Why Boards Must Oversee, Not Manage, Cyber Risk
Publish Date: 2026-02-12 13:37:00
Source Domain: nypost.com
New York Post newsroom and editorial staff were not involved in the creation of this content.
Boards face an increasingly urgent question: how should they engage with cybersecurity risk when it represents the single largest threat to most organizations? The answer, according to Joseph Steinberg, lies in understanding a critical distinction that many boards miss entirely. “Every company really needs somebody on their board today who understands how to oversee the management of cyber risk,” Steinberg explains, “but, while there are many people who know how to manage cyber risk, far fewer know how to oversee the management of cyber risk.”
This distinction between management and oversight defines the fundamental difference between boards that provide effective governance and those that inadvertently undermine their CISOs while creating dangerous gaps in organizational security.
The Critical Difference Between Cyber Security Consultancy and Board Oversight
Many players within the cybersecurity consulting industry have conditioned boards to think about cyber risk through the wrong lens. Traditional cyber security consultancy focuses on helping CISOs implement defenses: acquiring, deploying, and configuring security controls, building incident response capabilities, and managing day-to-day security operations. These tasks are components of management—the active work of defending systems and data. Board oversight, by contrast, ensures that CISOs are doing their jobs effectively without the board attempting to do those jobs themselves.
“The difference is whether you’re actively doing it or making sure someone’s doing it the right way,” Steinberg clarifies. This mirrors how boards approach every other major business function. “It’s the same way that boards don’t manage accounting; they make sure that the CFO is doing a proper job managing the accounting,” he explains. “It’s not my job to run the…