Abstract

Overall, the responsibility to oversee cyber-risk management in modern organisations lies with Boards of Directors. However, evidence suggests that boards are not nearly as engaged in cybersecurity as they are in other areas of oversight. Through the lens of neo-institutional theory, we investigated the key drivers of and major impediments to directors’ engagement with cybersecurity. We conducted 18 interviews with non-executive directors from 43 organisations to cast light on current cybersecurity practices and on the factors that drive directors’ engagement. Our findings emphasise that regulations are the most influential driver (coercive pressures). However, directors are not always fully aware of their duties and liability concerning cybersecurity oversight. Further, our study highlights that personal experience and background shape a director's engagement with cybersecurity (normative forces). Our analysis also shows a frequent over-reliance on a single board member with cyber-experience. Lastly, the secrecy that characterises cybersecurity reduces the opportunity for directors to replicate best practices across organisations (mimetic forces). Directors’ engagement with cybersecurity is only marginally driven by holding multiple board roles and by the influence of external consultants. A stronger role is played by the media attention that some cyber-breaches attract and by a prevalent “push reporting” approach in cybersecurity (organisational factors). We offer a series of evidence-based practical recommendations to enhance directors’ engagement in this crucial area, ranging from strengthening existing regulations to codifying best practices in cyber-reporting.
