Stanton Chase
Chapter 4: The Resilient Board, From Governance Frameworks to Governance Behavior

June 2026

Summary:

In the AI era, cyber resilience is a board-level governance question rather than an IT one. Most large boards have already moved cyber oversight onto a board committee, put it on the agenda quarterly, and added a cybersecurity expert, yet structure alone does not make a board resilient. This chapter sets out what separates mature board oversight from box-ticking, offers a maturity model boards can place themselves against, and shows why board composition, leadership succession, and executive search now sit inside cyber resilience. The NIST Cybersecurity Framework 2.0, the SEC, and the EU’s NIS2 Directive all place cyber oversight squarely with the board.

Cyber resilience has become one of the clearest tests of how well a board governs, and meeting it depends far more on how directors lead than on the controls the organization buys. 

Across this series, the throughline has been simple. Cyber resilience belongs in the boardroom, beside the oversight of finance, compliance, and operational risk that directors have handled for decades, and regulators now treat it that way. In February 2024, NIST added a sixth function, governance, to its Cybersecurity Framework 2.0, placing it beside identifying, protecting, detecting, responding, and recovering. In the United States, the SEC’s disclosure rules require public companies to describe how their board oversees cyber risk, and in the European Union the NIS2 Directive requires a company’s management body to approve and oversee its cybersecurity risk measures. The NACD and Internet Security Alliance reach the same view from inside the boardroom, treating cyber risk as an enterprise-wide responsibility the board owns. Boards now accept that they are accountable. The open question is how well they govern. 

How Are Boards Governing Cyber Risk Now?

The headline numbers suggest the structure is largely in place. Across S&P 500 proxy disclosures, the Audit Committee Transparency Barometer from the Center for Audit Quality and Ideagen Audit Analytics reports that 65% of S&P 500 boards now disclose a cybersecurity expert, a five-point rise on the year before, and that 90% publish a skills matrix mapping expertise against need. An earlier edition found 64% of companies had placed cyber risk oversight on the audit committee. The machinery of oversight is mostly built. Whether it changes how a board behaves is the question that separates resilient boards from compliant ones. 

What Is the Difference Between Compliance and Resilience?

That gap between structure and behavior is the gap between compliance and resilience. Compliance asks whether an organization has put the required controls in place, while resilience asks whether it will keep operating once those controls are tested. Having the controls on paper is a different thing from keeping the business running when they fail in practice, which is why plenty of fully compliant organizations have still been badly hurt. Peer-reviewed research on major cyber breaches reaches the same conclusion, finding that a proactive approach built on anticipatory risk management and board-level oversight holds up better over time than a reactive, compliance-led one. For a board, the practical move is to spend less time signing off controls and more time working through consequences: which operations stop if a core system or a key supplier is unavailable for days, who decides to pay or not to pay, what is said to customers and regulators, and how long recovery actually takes.

How Should a Board Govern Cyber Risk in an Age of Continuous Change?

Quarterly reporting was built for a world where the main assumptions held for years. AI has pulled that pace forward, and a new exposure can open in weeks. None of this turns the board into an operational body, but it does call for a governance rhythm closer to the speed of the environment around it, with cyber and AI on the agenda well beyond an annual review, attention on what is forming next rather than only what already happened, a short loop between executives and directors, and judgment rehearsed through scenario work before a real event. Gartner’s 2026 outlook points the same way, putting AI oversight and clearer accountability for cyber risk at the center of how security programs are run. NIST’s AI Risk Management Framework builds the same accountability into how organizations manage AI itself. 

A Maturity Model for Board Cyber Oversight

Knowing the destination helps a board place itself honestly. The model below adapts the four tiers in the NIST Cybersecurity Framework, which run from Partial through Risk Informed and Repeatable to Adaptive, to the work a board does. Academic work on board oversight frames that work as a capability the board builds over time, holding decision control over direction while management handles operations. NIST is clear that the highest tier is not the right target for every organization, and that a board should match its tier to its own risk and obligations rather than always reaching for the top. A board can read down each row, mark where it honestly sits today, and decide where it needs to be given its risk and its sector. 

The value is in the conversation the model forces. A board that finds it sits at Tier 1 on scenario readiness but Tier 3 on structure has learned something a dashboard would never show it. 

What Board Composition Should Look Like in the AI Era

The data on cyber experts points to a deeper change in how boards are built. Boards have long balanced finance, governance, industry knowledge, legal expertise, and general management, and AI, digital ecosystems, and cyber risk now widen the range of expertise they need to cover. Not every director needs to be a technologist. What matters is that the board as a whole can grasp what a technology means for the organization, test the assumptions behind it, and ask informed questions, which it reaches through a mix of directors with digital transformation experience, cybersecurity and risk specialists, external advisory input, reverse mentoring, and continuing education. The aim is informed oversight rather than technical mastery. 

How Leadership and Succession Planning Build Cyber Resilience

Composition is one half of capability; succession is the other. Planning for an AI-driven world widens what boards look for in their next generation of leaders, adding digital literacy, the habit of thinking in systems, judgment when the facts are incomplete, comfort with ambiguity, the steadiness to hold an organization together through disruption, and a clear ethical compass to the commercial track record that has always mattered. This applies as much to board succession as to executive appointments. If a major AI-related cyber crisis arrived tomorrow, would the next generation of leaders be better equipped to handle it than the current one? The honest answer tends to shape leadership assessment, executive search, and succession planning for years, because the capability a crisis demands cannot be created on the day it arrives. 

How to Build a Culture of Responsible Resilience

Structure, capability, and rhythm still depend on culture to work. Resilient organizations tend to surface risk early instead of burying it, treat raising a concern as useful rather than disloyal, hold people accountable without tipping into blame, treat incidents as lessons rather than embarrassments, and welcome challenge from within. Policy cannot mandate any of this; it grows out of how leaders behave and what boards expect, which is why a board influences culture as much through the questions it asks and the behaviors it rewards as through any formal program. 

Five Questions Every Board Should Ask About Cyber Resilience

  1. Do we know which digital capabilities matter most to our future?
  2. Are AI and cyber resilience treated as board-level discussions, not technical updates?
  3. Can our leadership govern disruption and uncertainty?
  4. Does our board composition reflect a digital, AI-driven world?
  5. If a major cyber event hit tomorrow, could we lead through it?

What the Resilient Board of the Future Looks Like

The boards that come through best are usually the ones that govern well, adapt their leadership quickly, and keep learning as conditions change, which matters far more than owning the most advanced technology. The structures are increasingly in place across large companies. The work now is to make sure they change how the board behaves, not only what it discloses.  

In the AI era, resilience becomes a defining characteristic of leadership itself, and it is what lets an organization turn disruption into a source of lasting value instead of merely surviving it. 

About the Author

Jan-Bart Smits is a Managing Partner at Stanton Chase Amsterdam. He began his career in executive search in 1990. At Stanton Chase, he has held several leadership roles, including Chair of the Board, Global Sector Leader for Technology, and Global Sector Leader for Professional Services. He currently serves as Stanton Chase’s Global Subsector Leader for the Semiconductor industry. He holds an M.Sc. in Astrophysics from Leiden University in the Netherlands. 