The search for a Cyber NED.
How effective Cyber NEDs blend technical expertise with strategic, business, and cultural awareness.
Should cyber experts be appointed to the Board? Yes, if they also understand corporate strategy.
Cyberattacks on companies are rising at an alarming rate. Amazon reported a staggering 750 million daily attacks in 2024, a figure expected to increase. The “Scattered Spider” attack on UK retailer Marks & Spencer captured vital customer data and disrupted supply chains, leaving empty shelves. Corporate cyber-attacks are big business – bigger probably than the global drugs trade, say analysts.
Some attacks do little worse than take down a website for a few hours or days. Others, involving state actors such as China, Russia, North Korea or Iran, seek to incapacitate a country’s transportation, telecommunications and utilities companies. Western governments seldom help their own corporate victims who are left to fend for themselves.
Artificial Intelligence is expanding the volume of cyber-attacks exponentially. Attacks that might have been complex and expensive to launch can now be done at scale. Credential Stuffing or Spear-phishing, which target specific departments or individuals (in an attempt to convince them, for example, to pay out a bogus multimillion dollar invoice) can have a higher return if deployed en-masse.
According to the National Association of Corporate Directors (NACD), Boards need to “consider cybersecurity as a matter of strategy and enterprise risk, rather than simply as a technology issue.” It reports that around 16% of Fortune 500 companies in the US have technology committees to deal with such threats.
Should Cyber experts now be brought onto the Board? Currently, most Boards still prefer to hive off technology issues onto Risk or IT sub-committees, and expect a Chief Information Officer or Chief Risk Officer to report back. “Some 99% of tech-related conversations, including cyber security take place in a Digital and IT sub-committee of the Board,” says one Board Chair at a major South African financial services company with operations throughout Africa, India and Malaysia. Others “bring in expert outsiders to talk to external leads in private and then present together to the Board on a combination of what is happening externally and what is happening internally.”
A Scandinavian firm cautions: “one committee cannot handle a topic alone. Cyber/AI goes alongside Risk management, Technology, Innovation and new business models… [There] needs to be one or two people on the Board who have broader understanding of technology, business-enabling activities, including ability to challenge associated risks.”
In the worst cases, eyes glaze over, minds tune out, and few directors know how to ask a relevant tech question or what tech topics should even be discussed.
Currently, there is little appetite among European companies to bring a cyber expert onto the Board. “Someone needs to bring this together,” says Ms Denzel, and that is not easy. Whoever that is would be “presenting to a Bell curve of [tech] outsiders, technology immigrants and early adopters, and … [the occasional] digital native. That’s a diverse and challenging set of personas for any topic,” she says. Few digital experts can do it. In many cases, they are prone to jargon, or may lack a full sense of the company’s overall strategy. They are not always interested in the rest of what we talk about”, according to one Odgers client.
Board members do not always help the situation. In the worst cases, eyes glaze over and minds tune out. Sometimes, directors don’t know how to ask a relevant tech question or what tech topics should be discussed, say observers.
“Finding people with broad enough digital experience who can also contribute to the wider Board agenda is the difficult part,” reports one Board Chair. An Africa-based Odgers client says its digital Non-executive Director (NED) has had a massive impact. As well as the tech skills, the NED is viewed as “a thought leader and the single biggest source of talent. Management love him.”
Such rarities may be found among executives who have run tech-based companies previously. They already understand how to scale an enterprise and are familiar with IT-related risks. In short, they must be comfortable discussing strategy.
Culture trumps all
Adam Banks, a Digital expert with deep cyber security skills, sits on and advises numerous Boards. He agrees that Boards should seek out a generalist not least because cyber defence is largely about personal qualities and company culture. Tech experts may not typically work directly for an Executive Board member, so they don’t pick up the language of business. He advises companies to bring their tech lead to Board meetings for at least two years – not as a member or even adviser but to observe and learn about the company, its strategy and its culture. Then they could assume a Board level role.
A culture of awareness must run from the Board to the most junior employees. Matt Rogers, an independent director for US energy company Exelon, speaking at a recent McKinsey event, notes: “We need a whole set of leaders throughout the organization who provide the first line of defence. … people at the front line who really understand AI and can raise the right issue. Otherwise, we won’t see it until it’s too late. And you need people at the top who listen, understand, and take appropriate action based on the input of their teams.”
The risk environment is changing so much and so fast (See lead story). Do not rely on knowledge of today’s technology to stay safe. Build the ability to face new challenges, positively and optimistically. The real quality that Boards need, says Mr Banks, is the self-awareness to learn, adapt and see a bigger picture.”
Cybersecurity & AI as Top Trends for Directors, 2025
Source: 2025 NACD Trends and Priorities Survey
www.odgers.com