Unfortunately, the Board of Directors for most enterprises don’t have a grasp on the risks brought on by information/cyber security. In this aspect, they are still operating in an environment that existed 20 years ago.
These risks most often continue to remain unaddressed at the Board level. Typically there are two contributing factors: 1. The Board is unaware of their liability; 2. There is management standing in the way of this matter reaching the Board. In either sense, a solid breach will correct both of these problems.
But what is the point of the current Board and Management being the stakeholders if they are not going to actively (pre-breach) seek out those risks and actively bring those experts into the Board who are capable of providing guidance on what information is needed in order to make relevant decisions to mitigate, remediate or transfer risk to a level within the risk appetite of the enterprise? Have they even established a risk appetite?
The first step is to create an Information Security Committee on the Board and see how many Board Members feel comfortable with providing meaningful contribution.