Unfortunately, the Board of Directors for most enterprises don’t have a grasp on the risks brought on by information/cyber security. In this aspect, they are still operating in an environment that existed 20 years ago.
These risks most often continue to remain unaddressed at the Board level. Typically there are two contributing factors: 1. The Board is unaware of their liability; 2. There is management standing in the way of this matter reaching the Board. In either sense, a solid breach will correct both of these problems.
But what is the point of the current Board and Management being the stakeholders if they are not going to actively (pre-breach) seek out those risks and actively bring those experts into the Board who are capable of providing guidance on what information is needed in order to make relevant decisions to mitigate, remediate or transfer risk to a level within the risk appetite of the enterprise? Have they even established a risk appetite?
The first step is to create an Information Security Committee on the Board and see how many Board Members feel comfortable with providing meaningful contribution.
In the same way that off-shoring was not a silver bullet solution to expanding IT spend; cyber risk insurance is not a way to avoid security responsibility.
The goal should never be to outsource accountability. This is not possible.
The goal should always be to architect your own future.
Security should be in your design methodology's DNA.
However, a lot of it is not complex to achieve if you consciously tackle it head first.
The basic fundamentals provide a great deal, of assurance, when executed well.
It is unfortunate that some Board of Directors still operate with the same governance risks today as yesterday. The advent of cloud hosted Board of Director management solutions won't solve all of their issues. Especially considering some board members still communicate via personal email. Any work conducted on personal devices (including personal email) is still considered discoverable in a litigation case.