Board Governance of Cybersecurity Risk


How can boards play a more strategic role in cybersecurity governance and oversight? Where is the state of the art, and where is it heading? These questions motivate CLTC’s research on board governance of cyber risk. Cyber risk requires a different and more dynamic governance model than is common among boards for handling other risks, a mindset we define as “resilient governance.” 


Resilient Governance for Boards of Directors

Drawing on insights gleaned from board members with 130+ years of board service across nine industry sectors, this report identifies four “dynamic tensions” likely to shape board governance and oversight of cybersecurity. Resilient Governance for Boards of Directors: Considerations for Effective Oversight of Cyber Risk provides an innovative framework to help boards take a dynamic approach to cybersecurity governance and oversight.


Cyber Oversight Effectiveness Development (COED) Framework

The Cyber Oversight Effectiveness Development (COED) framework is designed to help boards of directors gain a deeper understanding of their current capabilities, including areas where they need to improve. Through structured activities, the framework can increase board members’ individual and collective self-awareness, and help them move from a reactive posture toward a stance that is both proactive and resilient.


Coming Soon: Cybersecurity in Mergers and Acquisitions

The current approach to mergers and acquisitions (M&A) underrepresents cybersecurity risk, eroding deal value and causing difficult-to-determine consequences for financial performance. CLTC is conducting research — including interviewing security organizations, board members, lawyers, technologists, bankers, consultants, and other actors — to develop a generalized framework for improving cybersecurity risk management and oversight in M&A.


Our research has been covered in a variety of outlets, including Politico, CIO Dive, CyberWire, Bloomberg, Journal of Cyber Policy, Yahoo! Finance, TechCrunch, Executive Biz, MSSP Alert, Pittsburgh Post-Gazette, Morning Star, and others.


We are grateful to the external partners with whom we’ve collaborated on this work, including Booz Allen Hamilton, Tapestry Networks, King & Spalding, and Cisco.