Designing Cyber Governance: Board Structures and Practices for Effective Oversight

Since the adoption of NIS2, which introduces potential personal liability for individual board members, we’ve observed a growing awareness among boards of the need to address cybersecurity more structurally—as a core governance responsibility.

At the same time, many organisations are asking the same fundamental question:

How should we organise for cybersecurity governance at board level?

To help provide guidance, we’re pleased to share the article below, developed within the Cyber Sounding Board at Guberna, which our CEO Alex Driesen has the privilege of chairing.

The article outlines key considerations and practical recommendations for boards looking to strengthen their oversight of cybersecurity—not just to meet regulatory expectations, but to build long-term digital resilience.

Inspired by the INSEAD approach to sustainability governance, adapted to cybersecurity

Executive Summary

Cybersecurity is a governance issue. Boards are expected to oversee cyber risk as part of their fiduciary duties. Individual directors may face personal liability if they fail to exercise adequate oversight. At the same time, this oversight is not easy. Boards struggle due to a lack of cybersecurity expertise and what has been called the ‘paralysis trap’: the tendency to avoid action in the face of overwhelming technical complexity and rapidly evolving threats. Choosing an adequate governance model can help.

This paper adapts the INSEAD sustainability governance model to cybersecurity by presenting six board-level governance models and six governance-enhancing plug-ins. These tools help boards structure their oversight in line with the company’s risk profile, digital maturity, and regulatory environment.

Why Cybersecurity Is a Strategic Board Concern

Cybersecurity is no longer a back-office technical issue; it has become a board imperative. The digitalisation of business models, evolving geopolitical threats, and the professionalisation of cybercrime have increased the scale and complexity of cyber risk. The World Economic Forum ranks cybersecurity among the top global risks. According to IBM, the average cost of a ransomware breach exceeded $4.5 million in 2022. Statista projects that the global cost of cybercrime will reach $10.3 trillion in 2025 and rise to $16 trillion by 2029, a figure that approaches 15% of global GDP (projected at $111.3 trillion for 2024). Meanwhile, the cyber insurance market is tightening: premiums are rising and exclusions, especially for state-sponsored attacks, are becoming more common. As cyber threats grow and insurance protection diminishes, boards can no longer afford to treat cybersecurity as a purely operational matter. Individual directors may also face personal liability (cf. NIS2) if they fail to exercise adequate oversight. In this context, the need for structured, strategic cyber governance is clearer than ever.

Why Structure Matters

Good intentions are not enough—effective cyber governance requires structured decision-making, clear responsibilities, and regular engagement. While no single model fits all boards, selecting the right approach to structuring and supporting oversight can significantly improve risk mitigation, crisis readiness, and board–management collaboration.

Six Governance Models for Cybersecurity Oversight

Each model is given with a short description and the type of organisation it fits best.

1. Fully integrated
Description: Cybersecurity is embedded in every board-level decision. Strategic plans, M&A and risk reviews explicitly address cyber.
Best fit: Digital-native or digitally mature companies with high board literacy on cyber; organisations for which cyber is a strategic differentiator.

2. Dedicated committee
Description: A board-level cybersecurity or technology risk committee oversees all cyber matters.
Best fit: Large, complex or regulated firms; companies with prior breach experience.

3. Audit/Risk committee extension
Description: Cyber risk is formally included in the audit or risk committee's remit, often supported by regular CISO briefings.
Best fit: Mid-sized companies, or those starting formal cyber governance.

4. Distributed governance
Description: Different aspects of cyber (e.g. compliance, HR, innovation, data ethics) are assigned to different committees.
Best fit: Boards with a strong governance culture and multiple specialist committees.

5. Cyber champion model
Description: One director is designated to lead on cybersecurity and acts as liaison with the CISO and/or external experts.
Best fit: Smaller boards or organisations with limited resources.

6. Minimalist/reactive
Description: No formal oversight; cyber is addressed only during crises or audits.
Best fit: Increasingly unacceptable. Transitional at best, negligent at worst.

Choosing the Right Model

  • Boards often begin with model 3 or 5, typically as a proactive step out of model 6.
  • Larger or regulated companies evolve toward model 1 or 2.
  • Models 4 and 1 work best where cybersecurity cuts across multiple board themes. In model 4, watch out for silos: make sure the pieces are periodically reintegrated into a single board-level view of cyber risk.

Six Plug-Ins to Strengthen Oversight

Each plug-in is given with a short description and the situation in which it is most useful.

a. Board cyber training
Description: Structured learning sessions for directors on cybersecurity threats, regulation and trends.
Use case: All boards; especially important in the early stages of maturity and where imposed by regulation.

b. Expert briefings (ad hoc)
Description: External experts update the board on the threat landscape or review major incidents.
Use case: Enhances situational awareness and the board's ability to challenge management.

c. Standing advisor or cyber council
Description: Ongoing access to independent experts who support board or committee work.
Use case: Ideal for boards without internal cyber expertise.

d. CISO–board engagement
Description: Regular, direct reporting from the CISO to the board or a designated committee.
Use case: Essential for translating operational risk into strategic insight.

e. Board–executive taskforce
Description: Time-bound group of directors and senior leaders working on a specific cyber initiative (e.g. post-breach reform).
Use case: Agile response to high-stakes issues.

f. Simulations and tabletop exercises
Description: Structured crisis scenarios that test the executive team's crisis readiness and decision-making, with the board exercising its oversight role.
Use case: Useful annually, or pre-emptively in high-risk sectors.

How Plug-Ins Interact with Models

  • Plug-ins boost board capacity without altering the governance structure.
  • For example, model 3 (Audit/Risk committee extension) combined with plug-ins a, d and f can be highly effective.
  • Model 1 (Fully integrated) typically uses plug-ins a through e.
  • Boards with limited structure should start with training (a) and securing direct CISO access (d).

Summary Recommendation

Boards should:

  • Select a base governance model aligned with company context.
  • Deploy plug-ins to build expertise, engagement, and responsiveness.
  • Review structure annually as threats, expectations, and maturity evolve.

Cyber governance is a matter of structure, not just awareness. By choosing and supporting the right model, boards can move from passive oversight to proactive leadership. As a director, you have an opportunity to put the topic on the agenda and use your reflections to move the board beyond Model 6.


References

  • INSEAD (2022). Designing Sustainability Governance.
  • ecoDa (2020–2024). Cyber-Risk Oversight Handbook.
  • European Union (2022). Directive (EU) 2022/2555 (NIS2 Directive).
  • National Institute of Standards and Technology (NIST). Cybersecurity Framework.
  • Center for Internet Security (CIS). CIS Critical Security Controls (18 controls).
