Following a string of high-profile data breaches and other cybersecurity failures, investors and regulators increasingly expect corporate directors to monitor cyber risk. But what does board oversight of cybersecurity look like in practice, and is it effective? In a recent study, we find that even motivated, well-intentioned directors often put form over substance, engaging in symbolic oversight when they lack expertise in cybersecurity.
The Expertise Gap at the Top
Despite the rising importance of cybersecurity, our analysis of 1,000 randomly selected U.S. public companies shows that fewer than 15 percent disclose having a board member with cybersecurity experience.
To understand how boards oversee cybersecurity and how expertise affects their ability to do so, we conducted 38 in-depth interviews across a diverse set of public and large private companies. Importantly, our analysis incorporates the perspectives of directors with and without expertise, as well as the cybersecurity experts who support boards (e.g., CISOs and consultants).
Symbolic vs. Substantive Oversight
We find that cybersecurity expertise plays a key role in determining the effectiveness of boards’ oversight. There is a clear consensus among our interviewees that cybersecurity risk is a top priority, and directors seek guidance on legitimate oversight practices from regulators, industry groups, and peer firms. However, we conclude that these oversight practices may lack substance and independence when performed by board members with low cybersecurity expertise.
For example, an emerging best practice is to receive cybersecurity reports during board meetings and ask questions of cybersecurity executives. Most of our expert participants said that when nonexpert boards engage with cybersecurity executives, their questions are often superficial (such as “How are we doing?”) or reactive (such as “Could that happen to us?” in response to a cyber incident reported in the media). Directors without expertise may struggle to ask effective questions because they don’t know what they don’t know, and so cannot tell what they need to know. Lacking expertise, directors tend to depend on lists disseminated by professional groups (e.g., NACD) of questions that directors “should” ask, without fully grasping what the answers mean.
Importantly, expertise affects whether a director is capable of holding a dialogue in response to questions. As one director said:
Frankly, CISOs and the typical [director] speak two different languages. The CISO speaks a systems engineering or computer science language…and the people typically on the boards are lawyers or MBAs. And they speak an entirely different language. So, a CISO can brief a board, and they all nod and thank him or her. And there will have been no communication because one is speaking and the other one doesn’t understand…it’s kind of a dialogue of the deaf.
Boards with cybersecurity expertise – typically through one or more technically trained directors – are able to move beyond surface-level questions to a more targeted, productive inquiry. As one consultant explained, “It’s not the first question that you ask… It’s the second, and third, and fourth, and fifth” that signal real understanding. These directors are better equipped to follow branching logic, challenge management’s framing, and engage in substantive dialogue.
In addition, we find that, rather than providing independent oversight, some boards that lack cybersecurity expertise rely heavily on the CISO – not just for coaching on cybersecurity concepts, risks, and program objectives, but also for guidance on the cybersecurity oversight process itself. This creates a form of circular governance, in which the executives being monitored shape the criteria and processes by which they are evaluated. As one CISO put it:
[Y]ou typically don’t have to explain to members of the audit committee how a financial statement works. That’s just implied and understood that they are masters of that and have a tremendous depth of experience in how to look at that and ask the right questions related to it. [I]n comparison, [cybersecurity is] a topic that everybody’s trying to really figure out, “What does it mean?”
Our interviews suggest that without expertise, directors are less likely to recognize conflicts or limitations within the security team they oversee. For example, nonexpert directors generally do not perceive CISOs’ self-serving reports – which may filter and obfuscate information – as a barrier to effective cyber risk assessment and oversight. Some nonexpert directors believe that CISOs have little incentive to obscure the truth, while others are confident in their ability to detect when CISOs are not fully transparent. In contrast, expert directors, consultants, and even CISOs themselves widely view obfuscation as an important issue.
To corroborate those experts’ views, we surveyed an additional 33 CISOs. In response to the question “From your impression of firms in general, what percentage of CISOs filter their reports to the board to make themselves or their superiors look better?” the median answer was 40 percent, and only one responded zero percent. Describing these sorts of filtering efforts, a consultant said, “I have seen very talented CISOs outmaneuver, outtalk, outconvince boards. …They would just use their likability and personality to put the board at ease when things weren’t going well.”
Overall, we observe that nonexpert boards often adopt governance practices that are externally legitimating but may be internally ineffective. Previous research argues that directors may intentionally adopt symbolic oversight postures to give the appearance of legitimacy while avoiding the effort required to provide substantive monitoring. A novel insight from our analysis is that symbolic oversight does not always reflect strategic posturing; rather, it may stem from genuine uncertainty. Directors often believe they are acting responsibly, unaware that their oversight lacks efficacy. Our analysis offers a more nuanced view of symbolic governance: one where good-faith efforts are constrained by inexperience, not intentions.
Why Boards Don’t Simply Add Cyber Experts
If cybersecurity expertise is so consequential, why don’t more boards appoint qualified experts?
Part of the answer lies in supply constraints: there is a limited pool of cybersecurity professionals with the governance experience and general business fluency expected of board members.
But our analysis uncovers a more fundamental reason for the lack of urgency to add cyber experts to boards: Nonexpert directors believe that they can provide adequate oversight without cybersecurity expertise, because in their view general business and oversight experience, coupled with following best practices, is enough. In contrast, expert directors perceive improvements in oversight effectiveness when boards have genuine expertise in and personal experience with cybersecurity, and this view is shared by CISOs and consultants.
Overall, we conclude that when boards have cybersecurity expertise, they are more likely to provide substantive oversight. In contrast, when they lack expertise, their oversight is ineffective, even when they seek out and engage in best practices. In such cases, board oversight is likely to be symbolic and driven by a desire to demonstrate responsible actions to stakeholders.
Implications for Practice
Our findings have several important implications:
- For boards: Effective cybersecurity oversight requires expertise to assess risks and mitigation strategies. For companies with greater exposure to cybersecurity risks, the nominating committee may want to appoint a director with bona fide cybersecurity expertise and experience.
- For regulators and investors: Governance checklists are not enough. Effective oversight hinges not just on governance structures, but also on the board’s capacity to understand and act on domain-specific risks. Regulatory frameworks may need to better account for expertise.
- For researchers and policy analysts: Cybersecurity oversight offers a way to study broader governance challenges in areas like AI, ESG, and data privacy, where technical literacy is increasingly vital.
Conclusion
As cyber threats grow, the limitations of symbolic oversight become more consequential. While our study does not weigh all costs and benefits of appointing directors with cyber expertise, it does highlight an important risk: In the absence of relevant knowledge, directors may lack the ability to evaluate whether their oversight efforts are working. Without that capacity, boards risk getting stuck in a loop – reviewing reports about risks they cannot fully assess, potentially over-relying on the very people they are tasked with monitoring.
This post comes to us from professors Michelle R. Lowry, Anthony Vance, and Marshall D. Vance at Virginia Tech’s Pamplin College of Business. It is based on their recent paper, “Inexpert Supervision: Field Evidence on Boards’ Oversight of Cybersecurity,” available here.
