Corporate boards have spent years getting smarter about cybersecurity. They’ve added technology expertise, convened risk committees, and engaged CISOs more directly in strategic conversations. But progress is uneven despite rising investment, according to the PwC 2026 Global Digital Trust Insights (DTI) report. While 78% of organizations expect their cyber budgets to increase, only 16% significantly measure the financial impact of cyber risks, and a mere 24% spend meaningfully more on proactive measures than on response and recovery.
Beyond the technical challenge that cybersecurity poses, these insights point to a governance challenge. Cyber readiness ultimately depends on the board’s ability to set expectations, pressure test assumptions, and hold management accountable for outcomes. And the urgency for boards to do this is growing as AI’s implications for cyber offense and defense become more apparent.
The broader governance picture underscores that gap. PwC’s 2025 Annual Corporate Directors Survey (ACDS) shows that more than half of corporate directors (55%) say at least one member of their board should be replaced — the highest figure in the survey’s history — and 78% say their board assessments don’t provide meaningful insights into director performance.
Link the two reports and a stark conclusion emerges: misalignment with the board has become a hidden cybersecurity risk.
Accountability starts with the board itself
ACDS data shows why. Directors say two-thirds of boards still lack the right mix of expertise in technology, risk, and AI, and instead prioritize legacy skill sets like industry, financial, and operational experience. That skills gap — unless addressed through training or outside expertise — often leads to reactive oversight. Without digital fluency, directors can struggle to probe cyber investment priorities and data governance choices. And it shows up in spending patterns: DTI finds that most companies split resources evenly between proactive and reactive measures, even though prevention delivers far higher ROI.
Leading boards are shifting away from compliance-oriented oversight to treating readiness as a driver of enterprise value. They’re asking management to quantify cyber risk in financial terms, pressure test scenarios that impact continuity, and link resilience metrics to business KPIs. They’re moving discussions from “Are we compliant?” to “How quickly could we recover?” Boards that take this forward-leaning posture and focus on resilience help shape market confidence, investor trust, and valuation — because markets reward companies that can withstand shocks and maintain continuity.
The CISO as a business accelerant — not the “department of no”
Effective CISOs translate technical cyber threats into cyber risk and, ultimately, business risk terms the board can act on — expected loss, recovery time, and resilience outcomes — and they do it early, when strategies are still being shaped. The goal isn’t perfection; it’s decision-quality quantification that explains how a dollar invested buys down specific risks and improves time-to-recover.
That translation works best inside a clear operating rhythm with the board: early involvement in major initiatives, periodic executive sessions, quantified risk discussions, and scenario-driven readiness.
What CISOs are up against — and how boards can help
CISOs are juggling competing priorities amid a dense threat environment and tight talent markets. The load spans third- and fourth-party risk, cloud migration complexity, identity-centric attacks, and connected-product/OT exposure — all while ransomware remains a top risk and disruptive technologies (AI now; quantum on the horizon) reshape the landscape. In such conditions, doing the basics, repeatably (strong identity and access management, MFA maturity, least privilege, patching, and zero-trust architectures) removes a large share of avoidable incidents and keeps attackers from gaining easy footholds.
A practical Board–CISO collaboration checklist:
- Invite the CISO in at the start of strategy and transformation discussions; make “security-by-design” a standing principle.
- Hold executive sessions with the CISO at least twice per year to foster candid dialogue and alignment on priorities.
- Ask better questions about basics: “Where don’t we have MFA, and what are the compensating controls?”, “How are we reducing identity risk?”, “Which operational technologies and critical business systems have dependencies that would cause them to be impacted during a ransomware attack?”, and “What can we do manually in the event of a disruption, and how long can we sustain that?”
- Rebalance spend toward prevention and preparedness with a focus on continuity, guided by quantified risk reduction and clear ROI logic.
- Institutionalize realistic scenario planning (including ransomware) across operational, executive, and board levels; rehearse communications, recovery, and decision rights.
- Elevate digital acumen across the full board, not just by adding a single subject-matter expert. Pair targeted education with refreshed composition where needed.
- Tie cyber to enterprise value, linking resilience metrics to business KPIs and investor-facing narratives.
The future is ours to shape
Cyber risk has become a barometer for corporate resilience and trust. As the landscape accelerates, boards are expanding how they engage with performance, talent, and technical insight to keep pace with rising expectations. In today’s environment, traditional rhythms are giving way to more dynamic approaches that reflect the speed of change.
A new model is taking shape.
Boards have an opportunity to model the agility, transparency, and accountability they expect across the organization. Cyber readiness is influenced at the top — as much in the boardroom as in the SOC — and it’s strengthened by a close partnership with a CISO who is empowered to translate risk into meaningful outcomes.