3. Boards must focus on risk, reputation, and business continuity.

Sound cybersecurity practices and risk management are a differentiator for many non-regulated companies and are table stakes for highly regulated organizations. Enterprise customers are demanding and driving the conversation around cybersecurity.

They are demanding to understand how their vendors could potentially impact their customers and their

What does a security leader want from a security program?

• The Board must meet regularly with the security leader formally and informally. Security programs are extremely nuanced, and board members (maybe not all of them, but at least the head of whatever sub-committee oversees technology and information risk) must take the time for confidential