I’ve watched a pattern over the years. When some boards feel nervous about cybersecurity, they lean in. They ask for more detail, more meetings, more involvement. It feels like diligence.
But it’s not.
The closer the board moves to the controls, the more management steps back. Ownership blurs. People start waiting to be rescued, instead of running their program.
Stronger oversight somehow creates weaker execution.

I used to do this myself, but then I’m lucky – I’m the auditor who spoke directly to boards. I’m the business owner whom the FFIEC made retire.
And I learned that the best boards do the opposite of “strong oversight.”
- They establish the culture by attending the awareness training.
- They set expectations.
- They define risk appetite.
- They revere independent testing.
- Most importantly, they install awareness tripwires through clear reporting.
The board’s role works the same way.
The goal isn’t to manage the details. It’s to make sure the details are managed.
Because awareness is 9/11s of the battle.

Original article by Dan Hadaway, CRISC, CISA, CISM, Founder and Information Architect, infotex.
“Dan’s New Leaf” – a fun blog to inspire thought in IT Governance.