You’ve been there. You walk into the boardroom armed with detailed metrics on threat vectors, incident response times, and control effectiveness. You finish your presentation, and a tense silence is followed by a single question: “So, what does this mean for the budget?” The crucial conversation about strategic risk has been lost in translation.
This gap between the security team and the board is one of the most persistent challenges in our field. A recent article in the International Cybersecurity Law Review confirms this, highlighting that boards often lack expertise, and cybersecurity isn’t always a top priority.
But the game is fundamentally changing. New regulations are shifting the responsibility for cyber risk directly into the boardroom, and CISOs who can bridge this gap will become indispensable strategic leaders. This isn’t just a challenge; it’s your opportunity to reshape your organization’s cybersecurity governance from the top down.
The Game Has Changed: Why DORA and NIS2 Are Your New Best Friends
For years, board-level attention to cybersecurity was a matter of “best practice.” Now, it’s becoming a legal liability. The article highlights how two key pieces of EU legislation are forcing a seismic shift:
- The Digital Operational Resilience Act (DORA): This regulation explicitly places ultimate responsibility for ICT risk management on the entire management body, including the supervisory board and non-executives.
- The Network and Information Security Directive (NIS2): This directive mandates that management bodies approve and oversee cybersecurity risk-management measures and can be held liable for infringements.
Crucially, both regulations require board members to follow regular, specific training to ensure they have sufficient knowledge to assess cyber risks. The era of delegating cyber risk entirely to the IT department is officially over. For CISOs, these regulations are a powerful lever to command the attention and resources you need.
From Reporting to Partnership: A CISO’s Guide to Better Cybersecurity Governance
With the board now legally on the hook, your role evolves from a technical reporter to a strategic advisor. The article outlines a powerful framework for this partnership, built on a “triangulation of knowledge, risk management, and information.” Here’s how you can lead in each area.
Drive Knowledge: End the “One Tech Expert” on the Board
The research points out that boards often over-rely on a single “digi-savvy” director. DORA and NIS2 make this model obsolete.
- Your Action Plan: Proactively facilitate board-level training. Move beyond technical jargon and frame education around business impact and strategic risk. The goal is to create a shared language of cyber risk across the entire board, not just with one member.
Shape Risk Management: Move from Security to Resilience
The conversation at the top is shifting from “how do we stop every attack?” to “how do we continue doing business during a breach and recover afterward?”
- Your Action Plan: Lead the dialogue on cyber resilience. Engage the board in defining the company’s risk appetite. As the article suggests, ask strategic questions: Is there a balance between preventive and corrective measures? How layered are our defenses? This reframes your role from a purely defensive one to a leader in business continuity.
Improve Information Flow: Prevent “Information Asymmetry”
A common failure point is “information asymmetry,” where the board lacks the quality and timeliness of information needed to perform its duty.
- Your Action Plan: Go beyond standard reports. The article suggests introducing up-to-date scenario manuals and practicing a cyber-attack in the form of a role-play with the board. This is an incredibly effective way to test and improve the quality of your incident response process and give the board a tangible feel for the risks they are now legally required to oversee.
Leading by Example: The Final Piece of Cybersecurity Governance
Ultimately, the article concludes that the most effective cybersecurity governance comes from leadership that practices what it preaches. It highlights a common “going wrong” example: board members printing sensitive meeting documents instead of using the secure digital environment created for them.
As a CISO, your role is to not only build the secure processes but also to champion the secure culture that starts in the boardroom. By empowering your board with the knowledge, risk frameworks, and information they need to meet their new responsibilities, you do more than just improve security: you build a truly resilient organization.
For Further Reading:
This blog post is based on the insights presented in the academic paper: Galle, A., & Vletter-van Dort, H. (2025). From cybersecurity to cyber resilience in the board room: key steps for supervisory board members and non-executives. International Cybersecurity Law Review, 6, 221–237. https://doi.org/10.1365/s43439-025-00151-7