This foreword, featured in the NACD-ISA Director's Handbook on Cyber-Risk Oversight, delivers a call to action for boards to exercise strong cyber-risk oversight amidst a new and evolving threat landscape.
Managing cyber risk is no longer just an information technology concern; it is an enterprise-wide and boardroom issue. Delaying or ignoring your organization’s cybersecurity posture can lead to major financial exposure.
Since the last version of this handbook in 2023, global losses from cyberattacks have continued to rise as attackers remain relentless and artificial intelligence broadens the surface of exposed vulnerabilities. Across the United States and the world, small and medium-sized businesses are broadly exposed, and large enterprises continue to face targeted, persistent attacks. These risks can impact stakeholder confidence, market stability, continuity of service, and long-term viability.
Chief among cyber risks, technical debt has become a serious national liability. Legacy systems are ticking time bombs: easy targets for attackers and the biggest challenge for defenders. Time after time, organizations postpone modernization efforts and, as a result, the inherent risk from outdated systems grows into a matter of national security as the potential impact of a cyberattack extends beyond an individual company into their supply chains, partners, and even end consumers. The time to modernize is now. Not next year, or deep in your long-term plan, but right away. Every moment of delay opens the risk window just a bit wider for a bad actor to gain access to your legacy systems.
Board members and senior executives must set the tone. Decisions to invest in secure technologies and modernized IT infrastructure not only reduce an organization’s risk but can also positively impact thousands of people in ways that may not be immediately apparent.
Boards determine priorities, boards decide investments, and boards signal what matters. When cybersecurity is prioritized at the highest level, organizations behave differently. They patch faster, implement security-forward policies, and modernize quicker. Cybersecurity must be a standing item on the agenda every quarter and across every sector.
Board members don’t have to be technologists to have an immense impact on their organization’s cyber-risk posture, but they drive the expectation that cybersecurity is integrated into every decision at every level.
The good news is that boards, CEOs, CISOs, technology leaders, and investors have become frontline defenders in ways that were unimaginable a decade ago. We have seen leaders begin to shift the entire ecosystem by demanding accountability and visibility. When boards make cybersecurity a standing agenda item, executives prioritize it.
The threats we face are real and daunting, but manageable through proactive leadership. Our national cyber defense posture depends on your judgement, your investment, your coordinated priorities, and the tone that you set from the top.
While the risks certainly keep us busy protecting networks and systems, they have also opened new doors and created opportunities to work together and strengthen our collective defenses.
America’s cybersecurity depends on you. Technical or not, if you’re reading this, you’re one of our nation’s cyber leaders and it is up to you to lead. Lead by example. Lead non-technical executives toward understanding cyber risk as critical infrastructure risk. Lead your organizations into partnerships that raise the collective cyber defense of our nation and global allies.
You don’t have to do it alone. CISA is here to help.
CISA remains dedicated to working hand-in-hand with organizations of all sizes across industry, government, and critical infrastructure, recognizing that no single entity, not even the Federal Government, can address these risks alone.
For example, in September of 2025, CISA, in collaboration with the National Security Agency and 19 international partners, launched A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity, enabling organizations to identify components, assess risks, and take informed action to protect critical systems. As modern software increasingly relies on third-party and open-source components, a software bill of materials is essential for managing vulnerabilities. This guide not only strengthened relationships, but it also further secured the IT and software systems being deployed across our critical infrastructure.
CISA also continues a proactive approach to strengthening our collective cybersecurity defenses and working with our industry and government partners to safeguard the systems we rely on every day. Together, we’ve exposed nation-state intrusions, AI-enabled ransomware operations, and ever-evolving threats targeting critical infrastructure. We have delivered actionable insights and technical guidance to help partners navigate an increasingly complex threat landscape, protect critical systems, and ensure operational continuity.
That is the power of partnership.
The importance of partnerships cannot be overstated, because we can all agree that we are operating in an environment where the threat landscape is more dynamic, more complex, and more unforgiving than ever before.
I ask that you, as leaders of your respective organizations, reach out and invite us to your investment summits, governance forums, technical conferences, and other cybersecurity-related events. We can provide the latest briefings on emerging threats, systemic risks, trends intelligence, and known vulnerabilities across the cyber community, and provide guidance to inform your cybersecurity and modernization efforts.
Our collective cybersecurity is not just about protecting networks, devices, and accounts; it is about protecting the stability and resilience of the critical systems every American relies on. CISA stands ready to support you every step of the way.
Find out more at CISA.gov.
Nick Andersen currently serves as Acting Director and Deputy Director at the Cybersecurity and Infrastructure Security Agency (CISA).

