
Director's Handbook

Principle Three: Establish Board Oversight Structures and Access to Expertise

04/16/2026


Effective governance requires the intentional integration of structured oversight and substantive cybersecurity expertise. Principle Three of the Director’s Handbook on Cyber-Risk Oversight defines success as a "trust but verify" culture where cybersecurity is a standing agenda item, and directors maintain an active relationship with the CISO. By prioritizing ongoing education, boards ensure their governance structures are equipped to provide independent, robust, and expert-led oversight.

Case for Action

Cyber-risk oversight requires the presence and integration of effective governance structures and cybersecurity expertise. In combination, these elements position the board to provide substantive cyber-risk oversight while fulfilling its fiduciary responsibilities. Well-crafted governance structures and practices provide the necessary scaffolding for proper oversight, but they remain hollow without the substantive board cybersecurity fluency and expertise required to challenge management’s technical assumptions. Conversely, isolated expertise lacks utility if it is not integrated into a practice of regular, structured boardroom deliberation.

Regulators, investors, and customers expect boards to demonstrate competence in cyber governance, and many boards, both public and private, are focused on improving cyber governance. For example, survey research shows roughly one third, 34 percent, of public company directors believe it is either “very” or “extremely important” to improve their cybersecurity expertise, while 40 percent say the same for improvements in assigning committee oversight responsibilities for cyber risk.

Figure: Directors See Room to Improve Board Cyber-Risk Expertise and Oversight Structures

Source: 2025 NACD Public Company Board Practices and Oversight Survey, n=158; 161. 2025 NACD Private Company Board Practices and Oversight Survey, n=85; 84.

Survey question: How important is it that your board improves in the following areas related to cyber-risk oversight?

Private company directors express a greater need for improvement: 45 percent state it is very or extremely important to improve board-level cybersecurity expertise, while 49 percent say the same for improvements in committee oversight responsibilities for cyber risk.

Without a structured approach to incorporate cyber knowledge and expertise—whether through directors, committees, or advisors—boards will lack the necessary understanding and processes to address the cyber risks facing the organization and align cyber strategy with broader organizational goals.

Board Activities

Define Necessary Cyber Expertise and Address Gaps

Boards should define the level of cybersecurity expertise and competence necessary for their specific situation, informed by the organization’s strategy and level of risk. To help in this effort, boards can use a skills matrix to map directors’ cybersecurity knowledge and identify gaps in key areas such as cloud security, incident response, or regulatory requirements (e.g., GDPR, CCPA). If gaps are identified, the board should agree on methods to address them, such as increasing overall board cybersecurity competency, recruiting directors with qualified or demonstrated cybersecurity expertise, or securing additional access to independent, third-party expertise.

Formalize Oversight Responsibilities Across Committees

The nominating and governance committee should define and document in committee charters the cyber-risk oversight responsibilities across relevant committees (audit, risk, technology, strategy, etc.) to ensure clarity and prevent overlap. The responsible committee should maintain an adequate level of cybersecurity expertise. Cybersecurity should be a consistent agenda item with a formalized cadence across these committees and at the full-board level, with regular updates from the CISO and risk management team.

Establish Access to Independent Expertise

Even with qualified in-house staff, cyber risk evolves faster than many organizations can track internally. Boards can consider retaining access to independent experts or third-party assessors who can provide technical and strategic evaluations of the company’s posture. This includes regular validation of the company’s cybersecurity programs, threat modeling, and risk assessments. Boards can also engage third-party experts to provide briefings on emerging risks and threats.

Enable Director Education and Maintain Board Cyber Literacy

All directors must build and maintain a foundational understanding of cyber risk. This process can include onboarding sessions with security leaders, regular management and third-party briefings, access to vetted resources, and opportunities to attend conferences or tabletop exercises. Directors should also regularly engage in cybersecurity education, which can include sessions on emerging risks and on regulatory and geopolitical developments in cybersecurity. Further, boards can consider recruiting directors with cyber expertise to ensure that the board’s level of cyber expertise is aligned to both the strategy and the level of risk facing the organization. As many directors lack a background in cyber-risk assessment, annual or biannual training sessions may be an effective way to maintain the necessary board cyber competence.

Establish and Strengthen Communication and Verification Protocols

A “trust but verify” approach demands that directors validate information presented by management using objective benchmarks, performance dashboards, and third-party intelligence. Regular one-on-one briefings with CISOs and cross-functional leaders (legal, compliance, operations) enable directors to deepen their understanding of the organization’s cybersecurity.

