Your Board Is Spending More on Cybersecurity. It's Getting Worse at It.

Harvard Business Review published a piece in April titled "Boards Are Falling Short on Cybersecurity." The authors — Jeffrey Proudfoot of Bentley University and Stuart Madnick of MIT — asked a question that should make every board director uncomfortable: as boards become more focused on cybersecurity, are they paradoxically getting worse at governing it?

The data says yes. The FBI's 2024 crime report showed cybercrime losses increasing 33% year over year. More than 600 million cyberattacks are tracked each day. Losses are projected to approach $20 trillion annually in the coming years. Boards are spending more, paying more attention, and losing ground.

Three Reasons Boards Are Failing

The HBR authors identified three factors driving the problem.

First, boards lack cybersecurity expertise. This isn't new, but it's getting worse as threats evolve faster than board composition does. Most directors can evaluate a financial statement. Very few can evaluate a vulnerability scan or an incident response plan.

Second, board-level conversations about AI are ignoring security entirely. AI is the hottest topic in every boardroom right now, but the discussion is almost always about competitive advantage — how do we use it, how fast can we deploy it. The security implications of deploying AI tools, or of AI-powered attacks targeting the organization, rarely make it into the same conversation.

Third — and this one matters most — boards are mistaking regulatory compliance for security. You can check every compliance box and still be wide open. Compliance tells an auditor you followed a process. It doesn't tell you whether that process actually stops an attacker.

I wrote about this distinction at length in Cyber Risk Is Business Risk because it's the single most expensive misunderstanding in corporate cybersecurity. The companies that get breached aren't usually the ones that ignored security. They're the ones who believed their compliance program was their security program.

What "Getting Worse" Looks Like in Practice

Hasbro discovered hackers in its systems in late March 2026. Weeks later, the 103-year-old company was still largely offline — website unavailable, unable to serve customers. They were forced to delay their SEC financial filings. As of mid-May, Hasbro reported the hackers were no longer in their systems and recovery was underway, but the financial costs are expected to be substantial.

Aflac had data from nearly 22.7 million customers, beneficiaries, employees, and agents stolen in June. The company said it stopped unauthorized access "within hours" of discovery — but not before the attackers took documents containing insurance claims, Social Security numbers, and health details. Hours. That's how fast 22.7 million records disappear.

These aren't small companies with no security budget. These are large, publicly traded organizations with compliance programs, audit committees, and cybersecurity line items in their budgets. The compliance boxes were checked. The breaches happened anyway.

The NACD Is Trying to Help — Are Boards Listening?

The National Association of Corporate Directors released the fifth edition of its Director's Handbook on Cyber-Risk Oversight this year, with a foreword from CISA. The handbook provides six oversight principles and fifteen boardroom tools covering ransomware preparedness, quantum computing risks, cybersecurity reporting metrics, and third-party risk oversight.

It's a solid resource. The question is whether directors are reading it or treating it the way they treat most governance documents — downloading it, filing it, and moving on to the next agenda item.

The NACD handbook argues that boards need to incentivize a culture where managing cyber risk is treated as fundamental governance, with CISOs fully empowered and resourced to drive decisions. CISA's own guidance says the same thing: cyber risk needs to be owned at the board level, not delegated to a committee that meets quarterly.

What Actually Needs to Change

Stop asking "are we compliant?" and start asking "are we secure?" Those are different questions with different answers. Compliance is a snapshot of whether you followed a set of prescribed controls at a point in time. Security is a continuous assessment of whether those controls actually reduce your exposure to the threats you face right now.

Get specific about what your board is actually measuring. The NACD handbook includes board-level cybersecurity metrics designed to help directors evaluate organizational performance and benchmark against industry practices. If your board's cybersecurity reporting is still red-yellow-green dashboards with no decision points attached, you're measuring activity, not risk.

Connect the AI conversation to the security conversation. The next board meeting that discusses an AI initiative without a corresponding security assessment is a meeting that just created unmanaged risk. The White House issued an executive order on June 2 directing agencies to deploy AI-powered cyber defenses and establishing security frameworks for frontier AI — if the federal government thinks these two topics belong together, your board should too.

The HBR piece ends with a finding that should land hard: year over year, the cybersecurity situation keeps getting worse. More spending, more attention, more board engagement — and worse outcomes. That's not a resource problem. That's a governance problem. And governance problems get fixed in the boardroom, not the server room.