Rethinking Cyber Oversight: From Hype to Ethical Leadership

By Chuck Gallagher – Business Ethics Keynote Speaker | AI Speaker and Author

The Disconnect That Matters

Harvard Business Review’s recent piece argues that many corporate boards overestimate their cybersecurity readiness and underplay the board’s own strategic role. In a survey of 151 executives, 71% believed their cyber funding was sufficient or strong, yet only 39% described their board’s “understanding of cybersecurity opportunities and risks” as proactive. Even more telling: just 31% saw their companies as innovators or early adopters in cyber preparedness (Harvard Business Review).

This isn’t a funding shortfall—it’s a leadership gap. As someone who emphasizes the human dimension of cybersecurity, I see this as the fault line where technical investment meets ethical accountability.

Why Boards Must Go Beyond Budgeting

1. Governance Is Not Glorified Delegation

Too often, boards view cybersecurity as a technical issue to be delegated to CISOs and IT experts. But breaches are organizational—and ethical—crises that demand governance-level oversight. Cyber budgets don’t build trust; board engagement does.

Although 71% say funding is adequate, the same respondents acknowledge that board-level understanding is more common than deep, strategic oversight. Effective governance requires actively shaping priorities—not just approving them.

2. Proactive Oversight Requires Specificity

Describing cybersecurity readiness as “proactive” is much different from being a proactive board member. That distinction shows up starkly: only a third of respondents see their organizations as innovation leaders—a figure that signals caution, not confidence.

Leading on cyber isn’t about having a plan—it’s about knowing what questions to ask, when to ask them, and whom to hold accountable.

3. Cybersecurity as a Continuous Ethical Imperative

Cyber resilience isn’t static—it evolves constantly. Boards can’t treat cybersecurity as a check-box. The article and related research emphasize a shift from “protection” to resilience—planning for recovery, adaptation, and ethical incident response. That requires human-centered scenarios, table-top exercises, and ethical clarity.

Aligning Board Oversight with Ethical Leadership

Having spoken about ethics and cybersecurity extensively, I can’t stress enough that technology decisions are moral decisions. Here’s how boards should transform from passive sponsors to active ethical stewards:

1. Redefine Board Metrics

Ask for dashboards tied to impact, not just completion. Encourage CISO updates that translate technical exposure into business and ethical terms: “What’s keeping you up at night?” and “How quickly can we return to trusted operations if compromised?” These aren’t IT questions—they’re governance ones.

2. Mandate Scenario-Based Accountability

Boards should require regular tabletop exercises connecting cyber failures to governance escalation. When scenarios unfold without clear escalation or responsibility, it reveals a system that prioritizes optics over outcomes. Ethical readiness is born in the messy rehearsal room—not in sanitized reports.

3. Demand Triaged Expertise

Board compositions should include individuals trained to ask critical questions about cyber risk. Whether through standing committees or rotating seats, governance bodies must reflect specializations that span law, ethics, technology, and business.

The data shows that boards struggle with meaningful cyber conversations. Equipping them with experts and diverse perspectives enables robust oversight and moral clarity.

4. Bridge Tech and Trust

Cyber incidents erode trust—but communication deficits erode it faster. Boards must insist on transparent disclosure policies that inform and guide stakeholders—without sensationalism. Ethical leadership demands telling the truth swiftly, responsibly, and consistently before a crisis dictates terms.

The Human-Ethics Edge

Throughout my speaking engagements, I emphasize: breaches are symptoms—people make them possible. Teams misconfigure security tools, fail to push updates, and ignore phishing alerts. Boards must be equipped not only with financial oversight, but with empathetic visibility into these behaviors—and the ethical frameworks that guide responses.

An ethical approach treats cyber strategy as more than risk mitigation. It’s about stewarding trust—customer trust, employee trust, investor trust. The choices boards make in cybersecurity shape reputation in silence and in crisis.

Action Framework: Board-Level Cyber Ethical Maturity

Priority | Description | Actionable Steps
Resilience at the Core | Cyber readiness isn’t just a firewall; it’s recovery and moral clarity under pressure | Require evidence of incident response, recovery timelines, and ethical communication protocols
Board Expertise | Generic board composition falls short; real skill matters | Recruit or upskill board members in cyber and tech risk
C-Suite Accountability | CISOs need authority—not just visibility | Embed cybersecurity as a performance metric; align incentives with vigilance
Human Scenario Planning | Prepare for worst-case tech failures—and ethical failures | Conduct regular tabletop exercises with real stakeholders and real moral dilemmas
Transparent Governance | Trust is fragile—stakeholders deserve honesty | Develop public disclosure frameworks tied to SEC rules and ethical standards

Final Thoughts

The HBR article is timely—and necessary. But its core revelation isn’t technical—it’s moral. In today’s digital landscape, board engagement in cybersecurity isn’t optional. It’s a fiduciary and ethical imperative.

Boards that fail to ask the hard questions leave their organizations vulnerable—not just to breaches, but to breakdowns in trust, reputation, and responsibility. It’s time for boards to move from passive monitors to purposeful ethical leaders in cybersecurity—a shift that safeguards not just systems, but society’s trust in them.
