By continuing to access our website, you agree to our privacy policy and use of cookies.

Skip to Main Content

Press "Enter" to search


For Boards, the Best Cybersecurity Defense Is a Good Offense

September 8, 2023

Complex digital systems are the central nervous system controlling your company’s most vital assets and business outcomes. Their importance only exacerbates the growing complexity and rapidly changing nature of cyber risk. As boards face significant cybersecurity governance, disclosure, regulatory, and legal challenges, they often find themselves playing defense.

Cyber risk transcends typical business risk. Familiar defensive measures and compliance requirements are necessary but alone do not constitute effective governance. Further, they are often communicated using technical language that lacks the business context boards should demand.

To effectively govern, boards must go on the offensive by taking a proactive approach that centers on three core areas.


By solidifying an organizational hierarchy with clear roles and responsibilities, an enterprise establishes a foundation for processes that proactively protect against cyber threats. This also creates a knowledge base among leadership to drive education and culture.

Boards can consider the following actions:

  • Create a cybersecurity organization to fit the size of the enterprise. For smaller companies, that might mean outsourcing a chief information security officer (CISO). For larger enterprises, functions could be assigned to leaders of an in-house team, including a chief risk officer, chief information officer, or CISO.
  • Appoint a chief cybersecurity officer to lead the team. This person should be a peer of organization executives, to whom they may offer respected perspectives and directives across enterprise functions. They should have an independent reporting channel to executive leadership.
  • Establish an internal management and a chartered board risk committee to oversee enterprise and cyber risk.
  • Identify and evaluate existing baseline cybersecurity controls that impact all systems in the enterprise.
  • Establish a cybersecurity framework and procedures based on the cyber risk committee’s recommendations. Start with the National Institute of Standards and Technology’s cybersecurity framework and modify it as needed.


Cyber risk is a form of systemic risk. Controlling it requires a working knowledge of underlying systems. Otherwise, risk protection tools and methods lack context and can be suboptimal. Enterprises need to be defined within the context of a system—a regularly interacting and interdependent group of elements, subsystems, and assets. For example, the elements of enterprise as a system (EAS) include assets and processes that interact with one another both internally and externally and with people.

Boards can govern the EAS with the following process:

  • Phase 1: Produce a high-level business process map of the EAS using common business language.
  • Phase 2: Produce a detailed business process analysis and board summary. Break down the larger Phase 1 elements to better understand overall processes and interactions. Approach these elements incrementally based on relative importance.
  • Phase 3: Utilize outside advisors to identify and determine the efficacy of relevant cybersecurity controls against the specific elements identified in Phase 2. Provide recommendations to the board to remediate gaps.
  • Phase 4: Develop and articulate the risk appetite, risk indicators, and associated thresholds that the enterprise accepts in pursuit of value. Optimize the EAS to reduce the threat landscape and improve control efficiency, adjusting the use of cybersecurity tools accordingly.

Through these phases, the board and other executives share a contextualized picture of the EAS in understandable business language. The EAS should be reevaluated whenever changes are introduced, such as new digital systems or mergers and acquisitions.


Once the board signals its priority of cybersecurity through organizational and educational steps and has a business context for areas of greatest risk, it can do the following to ensure all constituents embrace this shared responsibility:

  • Emphasize the importance of addressing cyber threats before they become a reality.
  • Communicate emerging cyber threats and incidents through established channels.
  • Market the importance of cybersecurity and reward good behavior.

These initiatives, as part of comprehensive and thoughtful changes to the three focus areas, will put boards on the offensive against cybersecurity

Reprinted with permission from the National Association of Corporate Directors NACD after originally appearing in the summer (Quarter Three) 2023 issue of Directorship® magazine.

Download the PDF

Hylant is a proud member of RSM US Alliance, a premier affiliation of independent accounting and consulting firms in the United States. RSM US Alliance provides our firm with access to resources of RSM US LLP, the leading provider of audit, tax and consulting services focused on the middle market. RSM US LLP is a licensed CPA firm and the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.

Our membership in RSM US Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise, and technical resources.

For more information on how ​Hylant can assist you, please call 800-249-5268.

Related Insights