Designing Cyber Governance: Board Structures and Practices for Effective Oversight

Since the adoption of NIS2, which introduces potential personal liability for individual board members, we’ve observed a growing awareness among boards of the need to address cybersecurity more structurally—as a core governance responsibility.

At the same time, many organisations are asking the same fundamental question:

How should we organise for cybersecurity governance at board level?

To help provide guidance, we’re pleased to share the article below, developed within the Cyber Sounding Board at Guberna, which our CEO Alex Driesen has the privilege of chairing.

The article outlines key considerations and practical recommendations for boards looking to strengthen their oversight of cybersecurity—not just to meet regulatory expectations, but to build long-term digital resilience.

Six Governance Models for Cybersecurity Oversight

1. Fully integrated
   Description: Cybersecurity is embedded into every board-level decision. Strategic plans, M&A, and risk reviews explicitly address cyber.
   Best fit: Digital-native or digitally mature companies with high board literacy on cyber; organisations for whom cyber is a strategic differentiator.

2. Dedicated committee
   Description: A board-level cybersecurity or technology risk committee oversees all cyber matters.
   Best fit: Large, complex, or regulated firms; companies with prior breach experience.

3. Audit/Risk committee extension
   Description: Cyber risk is formally included in the audit or risk committee's remit. Often supported by regular CISO briefings.
   Best fit: Mid-sized companies or those starting formal cyber governance.

4. Distributed governance
   Description: Different aspects of cyber (e.g. compliance, HR, innovation, data ethics, ...) are assigned to different committees.
   Best fit: Boards with a strong governance culture and multiple specialist committees.

5. Cyber champion model
   Description: One director is designated to lead on cybersecurity and acts as liaison with the CISO and/or external experts.
   Best fit: Smaller boards or organisations with limited resources.

6. Minimalist/reactive
   Description: No formal oversight; cyber is addressed only during crises or audits.
   Best fit: Increasingly unacceptable. Transitional at best, negligent at worst.

Choosing the Right Model

  • Boards often begin with model 3 or 5, as a proactive step out of model 6.
  • Larger or regulated companies evolve toward models 1 or 2.
  • Models 4 and 1 work best where cybersecurity cuts across multiple board themes. In model 4, watch out for silos and make sure the separate strands are reintegrated into a single view of cyber risk.

Six Plug-Ins to Strengthen Oversight

a. Board cyber training
   Description: Structured learning sessions for directors on cybersecurity threats, regulation, and trends.
   Use case: All boards; especially important in early stages of maturity and when imposed by regulation.

b. Expert briefings (ad hoc)
   Description: External experts update the board on the threat landscape or review major incidents.
   Use case: Enhances situational awareness and the board's ability to challenge management.

c. Standing advisor or cyber council
   Description: Ongoing access to independent experts who support board or committee work.
   Use case: Ideal for boards without internal cyber expertise.

d. CISO–board engagement
   Description: Regular, direct reporting from the CISO to the board or designated committee.
   Use case: Essential for translating operational risk into strategic insight.

e. Board-executive taskforce
   Description: Time-bound group of directors and senior leaders working on a specific cyber initiative (e.g., post-breach reform).
   Use case: Agile response to high-stakes issues.

f. Simulations and tabletop exercises
   Description: Structured crisis scenarios that exercise the board (or rather the executive team, with board oversight) in crisis response and decision-making.[1]
   Use case: Useful annually, or pre-emptively in high-risk sectors.

How Plug-Ins Interact with Models

  • Plug-ins boost board capacity without altering structure.
  • For example, model 3 (Audit/Risk) plus plug-ins a, d, and f can be highly effective.
  • Model 1 (Fully integrated) typically uses plug-ins a through e.
  • Boards with limited structure should start with training (a) and championing CISO access (d).

Summary Recommendation

Boards should:

  • Select a base governance model aligned with company context.
  • Deploy plug-ins to build expertise, engagement, and responsiveness.
  • Review structure annually as threats, expectations, and maturity evolve.

Cyber governance is a matter of structure, not just awareness. By choosing and supporting the right model, boards can move from passive oversight to proactive leadership. As a director, you have an opportunity to put the topic on the agenda and use your reflections to move the board beyond Model 6.

More on the Cyber Sounding Board at Guberna can be found here.

References

  • INSEAD (2022). Designing Sustainability Governance
  • ecoDa (2020-2024). Cyber-Risk Oversight Handbook
  • European Union (2023). Directive (EU) 2022/2555 (NIS2 Directive)
  • National Institute of Standards and Technology (NIST). Cybersecurity Framework
  • Center for Internet Security (CIS). Top 18 Controls
