Online Exclusive

Why Boards Need Collective Cybersecurity Literacy 

By Kavitha Mariappan and John Murphy

02/18/2026

Partner Content Provided by Rubrik
Cybersecurity Risk Oversight

Rather than relying on one cybersecurity expert, boards should build a shared understanding of cyber risk to govern it effectively.

In the wake of the US Securities and Exchange Commission’s evolving cybersecurity disclosure requirements, many nominating and governance committees are moving quickly to identify directors with cybersecurity expertise and appoint them to the board. The mandate appears straightforward: demonstrate board-level oversight of cyber risk. 

It feels reminiscent of the early 2000s, when the Sarbanes-Oxley Act prompted boards to scramble for a designated “financial expert.” While the comparison is tempting, treating cyber risk like financial reporting misreads both the requirement for collective oversight and the opportunity to force management to speak the board’s native language: business risk.

Financial risk is governed by standardized accounting rules and historical reporting. But cyber risk is an adversarial, adaptive contest against artificial intelligence-assisted human opponents who change tactics constantly. There is no generally accepted hacking standard for attackers, and no “quarterly closing” to cybersecurity resilience efforts. Appointing a director with cybersecurity expertise to the board can be a necessary first step, but it doesn’t complete the governance task.

When boards rely too heavily on a single designated expert, they risk creating a silo of one, or a governance dynamic in which the presence of one knowledgeable director unintentionally allows the rest of the board to disengage from one of the most consequential enterprise risks.

A Predictable Governance Failure Mode

The real risk emerges when expertise becomes a substitute for collective responsibility.

In the boardroom, this can manifest subtly. When management presents a cybersecurity briefing, directors may scan the room instead of interrogating the briefing’s meaning. If the cybersecurity expert nods, the board then infers comfort and proceeds to the next agenda item.

This creates a material governance gap. Under well-established fiduciary principles, including the duty of oversight articulated in Caremark-related case law, directors cannot delegate responsibility for understanding and monitoring enterprise risk. Advisors and experts may inform the board, but the obligation to question, challenge, and decide remains collective.

There is also a second, quieter risk: obsolescence. Technical knowledge has a notoriously short shelf life. A former chief information security officer who left the operational seat three years ago often relies on a snapshot of the past while the threat landscape has already moved on. 

Therefore, what is needed is not technical depth but collective literacy. The board does not need to learn the language of the server room; it needs the confidence to reject it. Boards should insist that management checks the jargon at the door and reports strictly in the language of the boardroom: business impact, reputational risk, operational resilience, and regulatory exposure.

From Individual Expertise to Collective Literacy

Boards should pivot from seeking individual expertise to cultivating collective cybersecurity literacy. This does not mean turning directors into engineers; it means ensuring every director can engage meaningfully in the conversation about the relationship between cyber risk and business consequence.

Boards with cybersecurity literacy interrogate assumptions and ask for clarity when jargon obscures material risk. They apply the same rigor to cybersecurity oversight that they apply to capital allocation, operational resilience, and regulatory exposure.

At a minimum, boards should be able to challenge management across the following three core governance dimensions:

  • Risk tolerance. What loss, disruption, or exposure is the organization explicitly willing to accept?
  • Resilience. How quickly can critical business services be restored when controls fail?
  • Validation. How does the organization know its defenses work in practice, not just on paper?

This will require recalibrating the metrics management typically shows the board.

A Governance Translation Guide for Cybersecurity Metrics

Metric boards often see: The company blocked 5 million cyberattacks this quarter.
Why it fails: Large numbers sound reassuring but reveal nothing about material risk. They imply a false goal of “zero breaches.”
Questions directors should ask management: Of the cyberattacks statistically likely to succeed this year, what financial and operational impact has the company planned to absorb?

Metric boards often see: The organization's systems maintained 99.99 percent uptime.
Why it fails: Technical availability does not equal business continuity. A system can be “up” while the business is effectively down.
Questions directors should ask management: If this system were encrypted tomorrow, how long would it take for the firm's minimum viable business to be operational, and what revenue is at risk during that window?

Metric boards often see: The business is fully compliant with standards from the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO).
Why it fails: Compliance is a snapshot, but security is continuous. Organizations can be compliant and compromised simultaneously.
Questions directors should ask management: When was the last independent test or unannounced exercise? What did it reveal about detection time, containment, and recovery under real conditions?

When boards consistently ask these questions, a director with cybersecurity experience moves from being a crutch to being a catalyst for deeper, more rigorous oversight.

Making Collective Literacy Real

Cybersecurity literacy does not emerge from a single briefing or annual training; it is reinforced through governance routines.

First, boards should ask management to tie cyber-risk reporting to business services, not tools. Dashboards should map cyber threats and recovery objectives to revenue-generating and mission-critical services, using language directors already understand.

Second, directors should work with management to institutionalize independent challenge. Regular third-party testing, red team exercises, and recovery simulations, summarized in business impact terms, provide boards with evidence, not assurance theater. 

Third, board roles should be clearly defined before a crisis. Cyberattacks compress decision timelines and amplify ambiguity. Boards that have pre-agreed on a “noses in, fingers out” doctrine—where management leads the response while the board governs disclosure, liability, and reputation impacts—navigate incidents more effectively than those improvising under pressure. 

The Right Questions and Director Profile

The goal of the nominating and governance committee is not to find a director who can recite the NIST framework or “configure a server in the cloud”; it is to build a board with the confidence to interrupt a presentation and say, “I don’t understand this. Please explain it in terms of revenue risk, customer impact, or regulatory exposure.”

That single request does more to strengthen cybersecurity governance than any certification. It forces translation, invites participation, and dismantles the silo of one.

A director with cybersecurity expertise can be a powerful force multiplier, but only when the board resists the temptation to outsource its own curiosity. True governance is not about having all the answers; it is about ensuring the board has the collective literacy and discipline to ask the right questions together when it doesn’t.

The views expressed in this article are the authors’ own and do not represent the perspective of NACD.

Rubrik is a NACD partner, providing directors with critical and timely information and perspectives. Rubrik is a financial supporter of the NACD.

Kavitha Mariappan is the chief transformation officer at Rubrik and a global board member of the US-India Business Council.

John Murphy, PhD, is the chief information security officer in residence at Rubrik, where he applies more than 20 years of experience in finance and banking to help organizations achieve cybersecurity resilience and Zero Trust data security.
