework to adopt should be based on industry regulatory requirements and alignment with overall business strategy.

Requiring cybersecurity updates from the CISO or other head of information technology in clear, business-focused language ensures directors can focus on risk, readiness, and incident response capabilities, aligning cybersecurity strategy with overall business objectives.

Boards should also solicit feedback, particularly objective assessments from external auditors and candid input from the CISO or executive team on resource sufficiency and strategic alignment, to identify gaps in understanding and encourage transparent discussions about cyber risk (e.g., the risk of sustained operational disruption or material financial loss), ultimately strengthening the organization’s resilience and ability to respond to emerging cyber threats.

Looking Ahead

Boards don’t need to know every technical detail about today’s threat actors, but they must understand who poses a risk, why, and what is at stake. By focusing on business impact, regulatory obligations, and a culture of preparedness, directors can fulfill their fiduciary duties and help ensure the organizations they serve bolster resilience in the face of evolving cyber threats.

Cybersecurity is more than just avoiding breaches; it is about safeguarding the organization’s future. For boards, that means asking the right questions, demanding accountability from management, and leading by example.

The views expressed in this article are the author's own and do not represent the perspective of NACD.

Optiv is a NACD sponsor, providing directors with critical and timely information and perspectives. Optiv is a financial supporter of the NACD.

James Turgal

James Turgal is vice president of the global cyber advisory, risk, and board relations at Optiv.