Processing Your Payment

Please do not leave this page until complete. This can take a few moments.

Updated: April 5, 2024

How to avoid having a board that's a weak link

Keri Pearlson, executive director of cybersecurity at MIT Sloan, and her colleague Jeffrey Proudfoot had an interesting and provocative article recently in the Wall Street Journal, "Are Boards the Weak Link?"

The article points out that many boards do not “have a single director with a cyber background or with formal cybersecurity training.” 

Their article continues on to present four very helpful suggested actions that range from offering board members cyber training to one-on-one consulting.

File photo
Guest columnist Ward Graffam was the founding chairman of the Maine International Trade Center and is former chairman and CEO of Unum UK.

Here are some other ideas about what companies can do to strengthen a board of directors. 


When looking at a prospective board member, companies need to hone in on the desired skills and qualifications.

Ideally, there is a well thought-out skills inventory not only for key employees but also for board members. There should be documentation of necessary abilities, which should help in the process of recruiting board members. 

Cybersecurity prep

Companies should have an effective education process for the board, including a cybersecurity training program.

Your board may already have a a disaster recovery program — such as one designed for an immediate switch to an offsite location because of a physical disaster, such as a fire in the computer operations area.

By the same logic, it makes sense to have a cybersecurity equipment-and-protocol plan to protect the essential operations of your business against hackers. 

Parallel systems

Companies want to make sure critical system functions can be easily duplicated. If needed, could those systems be secured, populated and serve as a type of parallel system — separated, firewalled and stored in an accessible location?

Much has been written about the difficulties experienced by a variety of businesses when their systems have been hacked and they have been forced to pay ransom to “unlock” the hack. There are multiple social engineering techniques that scammers can use to gain control over your computer systems and individual computers.

Your organization should have someone knowledgeable enough about the variety of tools used by hackers to provide education and guidance to the appropriate employees, management decision makers and to your board.  

Without some cyber training, members of your board could unwittingly provide access to a part or all of your systems while they are logging into and on your company’s network.

One of the best ways to prevent such an unintentional error is to populate your board with at least one member who has computer security training. Provide incoming board members with a required short course on cybersecurity.

Another process that may be helpful to the board is to engage the services of a so called “white hat” hacker. That person would be an experienced IT hacking professional who has worked with a wide variety of systems and protocols at other companies in your industry.

To test the system, a white-hat hacker could be assigned to hack into an existing board members correspondence (with the prior knowledge of the individual and the board chair). 

The results would then be disclosed to the “hacked” board member — and to the rest of the board, if the hacked member agreed. 

Sign up for Enews

Related Content


Order a PDF