Copyright Forbes

Nancy Morgan, Dave Rankin, Niloo Razi, Leslie Ireland, and Georgianna Shea discuss the board's role in cyber resilience during "Cyber Strategy Meets Business Objectives" at The Cyber Guild's Uniting Women in Cyber conference. Photo: Aidar Gabdrakham

At this year’s Uniting Women in Cyber conference – hosted by The Cyber Guild, a nonprofit dedicated to demystifying cybersecurity and broadening participation across sectors – leaders from business, government and academia agreed that cyber risk is not just a technical problem but a leadership and governance imperative. For boards, the conversation is about business continuity, brand trust and cyber resilience.

Cyber Resilience as a Business Enabler

Panelists across the “Cyber Strategy Meets Business Objectives” session emphasized that cyber resilience, not mere protection, is the new benchmark. Dr. Georgianna Shea, Chief Technologist at the Foundation for Defense of Democracies, was direct: “Cybersecurity is about detecting. You will be compromised.” Resilience is about continuing the enterprise when you’ve been compromised.

Leslie Ireland, former U.S. intelligence official and president of Ultra I&C, referenced racecar driver Mario Andretti’s famous quote that many “think that the brakes are for slowing the car down,” when in fact they are there to help the car go faster. Cybersecurity, she explained, is there to help your business go faster, be more competitive, and make information more reliable and accessible. That reframes cyber resilience as a business enabler – something that facilitates the business rather than inhibits it.

G. Shea agreed, stating that leaders “need to understand what the mission is and what's good enough.” Cybersecurity professionals may be so focused on security that they prevent the mission from happening. It is the leaders’ and board’s role to find the right risk tolerance for cyber resilience and avoid over-securing an organization to the point of ineffectiveness.
Embedding Cyber Resilience into Board Governance

The shift to cyber resilience as a business enabler places cybersecurity oversight squarely within the board’s fiduciary duties. Niloo Razi, Distinguished Visiting Professor at Vanderbilt University, explained: “You can’t separate cyber and risk anywhere. Anything that touches technology becomes cyber risk.” She emphasized that setting the cyber risk appetite is a board function, and management’s role is to demonstrate they are meeting that risk appetite. “If the board sets the appetite and management isn’t taking it seriously,” she warned, “the board has a duty to act in their fiduciary role.”

Ireland agreed, encouraging boards to identify which systems and program elements are critical to the organization's functioning, then to define the risk tolerance for those systems. G. Shea communicated the need to take this further and understand the cascading effects and dependencies. “If something happens to a particular system, what is the residual effect?” she said.

One panelist added that resilience metrics must be part of board dashboards, noting that they will vary depending on the type of company. Some may focus on 100% availability, while others may value mean time to respond or the time attackers spend in the network before detection (dwell time). The key is a shared understanding of risk.

The Human Factor at the Heart of Cyber Resilience

Debbie Sallis, Founding Executive Director of The Cyber Guild, emphasized that cyber resilience depends on people as much as technology. “The nature of cyber threats has shifted from isolated incidents to persistent, systemic attacks powered by AI,” she said. “People are at the heart of a sustainable cybersecurity system. True resilience depends on informed, empowered colleagues who know how to respond and recover when incidents occur.” She added that boards must view cybersecurity through the same lens as financial or strategic risk.
“Successful boards oversee cyber risk to manage business risk. They make business resilience a strategic imperative, and they cultivate a culture of engagement, not compliance.”

Moderator Nancy Morgan noted that there is greater board-level attention and representation regarding cybersecurity. However, “many prospective board members may claim they understand cybersecurity, but many don’t,” Razi cautioned. “Boards need directors who understand both cybersecurity and risk.”

Translating National Security Lessons into Cyber Resilience Leadership

The Cyber Guild Foundation Co-Chair and board director Teresa Shea. Photo: Aidar Gabdrakham

Teresa Shea is co-chair of The Cyber Guild Foundation, former Signals Intelligence Director of the National Security Agency, and a board director. “Resilience isn’t a technology function, it’s a leadership mindset,” she said. “The same discipline that keeps nations secure – anticipating threats, rehearsing response and safeguarding continuity – are the ones that thrive through disruption. Cyber resilience is national security at enterprise scale.”

Nation-states are targeting private companies in ways that “go beyond identity and intellectual property threats,” Razi said. “They are preparing to disrupt and destroy our systems.” Ireland confirmed that “the landscape has changed with regard to the information you need to protect. It is no longer passwords, logins, and personally identifiable information. It’s the CEO’s voice and images,” which have been used to dupe employees for financial gain.

Communicating Cyber Resilience with Clarity and Transparency

Panelists were unanimous that clarity and candor matter more than technical depth in board briefings. “If you are briefing your board, give it to them straight,” Ireland advised. “Don’t hide anything. Boards’ diverse experience can be a resource if you trust them with the truth.” Ireland also urged boards to understand their dependencies on other stakeholders.
Morgan agreed, encouraging a look at partners beyond the second and third orders to those even further removed from a primary vendor. Razi added that there are three lines of cyber defense: the chief information security officer, the audit committee, and the board. After-action reviews following an incident should take place at both the board and operational levels. But near-miss reviews should also become routine to build shared awareness of the potential impact.

Leading Through Cyber Resilience

The Cyber Guild’s UWIC conference made clear that the boardroom is now part of the cyber resilience line of defense. Directors who understand how technology, governance, and human behavior intersect will not only safeguard their organizations, but they’ll position them to lead.