The Question of Adding a Cyber Expert to the Board

Cybersecurity continues to be an in-demand area of expertise among the boards of many companies. For example, 86 percent of Fortune 100 companies disclose cybersecurity as an area of expertise sought on the board or cited in at least one director biography. However, the question of whether to add a “cyber expert” director is an open one for many boards and the right approach will look different for each board.

Ultimately, the board should evaluate its needs in light of the organization’s strategy and the criticality of the risk. Board-level expertise also helps maintain the board’s independence, so that it is not reliant entirely on management’s assessment and can practice healthy skepticism.

When evaluating whether to recruit a director with cybersecurity expertise, boards should consider the following questions:

  • Based on our strategy and risk profile, is our current board composition and expertise appropriate?
  • What candidate profile do we need and how are we defining a “cyber expert”? For example, is the board looking to add a cyber expert only, or is broader technology expertise needed?
  • What company factors are important? For example, the organization’s industry or sector, where the company is in its lifecycle, or the maturity of the company’s cybersecurity program and CISO.
  • Is this strategy really deferring to one individual a responsibility that the full board should undertake? The board should not view the addition of a cyber expert director as a reason not to maintain a foundational level of cyber-risk understanding and competence among all board members.
  • Does placing a cyber expert on the board set a precedent for assigning seats to other specialized oversight areas?

Success Indicators

  • Defined Oversight Structure: Clear committee charters or board policy outlining cyber-risk responsibilities, with regular updates to the full board.
  • Cybersecurity Board Dashboard Review as a Standing Agenda Item: Regular, metrics-based reporting on operational and business impact, covering attempted breaches, vulnerability status, third-party risk, and incident response readiness, presented at least quarterly.
  • Standard, Prioritized Agenda Item: Cybersecurity from a strategic and business perspective becomes a substantive agenda item at full board and committee meetings.
  • Effective Questions: Board discussions include informed, specific questions to management reflecting competence.
  • Timely Risk Identification: The board flags and discusses emerging risks before incidents occur, based on advisor or management input.
  • High Director Engagement and Preparedness: Directors build a strong relationship with their CISOs, security team, and independent experts and can regularly articulate key risks.
  • Ongoing Education: As cyber risk evolves quickly, cybersecurity education is built into the board’s calendar and is monitored and evaluated. Directors attend internal and external webinars, briefings, and conferences to maintain their knowledge.
  • Formalized Management Reporting: A reporting line between the board and CISO or CISO equivalent is established and maintained.
  • Director Onboarding Procedures: Cybersecurity is incorporated into the new director onboarding process including meeting with the CISO or CISO equivalent, reviewing the organization’s cybersecurity strategy, attending committee meetings where cybersecurity is discussed, and reviewing the major cyber risks facing the organization.

Questions for the Board to Consider

  • What level of cyber expertise is necessary to meet our cyber-risk oversight needs? Who on our board has the qualified expertise to address cyber risk, and does it meet our expertise needs?
  • Do we need to add someone with deeper expertise on this topic to our board, or augment our knowledge with outside consultants, education, or training?
  • How does our board skills matrix assess board cyber expertise, and how frequently is it updated to reflect emerging technologies such as AI, cloud, and quantum, as well as geopolitical, regulatory, and AI-driven cyber risks?
  • How do our committee charters specify cyber oversight responsibilities, and are there gaps or overlaps that might create blind spots? Do we need to create a dedicated committee or subcommittee to provide a deliberate focus on cybersecurity risks? If so, do we have the right talent composition to be successful?
  • Is there an established management reporting structure and process that delivers cybersecurity information to the board in a timely, accurate, and effective manner?
  • How are we validating that management’s cyber posture reporting is accurate, independently verified, and aligned with recognized frameworks?
  • How is cyber-risk accountability distributed across executive leadership, and does the board understand where responsibilities begin and end?
  • How do we benchmark our cyber oversight maturity against peer boards, sector standards, and NACD best practices?
  • Do we have the right board composition and organization to provide timely and effective governance and oversight regarding the identification, technical appraisal, business impact, and risk assessment of emerging technologies?
  • Does the board have the right talent and experience to effectively govern the introduction of new technologies into our business in a manner that does not compromise our cybersecurity requirements? What are our gaps?
