Non-Executive Directors as Cyber Champions
A Personal View from the Boardroom
One of the most important questions I find myself asking in board meetings is: “Are we prepared for cyber threats, and how do we know?”
As a non-executive director (NED) who often represents cybersecurity and emerging technology interests on boards, I’ve learned that even without being a deep technical expert, I must challenge management and ensure our company’s security posture is sound. In today’s high-risk digital environment, boards can no longer treat cybersecurity as “someone else’s problem.” Directors cannot abdicate or simply delegate oversight of cybersecurity – we must instead become knowledgeable champions who prioritize cyber resilience and demonstrate commitment from the top.
The Critical Role of NEDs in Cyber Oversight
Independent oversight is at the core of a NED’s responsibilities. We are entrusted to provide a credible challenge to management and impartial oversight of risks on behalf of shareholders and stakeholders. Cybersecurity is no exception – in fact, it has become one of the most critical and complex risks boards oversee. High-profile breaches have shown that cyber incidents can result in massive financial losses, reputational damage, and even regulatory penalties for companies and their boards. Consequently, investors and regulators now expect boards to actively monitor cyber risk, not just leave it to IT departments.
From my experience, an effective NED approaches cybersecurity as a strategic, enterprise-wide risk, not merely a technical issue. This aligns with guidance from the National Association of Corporate Directors (NACD), which urges boards to treat cybersecurity as a strategic risk (not just an IT concern), ensure regular boardroom attention to cyber issues, and set the expectation that management establishes a robust cyber risk management framework with proper resources.
In practice, this means I insist that cybersecurity appears regularly on our board agenda and is discussed with the same seriousness as financial, operational, or strategic risks. As an independent director, I see my role as ensuring the organization has the right policies, people, and plans in place to manage cyber threats – and if not, pushing for improvements.
Asking the Tough Questions and Holding Management Accountable
Even without being a technical guru, a NED can be highly effective by asking tough, probing questions that get beyond buzzwords and complacent assurances. In my board work, I’ve found that simple, direct questions often reveal a lot. For example, asking “How do we know we are secure?” prompts management to provide evidence of cyber controls and not just say “trust us.” Good directors probe management to explain what frameworks or standards they use to assess cybersecurity, what the latest risk assessments show, and how they are closing identified gaps. We challenge whether the focus of security efforts is aligned with the company’s top risks, and whether independent assurance activities (like audits or security testing) back up management’s claims.
In my experience, some of the most effective questions a NED can ask include:
“What are our top cyber risks, and how are we mitigating them?” – Ensures management is identifying and prioritizing cyber threats as part of enterprise risk management. I look for clear answers on whether cyber risks are integrated into the overall business risk register (for instance, weighing the benefits of a new technology against its security risks).
“Are we prepared to respond to a cyber incident? When was our response plan last tested?” – Checks that the company has an up-to-date incident response plan and has conducted drills or simulations. NEDs should insist on seeing the results of cyber breach simulations or tabletop exercises and ask what was learned. This shows whether the organization is battle-tested or just assuming everything will work.
“Do we have the right expertise and resources?” – Probes whether the company has skilled cybersecurity leadership (a CISO or equivalent) and sufficient budget and staff for security. As a NED, I often have to gauge whether management is underestimating the needed investment. Regulators like the Monetary Authority of Singapore (MAS) now explicitly expect boards to verify that senior managers in charge of IT and security have the appropriate experience and skills, and that adequate resources are allocated.
“How do we measure and report on cyber risk?” – Demands to see concrete metrics or reports: for example, frequency of cyber incidents or near-misses, results of vulnerability scans, employee cybersecurity training completion rates, etc. If the board only hears vague statements like “everything is under control,” that’s a red flag. I encourage boards to develop dashboards or key risk indicators for cybersecurity, so oversight is based on data.
“Have there been any cybersecurity incidents or near-misses, and what did we learn?” – This question reinforces a culture of transparency. NEDs should ensure that even minor incidents or close calls are reported to the board, not swept under the rug. It signals that the board will hold management accountable for continuous improvement in cyber defenses.
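As an added example, not part of the original article: one way management can turn the raw data behind these questions into the kind of dashboard a board can actually challenge. The script computes a handful of key risk indicators (overdue remediation against SLA, MFA coverage of privileged accounts, phishing drill click and report rates), assigns each a red/amber/green status, and keeps the underlying evidence next to the number so a director can ask “which systems, and why?” rather than accept “everything is under control.” The SLA days, the RAG thresholds and every record in it are constructed assumptions for illustration, not figures from any company.

```python
# Board-level cyber key risk indicators (KRIs) from raw security records.
# Added illustration: SLA values, RAG thresholds and all sample records below
# are constructed assumptions, not data from the article or any real board.
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed remediation SLAs in days, by severity (hypothetical policy values).
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str           # one of SLA_DAYS' keys
    opened: date
    closed: Optional[date]  # None while still open

@dataclass(frozen=True)
class Account:
    user: str
    privileged: bool
    mfa_enrolled: bool

@dataclass(frozen=True)
class PhishingDrill:
    sent: int
    clicked: int
    reported: int


def overdue_findings(findings, as_of):
    """Open findings whose age exceeds the SLA for their severity."""
    return [f for f in findings
            if f.closed is None and (as_of - f.opened).days > SLA_DAYS[f.severity]]

def mfa_coverage(accounts, privileged_only=False):
    """Percentage of (optionally only privileged) accounts enrolled in MFA."""
    pool = [a for a in accounts if a.privileged or not privileged_only]
    if not pool:
        return 100.0
    return round(100.0 * sum(a.mfa_enrolled for a in pool) / len(pool), 1)

def rag(value, green_at, red_at, higher_is_better):
    """Map a metric onto red/amber/green using two thresholds."""
    if higher_is_better:
        if value >= green_at:
            return "green"
        return "red" if value < red_at else "amber"
    if value <= green_at:
        return "green"
    return "red" if value > red_at else "amber"

def board_dashboard(findings, accounts, drill, as_of):
    """Dashboard rows: metric value, RAG status and the evidence behind it."""
    overdue = overdue_findings(findings, as_of)
    priv_mfa = mfa_coverage(accounts, privileged_only=True)
    click_pct = round(100.0 * drill.clicked / drill.sent, 1)
    report_pct = round(100.0 * drill.reported / drill.sent, 1)
    return {
        "overdue_sla_findings": {
            "value": len(overdue),
            "status": rag(len(overdue), green_at=0, red_at=1, higher_is_better=False),
            "evidence": sorted(f"{f.asset} ({f.severity})" for f in overdue)},
        "privileged_mfa_coverage_pct": {
            "value": priv_mfa,
            "status": rag(priv_mfa, green_at=100.0, red_at=95.0, higher_is_better=True),
            "evidence": sorted(a.user for a in accounts if a.privileged and not a.mfa_enrolled)},
        "phishing_click_rate_pct": {
            "value": click_pct,
            "status": rag(click_pct, green_at=5.0, red_at=10.0, higher_is_better=False),
            "evidence": [f"{drill.clicked} of {drill.sent} clicked"]},
        "phishing_report_rate_pct": {
            "value": report_pct,
            "status": rag(report_pct, green_at=40.0, red_at=25.0, higher_is_better=True),
            "evidence": [f"{drill.reported} of {drill.sent} reported"]},
    }


# Constructed sample records standing in for scanner, IdP and awareness-tool exports.
AS_OF = date(2024, 6, 30)
FINDINGS = [
    Finding("erp-db-01", "critical", date(2024, 5, 1), None),        # 60 days open: overdue
    Finding("web-proxy", "critical", date(2024, 6, 25), None),       # 5 days open: within SLA
    Finding("hr-portal", "high", date(2024, 4, 1), None),            # 90 days open: overdue
    Finding("laptop-fleet", "medium", date(2024, 6, 1), None),       # 29 days open: within SLA
    Finding("mail-gw", "high", date(2024, 3, 1), date(2024, 3, 20)), # closed: not counted
]
ACCOUNTS = [
    Account("alice", privileged=True, mfa_enrolled=True),
    Account("bob", privileged=True, mfa_enrolled=False),
    Account("carol", privileged=False, mfa_enrolled=True),
    Account("dave", privileged=False, mfa_enrolled=True),
    Account("erin", privileged=False, mfa_enrolled=False),
]
DRILL = PhishingDrill(sent=200, clicked=18, reported=95)

if __name__ == "__main__":
    for name, row in board_dashboard(FINDINGS, ACCOUNTS, DRILL, AS_OF).items():
        print(f"{name:30} {row['value']:>6}  {row['status']:5}  {', '.join(row['evidence'])}")
```

The point of the evidence field is governance, not code: a red status on “overdue SLA findings” that names erp-db-01 and hr-portal invites exactly the follow-up this section recommends (“Why did that risk remain unaddressed for so long?”), whereas a bare percentage does not.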
Asking these kinds of questions does two important things: it forces management to articulate their cyber strategy in plain language, and it sets a tone that the board takes cybersecurity seriously. In one case, our probing revealed that management had never briefed the board on the results of a third-party security assessment – an omission we swiftly corrected by scheduling a full review at the next meeting. NEDs don’t need to know all the technical details, but we do need to ask the right questions. By drilling down with follow-ups (“What was the outcome of that security test?” “Why did that risk remain unaddressed for so long?”), we can often uncover issues that warrant board attention.
Crucially, tough questioning should be constructive, not confrontational. The goal is to foster an open dialogue where executives feel accountable but also supported in managing cyber risks. A healthy board culture is one where management expects that NEDs will ask “What if…?” and “How do we know…?” – and comes prepared with substantive answers and evidence.
Becoming a “Cyber-Savvy” NED
Many NEDs come from backgrounds like finance, law, or operations, and initially lack cyber expertise. Yet boards without at least some cyber fluency may fall into “symbolic” oversight – following a checklist but not truly grasping the substance.
I believe NEDs have to upskill enough to discharge their cyber risk oversight duties. They don’t need to become technical experts, but they must learn enough to hold fluent conversations with internal and external cyber experts. They should stay current through cybersecurity briefings, industry reports, and seminars on emerging threats and technologies.
Moreover, boards can bring in outside expertise to educate and challenge themselves. On one of the boards I sit on, we invited an external cybersecurity consultant to conduct an annual workshop with the directors – a sort of cyber boot camp where we review current threat trends and practice responding to a mock breach scenario.
Upskilling also involves learning the “language” of cybersecurity so we can bridge communication gaps between the board and technical teams. I often act as a translator in board meetings – rephrasing a CISO’s highly technical report into business risk terms that my non-technical colleagues can understand, and vice versa, translating the board’s risk appetite and concerns into questions the tech team can act on. This translation role is vital. By improving our own literacy, NEDs can ensure we’re not just nodding along, but actually engaging in a meaningful dialogue.
Leveraging the Outsider Perspective
As independent directors, NEDs bring a valuable outsider perspective to the boardroom. We are not involved in day-to-day operations, which positions us to question assumptions and view risks objectively. I’ve found that this outsider viewpoint is especially useful in cybersecurity oversight, where executives sometimes can be too close to the issue or may develop blind spots.
For example, management might present a rosy picture (“We have 99% of our systems patched and have never been breached”), but a questioning NED can counter with an external reality check (“Industry data shows breaches often go undetected – how confident are we in our detection capabilities? When was the last time we independently verified our security measures?”). Our job is to ensure that the board is not taking management’s word at face value without scrutiny. In fact, research indicates that boards lacking cybersecurity expertise sometimes rely heavily on management (like the CISO) even to define their oversight process, resulting in a “circular governance” problem. Essentially, if the only information directors get about cyber risk comes from the executives in charge of cyber risk, the oversight can become overly deferential.
I counter this by leveraging my independent stance to seek third-party viewpoints. As a board, we might hire external firms to conduct cybersecurity maturity assessments or penetration tests, and then have those experts report directly to the board (or audit committee). This outsider audit can either validate management’s statements or uncover discrepancies. For instance, one penetration test at a company I advise revealed insecure configurations that the internal team had overlooked. As NEDs, we used that unbiased report to press management on a remediation timeline and to emphasize that independent assurance is a board expectation. Notably, regulators encourage this approach: the MAS Technology Risk Management guidelines explicitly call for the board to ensure an independent audit of the effectiveness of controls and risk management in tech domains. In short, an outsider perspective – whether from NEDs themselves or experts we bring in – is a powerful tool to hold management accountable for cyber risk management.
Additionally, our outsider perspective means we can draw on lessons from other industries and companies. Cyber threats are a global, cross-sector issue – what happens in one sector often has parallels in others. I often share with my board peers examples of incidents or best practices I’ve seen elsewhere. For example, a cyber breach in a retail company might carry governance lessons for a bank, or a new security approach in healthcare might inspire questions for a manufacturing firm. As NEDs, we typically sit on multiple boards or have broader networks, which allows us to import fresh perspectives and not get stuck in a siloed view of “this is how it’s always been done” within the company. This cross-pollination is one of the underrated strengths of non-executives in championing cyber resilience. We serve as a bridge connecting the organization to the wider world of emerging risks and practices.
Championing Cyber Resilience in the Boardroom
To truly champion cyber resilience, NEDs must go beyond oversight and contribute to shaping a resilient organizational culture and strategy. In my role, I see five key ways we can do this:
Set the Tone at the Top: We make it clear that cybersecurity is a board-level priority and an integral part of business resilience. By regularly talking about cyber risk in the context of strategy and performance, the board signals that security is everyone’s responsibility, not just the IT department’s. I have seen how a board’s genuine interest in cybersecurity filters down – management and staff take cues from the top. Simple actions, like the board allocating adequate time on the agenda for cybersecurity discussions, or ensuring cyber risk appears in annual reports and investor communications, send a powerful message that cyber resilience matters.
Embed Cyber into Risk Management and Governance: NEDs should insist that cybersecurity is woven into the enterprise risk management framework, rather than treated as a standalone technical issue. This means verifying the company has policies and structures (e.g. risk committees, reporting lines) that incorporate cyber risk. On one board, we established a dedicated board-level cyber risk subcommittee to dive deeper into technical issues and report back to the full board. In other cases, the audit or risk committee might oversee cyber – whatever the model, the important point is that there is clear board ownership of cyber risk oversight. A resilient organization integrates cyber considerations into business decisions (such as new product launches or M&A due diligence), and as NEDs we champion that integration. I often ask: “Does this decision account for cyber risks and are we within our risk appetite?” If the answer is uncertain, it’s a cue to rethink or add mitigating steps.
Ensure Preparedness and Incident Response Plans: Championing resilience means expecting not just prevention, but also preparedness for when incidents occur. I encourage my boards to adopt a “when, not if” mindset about breaches. We push management to maintain robust incident response and business continuity plans specifically for cyber events. Just as importantly, we insist on testing those plans regularly (through drills or simulations) and refining them. In one case, our board participated in a cyber crisis simulation which proved invaluable – it exposed gaps in our communication protocols and helped the directors understand their role during a real crisis. After that exercise, we were far better prepared, having clarified who would speak to regulators, how quickly customers would be notified, and how the board would convene urgently if a major attack struck. NEDs as cyber champions advocate for such proactive resilience measures rather than waiting to learn these lessons in the middle of a crisis.
Demand Accountability and Continuous Improvement: A champion doesn’t accept “good enough” if the threat landscape is worsening. Cyber risk is dynamic, so our oversight must be continuous. I make a point that after any cyber incident or audit finding, the board follows up to ensure lessons learned are implemented. We also set expectations that management will update us on progress of security initiatives. Around the world, regulators are raising the stakes for boards in this area.
Encourage a Culture of Transparency and Learning: Finally, championing cyber resilience means shaping a culture where cybersecurity is not shrouded in shame or secrecy. I encourage management to report issues promptly and honestly, and I ensure that when things go wrong, the board’s response is focused on solutions, not blame. This creates trust, so that if, say, an employee clicks on a phishing email, the incident is reported and addressed rather than hidden. Moreover, I advocate for celebrating proactive security efforts – for instance, praising the IT team for successfully thwarting an attempted intrusion or for rolling out multi-factor authentication company-wide. By highlighting positive actions, NEDs can reinforce that good cybersecurity is an enabler of business (protecting the company’s mission and reputation) rather than a hindrance. In my view, when employees at all levels see that leadership truly cares about cybersecurity (beyond lip service), they become more engaged in maintaining a secure environment.
Global and Cross-Sector Perspectives
What’s become evident is that cyber oversight is now a universal expectation for boards across industries and regions. My boards span different sectors, from financial services to healthcare, and regardless of the domain, the principles of good cyber governance apply. In highly regulated sectors like finance, the expectations are even more explicit.
Even in industries without specific cyber regulations, investors and business partners are calling for stronger board engagement on cybersecurity. There is growing recognition that companies with tech-savvy, cyber-aware boards are better positioned to navigate the digital economy’s risks. In fact, I’ve observed that during due diligence or investor meetings, questions about the board’s cybersecurity oversight are now common. Stakeholders want to know: does the board understand the cyber threats to this business? Are there directors who know what questions to ask? They take comfort if the answer is yes. A recent trend is that some boards are appointing former Chief Information Security Officers (CISOs) or technology leaders as NEDs – the so-called “cyber NED” – to bring in specialized expertise and plug knowledge gaps on the board. This is a positive development, but it doesn’t let the rest of us off the hook: every NED should attain a baseline of cyber competence and stay engaged, even if one expert is in the room.
Cross-sector collaboration is another perspective I value. Cyber threats do not respect industry boundaries, and I’ve seen benefit in boards sharing practices through inter-company forums or industry associations. For example, financial firms’ boards might learn from energy companies’ experiences with nation-state attackers, or vice versa. As a NED, I sometimes participate in cross-industry cyber oversight roundtables, and I bring back insights to my own boards. It’s about adopting a broad view – the global threat landscape and regulatory trends might hit different companies at different times, but eventually most organizations will face similar challenges. NEDs who keep a finger on the global pulse can better anticipate what’s coming.
NEDs Leading the Charge on Cyber Resilience
Reflecting on my journey as a NED focused on cybersecurity, I firmly believe that NEDs can and should be cyber champions in the boardroom. We add unique value by marrying our independent, big-picture oversight with a willingness to dig into tough questions on tech risks. We act as the bridge between technical details and strategic implications, ensuring that our companies not only stay compliant with emerging regulations, but more importantly, stay protected and resilient in the face of evolving cyber threats.