Principle One of the Director’s Handbook on Cyber-Risk Oversight ensures that a company’s pursuit of innovation does not outpace its ability to protect the value it creates.
Case for Action
Cybersecurity is an enterprise-wide risk that can profoundly impact an organization’s strategic success, financial health, reputation, and operational continuity. Beyond direct costs, cyber incidents and data breaches can erode customer trust, disrupt supply chains, and invite regulatory scrutiny, leading to material impacts that can threaten the core assumptions of the company’s strategy, its competitive position, and its legal and social license to operate.
Technology is a fundamental driver of business model success and value creation. NACD survey data reveals that 72 percent of directors state they are likely to pursue technology investments as a growth initiative in 2026, ahead of other organic and inorganic forms of growth like introducing new products, M&A opportunities, and workforce realignment.
[Figure: Directors Expect to Pursue Growth Through Technology Investments in 2026]
Source: NACD 2026 Governance Outlook, n=362
Q: What growth initiatives are your board and management team likely to pursue in 2026?
AI provides another example, with survey data revealing that 76 percent of directors “probably” or “definitely expect” AI investments to factor into their organization’s growth strategy.
[Figure: Expectations on How AI Investments Factor into 2026 Growth Strategies]
Source: NACD 2026 Governance Outlook Survey, n=363
Q: Do investments into artificial intelligence factor into your organization's growth strategy in 2026?
While directors correctly identify technology as a means to strategic success, failing to properly protect and secure these systems can quickly erode any expected growth based on these tools and investments.
Leading boards understand the risks and opportunities inherent in digital technologies, and approach cyber-risk oversight with the same rigor as any other top-tier strategic threat, ensuring oversight and response reside at the highest level of the organization. A well-governed and managed cybersecurity program helps an organization achieve business objectives through successful identification, management, and mitigation of cyber risks. This approach helps maintain cyber risk within tolerable levels so that the organization is better able to execute its strategy, allocate resources efficiently, and seize emerging technology opportunities faster and more confidently than less-prepared peers.
To do this, boards must understand how cyber-risk impacts the company’s strategy and core value drivers. In instances where cyber risks present a material business impact or threaten the viability of the company’s strategy, the board must engage with management to understand the risk and either adjust the strategy or allocate additional resources to manage the risk within accepted levels.
Treating cyber risk as a strategic imperative ensures that the organization’s pursuit of its strategic objectives and innovation does not outpace its ability to protect the value it creates.
Board Activities
To effectively govern cybersecurity as a strategic imperative, the board can actively drive impact through the following core activities:
Incorporate Cybersecurity in Strategy Development and Decision Making
Much like financial and legal issues, the board should ensure that cyber risk is deeply embedded into strategy development and execution. When strategy discussions are on the agenda, cybersecurity should be a component, including:
- Rigorously reviewing the company’s cybersecurity priorities.
- Ensuring cybersecurity priorities are linked to business objectives and organizational sustainability.
- Challenging management to detail the processes for identifying, measuring, and mitigating cyber risks across every business vertical.
- Assessing whether all departments and management are aligned to enable the organization’s cybersecurity priorities.
- Evaluating each major technology and digital transformation project through the lens of cyber risk from its inception.
Drive Strategic Value Through Security
Ensure the cybersecurity strategy supports business goals, such as digital transformation or customer data protection. Review budgets to confirm adequate resources for cyber defenses, balancing prevention and response capabilities. Boards can challenge executives to find opportunities where robust cybersecurity, responsible AI stewardship, and secure ecosystem management can be leveraged as a market differentiator and a business driver to enhance trust and customer confidence.
Integrate Cyber Risk into Enterprise Risk Management (ERM)
Boards should ensure cybersecurity is a core component of the organization’s ERM framework, not siloed in IT. This involves aligning cyber-risk assessments with business objectives, such as protecting intellectual property or ensuring operational uptime.
Perform Data-Driven Cyber-Risk Decision Making Based on Quantified Financial Impact
Boards can request management to model the financial implications of potential cyber incidents, including direct costs (e.g., ransom, legal fees) and indirect costs (e.g., lost revenue, reputational damage). This helps boards evaluate strategic trade-offs, scrutinize budgets, and prioritize investments in cybersecurity.
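A sketch of what such a model can look like in practice, as an added example that is not from the Handbook or NACD: a small Monte Carlo model that turns a loss scenario (incident frequency plus direct and indirect cost ranges) into an expected annual loss and a 95th-percentile "bad year", then compares a proposed control's cost against the loss it avoids. The scenario name, frequency, cost ranges, control cost and the 50 percent frequency reduction are all constructed illustration values, not figures from the page.

```python
"""Constructed example: quantifying the annual financial impact of a cyber
scenario with a small Monte Carlo model, then testing whether a proposed
control pays for itself. All figures below are invented for illustration."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A loss scenario expressed the way a board report might frame it."""
    name: str
    annual_frequency: float   # expected incidents per year (Poisson rate)
    direct_range: tuple       # direct cost per incident: ransom, legal, forensics
    indirect_range: tuple     # indirect cost per incident: lost revenue, reputation


def _poisson(rng, lam):
    """Knuth's sampler: number of incidents in one year for rate lam."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return count
        count += 1


def simulate_annual_losses(scenario, years=10_000, seed=7):
    """Simulate the total loss for each of `years` hypothetical years."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    losses = []
    for _ in range(years):
        total = 0.0
        for _ in range(_poisson(rng, scenario.annual_frequency)):
            total += rng.uniform(*scenario.direct_range)
            total += rng.uniform(*scenario.indirect_range)
        losses.append(total)
    return losses


def expected_annual_loss_analytic(scenario):
    """Closed-form sanity check: rate x mean cost per incident."""
    mean_direct = sum(scenario.direct_range) / 2
    mean_indirect = sum(scenario.indirect_range) / 2
    return scenario.annual_frequency * (mean_direct + mean_indirect)


def summarize(losses):
    """Board-level figures: expected annual loss and a 95th-percentile bad year."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(0.95 * len(ordered)))
    return {
        "expected_annual_loss": sum(ordered) / len(ordered),
        "bad_year_p95": ordered[idx],
    }


def evaluate_control(scenario, frequency_multiplier, annual_control_cost,
                     years=10_000, seed=7):
    """Net annual benefit of a control that scales incident frequency by
    frequency_multiplier (0.5 halves it) and costs annual_control_cost."""
    reduced = Scenario(
        name=f"{scenario.name} (with control)",
        annual_frequency=scenario.annual_frequency * frequency_multiplier,
        direct_range=scenario.direct_range,
        indirect_range=scenario.indirect_range,
    )
    before = summarize(simulate_annual_losses(scenario, years, seed))
    after = summarize(simulate_annual_losses(reduced, years, seed))
    net_benefit = (before["expected_annual_loss"]
                   - after["expected_annual_loss"]
                   - annual_control_cost)
    return {"before": before, "after": after, "net_annual_benefit": net_benefit}


# Constructed scenario (invented values): ransomware on a customer-facing platform.
RANSOMWARE = Scenario(
    name="Ransomware on customer platform",
    annual_frequency=0.4,                      # about one incident every 2.5 years
    direct_range=(200_000.0, 800_000.0),       # recovery, legal, forensics
    indirect_range=(300_000.0, 1_500_000.0),   # downtime revenue loss, churn
)

if __name__ == "__main__":
    result = evaluate_control(RANSOMWARE, frequency_multiplier=0.5,
                              annual_control_cost=150_000.0)
    print(f"Expected annual loss:          ${result['before']['expected_annual_loss']:,.0f}")
    print(f"95th-percentile bad year:      ${result['before']['bad_year_p95']:,.0f}")
    print(f"Net annual benefit of control: ${result['net_annual_benefit']:,.0f}")
```

The point of the exercise is the shape of the output, not the numbers: an expected annual loss supports budget scrutiny, the 95th-percentile year shows the tail the board is actually being asked to tolerate, and the control comparison turns a security spend into a trade-off stated in the same units as the rest of the strategy discussion. A real model would replace the uniform cost ranges with calibrated distributions and run many scenarios, but the structure stays the same.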
Modernize Data and AI Security and Governance
Data has emerged as a critical value driver and strategic differentiator, and boards should review how management is modernizing the organization’s data security and governance frameworks to address AI-driven complexities as well as other new technology risks. Key board activities include inquiring about data access controls and the processes used to map how data is transformed by AI models, championing a shift to dynamic data classification and post-quantum encryption, and ensuring the ethical and privacy concerns arising from AI-derived insights are proactively addressed.
Success Indicators
Progress in governing cybersecurity as a strategic imperative can be measured by observing the following activities, behaviors, and information flows:
- Cybersecurity is a Recurring, Substantive Item in Board Strategy Discussions: Board conversations evolve from focusing solely on prevention and technical updates to in-depth discussions on resilience, recovery capabilities, and the impact of cyber risk on business strategy. These discussions should include the CEO and other C-suite members engaged in strategy setting with the expectation that management and the board understand strategically significant cyber risks and their potential impacts.
- Clear Cyber Reporting and Risk Metrics Detailing Impacts Aligned with Business Objectives: The board receives regular, digestible reports that show how cyber risk impacts business strategy and trends over time across critical business and performance metrics (e.g., dashboards that show key performance indicators (KPIs)).
- Data-Driven Strategic Decision-Making: Major digital transformation initiatives, especially those involving AI or significant third-party dependencies, are not approved without a thorough cyber-risk assessment from their inception. Budget allocations reflect prioritized investment in cyber resiliency capabilities, not just preventative controls.
- Stakeholder Confidence: Positive feedback from investors, customers, or auditors on the organization’s cyber posture reflects board effectiveness.
- Security Culture Drives Greater Collaboration: Management actively fosters a culture where security is embedded by design into new strategic initiatives, products, and services. The “assumed breach” mentality is understood across the enterprise, leading to stronger collaboration between IT, security, and business units.
- External Communications and Market Position: The company can credibly and responsibly leverage its strong cybersecurity posture and responsible data stewardship practices as a competitive advantage and a reason for customers to place their trust in the brand.
Questions for the Board to Consider
- Are we regularly reviewing our cyber strategy to ensure that management is identifying, measuring, and mitigating our cyber risk in every business vertical?
- Does management model the direct and indirect costs of cyber incidents in empirical and economic terms?
- Does cybersecurity feature in all of the board’s strategic discussions? Are the right management team members participating in these discussions and are they properly informed and aware about the impacts of the organization’s strategic cyber risks?
- Do we have mechanisms to balance the organization’s use of modern and emerging technology (including AI) with corporate risk?
- Have we updated our processes to account for risks arising from legacy infrastructure, the cloud, third-party risks, operational technology as well as transformative technologies such as AI and Quantum?
- Have we updated our data security and governance process to account for AI and Quantum technologies?
- How is management performing adequate due diligence, including contractual agreements and continuous monitoring of our third-party partners, to ensure they meet our security standards?
- Do we have the right people in place on our executive team to effectively manage cyber risk? Are our CEO and CISO capable of executing the organization’s cyber-risk management strategy?
- Is management identifying how our cyber strategy can be leveraged for market differentiation and business growth?