
In times of accelerated digital transformation, cybersecurity is no longer a topic restricted to IT. Failures in this area represent real risks to reputation, business continuity and market confidence. It is therefore important and urgent that boards of directors, many of which are unaware of the seriousness of the issue and have not assumed the responsibility that is theirs, review their strategic role in digital protection and become guardians in this area.
The warning and the path to a change of perspective on the subject are in the article Boards Need a More Active Approach to Cybersecurity, by Noah P. Barsky and Keri Pearlson, published by Harvard Business Review. The text, based on a survey of 151 executives, shows that most board members consider investments in cybersecurity adequate. Few are actually aware of the risks involved or act proactively to mitigate them.
Preventing crises and building resilience
Making long-term governance a central part of boardroom governance is essential to preventing avoidable cyber crises and building digital resilience across the organization, the authors argue. Cybersecurity is not a cost, it is a strategy, they say, advocating a change in mindset based on a reflection on three common mistakes related to the topic:
1. Underestimating the cost of inaction: Cyberattacks can paralyze operations for days, affect customers, generate fines and tarnish reputations.
2. Ignoring technical debt: Outdated infrastructure, out-of-date systems, and lack of maintenance create silent vulnerabilities.
3. Avoiding bad news: Cultures that hide near misses or minimize failures inhibit learning and prevention.
Board members who want to evolve from simple observers to protagonists of digital resilience, the authors suggest, should follow five steps, starting with the centrality of stewardship, that is, responsible administration.
• Put the stewardship mindset at the center: Treat cybersecurity as a board responsibility. This changes the level of questions asked and the quality of decisions made.
• Encourage in-depth analysis of the risks of inaction: What happens if the system goes down for 24 hours? What about for a week? These questions should guide the board's debate.
• Do due diligence to reduce technical debt: Identify bottlenecks, anticipate vulnerabilities and address hidden risks as if you were evaluating a strategic acquisition.
• See investment in cybersecurity as a competitive advantage: Beyond avoiding losses, protecting systems can generate value in the form of consumer trust, solid reputation and differentiation in the market.
• Turn updates into learning moments: Each cybersecurity report should be treated as input for continuous improvement, not as a technical formality.
The authors’ conclusion is that long-term governance requires more than strategic vision. It requires active responsibility in preventing avoidable risks, including digital ones. The Board of Directors is a key player in ensuring that cybersecurity, an issue of reputation, sustainability and viability, is at the center of the agenda.