
In their recently published Harvard Business Review article “Boards Are Falling Short on Cybersecurity”, Jeffrey Proudfoot and Stuart Madnick highlight a growing consensus across leading research: corporate boards are not failing for lack of awareness, but because of structural and capability gaps in how they govern cybersecurity risk. This trend is supported by McKinsey & Company’s “Boards of Directors: The Final Cybersecurity Defence” by Ayman Al Issa, Jim Boehm, and Mahir Nayfeh, which argues that boards are uniquely positioned to define strategic direction but often fall short of using that role effectively.

Two further sources reinforce these findings. IMD Business School’s governance research, including work by Didier Cossin and Yukie Saito, similarly emphasises that boards must rethink composition, expertise, and engagement models to build true digital resilience. Deloitte’s 2026 global cybersecurity insights add that even as cyber risk is widely recognised as critical, many organisations remain underprepared, relying on basic defences rather than comprehensive, board-driven strategies. Across these perspectives, three systemic issues consistently emerge.

First is a capability gap: boards often lack sufficient cybersecurity fluency to challenge management or interpret risk meaningfully. Second is role confusion: boards should define strategic direction and risk posture, yet many drift into either passive oversight or technical micromanagement. Third is an information and translation gap: boards receive data, but not decision-ready insight, which limits their ability to act strategically. IMD’s research frames this as a broader governance issue, where effective oversight depends on aligning people, processes, and information architecture, not just bolting on additional reporting.

Deloitte’s findings further underscore that many firms still rely on “first-line” defences and incomplete strategies, revealing a disconnect between perceived importance and actual preparedness. Viewed together, these insights point to a fundamental shift: cybersecurity is no longer an operational issue delegated to IT, but a core board-level responsibility tied to enterprise value, resilience, and trust. The most effective boards are not those with the most dashboards, but those that actively shape risk appetite, ensure the right expertise is present, and engage more deeply with management and, in particular, with CISOs.

McKinsey’s broader board-level research makes the same point: stronger interaction and shared understanding between boards and security leaders significantly improve organisational resilience and strategic alignment. What makes this particularly critical is how closely cybersecurity governance mirrors the challenges seen in adjacent domains, such as artificial intelligence. A recent Axios analysis shows that only a minority of boards have meaningful oversight of emerging technologies, creating similar gaps in expertise and strategic direction.

This parallel suggests that the issue is not cybersecurity-specific, but indicative of a broader governance lag in responding to fast-moving, technology-driven risks. In both cases, boards are being asked to oversee domains that evolve faster than traditional governance models can accommodate. Recent cyber incidents further reinforce this urgency.

In one example, the European Commission suffered a major breach of its cloud-hosted platform (Europa.eu), exposing sensitive internal data, including credentials and configuration files. Attackers reportedly accessed an AWS environment, potentially through credential theft or weak access governance. The incident affected multiple EU institutions, a supranational governance failure demonstrating that even highly regulated environments struggle with board-level oversight of cloud and identity risk.

In another example, the Coupang breach exposed data from 33.7 million users, and regulators explicitly concluded that the root cause was management failure, not a sophisticated attack. This is one of the clearest modern cases in which regulators directly attribute a breach to governance and leadership failure, aligning with Harvard Business Review’s thesis on board accountability gaps. High-profile breaches and increasing regulatory scrutiny have made it clear that accountability ultimately sits with the board, not just with management.

Yet, as governance and academic research highlights, boards often lack the tools and frameworks to translate cyber risk into business terms, leading to decisions that are either overly cautious or dangerously superficial. The clear implication is that, absent a fundamental change in board capability, structure, and engagement, organisations will c