AI is forcing boards to rethink how they govern security

Boards are spending more time on cybersecurity but still struggle to show how investments improve business performance. The focus has shifted from whether to fund protection to how to measure its return and ensure it supports growth.

AI, automation, and edge technologies are reshaping operations, and directors now deal with faster, more complex risks that demand oversight. A report from Google Cloud’s Office of the CISO outlines how boards can adapt by strengthening governance in three areas: AI, cyber risk strategy, and edge security.

Figure: Agentic AI early adopters report greater security improvements from GenAI (Source: Google Cloud)

AI governance moves into the boardroom

AI has moved beyond predictive models into "agentic" systems that execute tasks and make decisions with a degree of autonomy, with humans supervising outcomes rather than directing each step. This evolution creates both opportunity and exposure. Boards are being asked to guide how organizations adopt these systems responsibly while still realizing business value.

88% of organizations that deployed agentic AI for security use cases reported a positive ROI. They also saw gains such as an 85% improvement in threat identification and a 65% reduction in time to resolution. These results help justify investment in AI governance frameworks and formal oversight from the board.

78% of companies with defined C-level sponsorship for AI initiatives report ROI, underscoring the need for leadership and accountability to scale AI responsibly.

Directors should formalize AI oversight, ensure data privacy and security remain central to all deployments, and confirm that early successes can be repeated across the enterprise.

Cyber risk as a business strategy

Boards are being called to move beyond a compliance mindset and see cybersecurity as a source of business value. CISOs should present performance in financial and operational terms that show how protection supports growth, rather than only in technical metrics such as patch counts or alert volumes.

The aim is to show how cyber programs reduce risk and protect revenue. Security investments should be discussed in the same language as other major business risks, such as financial or supply chain exposure.

Boards can help management by reviewing three areas:

  • Risk accountability: Ensure that business unit leaders accept ownership of the security risks tied to their operations.
  • Program health: Track metrics that connect security controls to outcomes such as uptime or fraud reduction.
  • Resilience: Confirm that the organization can recover and adapt quickly after an incident.

Reframing oversight in these terms allows boards to allocate capital more strategically and assess whether investments are reducing enterprise risk.

Balancing innovation and risk

Boards should make sure innovation moves forward with the right guardrails. That means asking management how new tools, especially AI and automation, are deployed and secured.

Discussions should center on how technology choices support business goals rather than compliance checklists. Directors also need visibility into how the organization measures control maturity and tracks weaknesses before expanding new systems.

Oversight depends on trust between the board and the CISO. When that relationship works, boards can make faster, better-informed decisions about which innovations are worth the risk.

The perimeter under pressure

Attackers continue to exploit routers, VPN concentrators, firewalls, and email gateways to gain initial access to networks. Endpoint detection and response (EDR) agents generally cannot be installed on these appliances, so an intrusion there is invisible to the tooling that covers servers and workstations. That blind spot makes edge devices attractive targets for both criminal and state-backed actors.

Google Cloud's Mandiant unit found that roughly one-third of breaches over the past three years began with exploitation of a vulnerability in public-facing infrastructure. Zero-day exploitation is also rising. Campaigns such as the BRICKSTORM espionage operation, linked to China-based groups, show how attackers use previously unknown vulnerabilities in edge devices to gain a foothold and then move into the internal network.

Boards should view proactive defense as cost avoidance, not just an IT expense. Three priorities stand out:

  • Prioritize patching: Guide vulnerability management with threat intelligence, patching first what is under active exploitation and reachable from the internet rather than only what carries the highest severity score.
  • Enhance detection: Support stronger logging and monitoring, including logs exported from the edge devices themselves, to spot intrusions once attackers move beyond the perimeter.
  • Harden critical assets: Ensure that high-value systems, such as virtualization environments, are segmented and protected so that a compromised edge device cannot reach them directly.
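The first priority above is easy to state and easy to get wrong in practice, because most scanners sort findings by CVSS base score alone. The following Python snippet is an added illustration, not code from the report or from Google Cloud: it ranks a constructed set of findings by active exploitation and internet exposure first and score second, and contrasts that with score-only ordering. The asset names, the placeholder CVE strings, the "known exploited" feed, and the per-tier remediation deadlines are all assumptions made up for this example.

```python
"""Threat-intelligence-driven patch prioritization (added example).

Sorts vulnerability findings so that internet-facing systems with flaws under
active exploitation are fixed before merely high-scoring ones. The inventory,
the exploited-CVE feed (in the shape of a CISA KEV-style catalogue) and the
SLA day counts are constructed sample data, not real findings or policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    asset: str             # hostname or appliance name (constructed)
    kind: str              # e.g. "vpn", "firewall", "mail-gateway"
    cve: str               # placeholder identifier, not a real advisory
    cvss: float            # base score as reported by the scanner
    internet_facing: bool  # reachable from the public internet


# Constructed sample findings; CVE-0000-* values are placeholders.
FINDINGS = [
    Finding("vpn-edge-01", "vpn", "CVE-0000-0001", 7.2, True),
    Finding("fw-dc-02", "firewall", "CVE-0000-0002", 9.8, True),
    Finding("mail-gw-01", "mail-gateway", "CVE-0000-0003", 8.1, True),
    Finding("hr-laptop-17", "workstation", "CVE-0000-0004", 9.9, False),
    Finding("esxi-core-01", "hypervisor", "CVE-0000-0005", 6.5, False),
]

# Constructed "known exploited" feed: the CVEs intelligence says are in use.
ACTIVELY_EXPLOITED = {"CVE-0000-0001", "CVE-0000-0005"}

# Assumed remediation deadline per tier, in days. Not from the report.
SLA_DAYS = {0: 2, 1: 7, 2: 30, 3: 90}


def cvss_only_order(findings):
    """Score-only ordering, the default in many scanner dashboards."""
    return [f.asset for f in sorted(findings, key=lambda f: -f.cvss)]


def tier(f, exploited):
    """0: exploited and internet-facing, 1: exploited, 2: internet-facing,
    3: everything else. Exploitation outranks exposure outranks score."""
    if f.cve in exploited:
        return 0 if f.internet_facing else 1
    return 2 if f.internet_facing else 3


def prioritize(findings, exploited, today):
    """Rank findings by (tier, CVSS desc, asset) and attach a due date."""
    ranked = sorted(findings, key=lambda f: (tier(f, exploited), -f.cvss, f.asset))
    return [
        {
            "asset": f.asset,
            "cve": f.cve,
            "tier": tier(f, exploited),
            "due": today + timedelta(days=SLA_DAYS[tier(f, exploited)]),
        }
        for f in ranked
    ]


if __name__ == "__main__":
    print("CVSS only :", cvss_only_order(FINDINGS))
    for row in prioritize(FINDINGS, ACTIVELY_EXPLOITED, date(2025, 3, 5)):
        print(f"tier {row['tier']}  due {row['due']}  {row['asset']}  {row['cve']}")
```

With the sample data, score-only ordering puts the two actively exploited findings last; the intelligence-driven ordering moves them to the top and gives the internet-facing VPN appliance the shortest deadline. A real deployment would replace the constructed feed with the organization's threat intelligence subscription and the inventory with scanner export.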
