Why Cyber Isn't Just A Risk Issue—It's A Strategic Execution Issue

Rob Sloan is VP of Cybersecurity Advocacy at Zscaler, where he helps organizations navigate cybersecurity risk and business resilience.

Boards increasingly say cybersecurity is strategic, but many still govern it mainly as a reporting and assurance topic. That mismatch matters more than ever.

Cyber risk no longer sits neatly inside IT or compliance. It shapes how confidently a company can adopt AI, scale digital operations, manage third-party dependencies, protect customer trust and recover from disruption. Cybersecurity now affects not just business protection, but business execution.

At Zscaler, we analyzed the most recent S&P 500 governance disclosures (10-K and proxy statements, along with committee charter documents, as of March 1, 2026) and found that 79% of those companies now assign primary cybersecurity oversight to an audit committee, up 8% from two years ago. At the same time, direct full-board oversight has fallen to 3.8% from 8.2%. Dedicated technology or cybersecurity committees remain relatively rare at 6.2% currently.

There's nothing inherently wrong with audit committees overseeing cyber risk, and many likely do it well. But the trend raises a bigger question: What happens when a risk that shapes strategic execution is handled primarily through a structure designed for controls, compliance and disclosure?

From Reporting To Decision Making

Too often, cyber is framed as a quarterly update rather than a board-level decision domain. Directors receive dashboards, maturity scores and policy summaries. Those have their place, but they aren't the same as governing the real business questions cyber now creates.

Those questions are more consequential than many board processes still assume. How would a major cyber event interrupt revenue? Which business functions would fail first? How dependent is the company on a small number of critical platforms, cloud providers or software suppliers? What trade-offs is management making between speed, cost and control as it rolls out AI across the enterprise? How quickly could the company recover?

Those are operational, financial and strategic concerns, not just security or technology issues.

This is where many boards still fall short. The issue isn't a lack of interest; it's that the conversation is often structured around information, not decisions. A board can leave a cyber briefing better informed and yet still be no better prepared to govern through a serious incident.

That's why the format of cyber communication matters so much. In previous writing on board briefings, I argued that the most effective 15-minute discussion a CIO or CISO can deliver is built around the few risks that matter most to the enterprise, a plausible disruption scenario, evidence of preparedness and a clear decision or trade-off requiring board attention. Too often, that time is still used for a technical download with metrics that don't always help directors govern. The point isn't to make directors more technical. It's to help them make better decisions about resilience, risk acceptance and business trade-offs.

The strongest boards are moving away from treating cyber as a self-contained compliance topic toward connecting it to AI adoption, transformation programs, concentration risk, resilience investments and risk appetite. They ask not only whether controls are improving, but whether the enterprise can continue operating under realistic stress. And they expect proof, not just assurance, through tabletop exercises, recovery drills and scenario-based reviews.

Boards with more mature cyber governance models also treat cyber incidents at peer companies as governance case studies, asking how similar failures could affect their own business model, operations or customer commitments.

Why AI Raises The Stakes

AI only increases the urgency. It's expanding companies' attack surfaces while also helping adversaries increase the speed, scale and sophistication of their operations. Frontier models are beginning to uncover new vulnerabilities in software and operating systems, while enterprise AI deployments introduce new governance challenges around data exposure, third-party access, model usage and agentic behavior. At the same time, employees are adopting AI-enabled tools and risking data exposure faster than most organizations can govern them.

For many boards, where cyber oversight sits may feel like settled business, but how cyber is governed isn't. The governance model should force the right conversations: whether it reflects how AI is changing both the threat landscape and the company's own risk surface, whether it surfaces trade-offs rather than updates and whether it keeps the full board engaged on the biggest decisions around resilience, risk acceptance and business dependency.

Cybersecurity is still about reducing risk, but it's also part of how strategy gets executed—or stalled. Boards that continue to treat it primarily as an oversight formality may find they're governing yesterday's problem while underpreparing for a faster, more AI-shaped era of disruption.