---
id: "framework-board-cyber-engagement"
type: "framework"
source_timestamps: ["§ What boards should do:"]
tags: ["board-governance", "executive-oversight"]
related: ["concept-board-expertise-gap", "action-evaluate-cyber-executives", "action-hire-outside-consultants", "action-shift-to-resilience", "prereq-board-fiduciary-duties"]
steps: ["\"Evaluate the clarity, relevance, and accessibility of security briefings provided by executives.\"", "\"Confirm that the organization's cyber efforts and culture are focused on resilience and business continuity, rather than a narrow emphasis on implementing technical controls.\"", "\"Establish a regular, strategic cadence for cybersecurity interactions, ensuring discussions are not merely reactive to incidents or alarming headlines.\"", "Bring in outside consultants to shore up the board's ability to provide proper governance without requiring directors to become subject-matter experts."]
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-cl-83-boards-cybersecurity"
sourceUrl: "https://hbr.org/2026/04/boards-are-falling-short-on-cybersecurity"
sourceTitle: "Boards Are Falling Short on Cybersecurity"
---
# Redefined Board Cyber Engagement Approach

## Purpose

Instead of trying to upskill themselves technically (a losing battle — see [[contrarian-recruiting-cyber-directors]] and [[concept-board-expertise-gap]]), directors should **reframe their proven executive experience to assess the effectiveness of their cybersecurity leaders.** This framework specifies the shifts boards must make in how they engage key executives on cyber risk. It presumes the fiduciary-oversight mindset described in [[prereq-board-fiduciary-duties]].

## Steps

1. **Evaluate the briefings.** Assess the clarity, relevance, and accessibility of the security briefings executives provide. Poor briefings are themselves a governance signal.
2. **Confirm a resilience orientation.** Verify that the organization's cyber efforts and culture are focused on **resilience and business continuity**, not a narrow emphasis on implementing and testing technical controls. → operationalized by [[action-shift-to-resilience]].
3. **Set a strategic cadence.** Establish a regular, proactive rhythm for cybersecurity discussions so they are not merely reactive to incidents or alarming headlines.
4. **Bring in outside consultants.** Retain external advisors to shore up the board's governance capability without requiring directors to become subject-matter experts. → [[action-hire-outside-consultants]].

## Related action

Use real or simulated crises to stress-test leadership: [[action-evaluate-cyber-executives]].

## Enrichment note

This mirrors mainstream board-oversight guidance such as the NACD *Cyber-Risk Oversight* handbook (questions to ask the CISO, reporting structures) and the oversight emphasis of the SEC's 2023 cyber disclosure rules.

## Related across articles
- [[framework-board-evolution-pyramid]]
- [[action-boards-demand-raw-signals]]
- [[claim-boards-failing-governance]]
