Assessing cybersecurity expertise on S&P 500 boards

November 16, 2023

This post is a guest-authored commentary piece discussing the findings of the Diligent Institute and NightDragon report, State of Cyber Awareness in the Boardroom. This is the second blog in a series of global commentary pieces analyzing how the results on boardroom cyber awareness compare to other regions of the world.

In a recently published study of cybersecurity and technology expertise on S&P 500 boards, only 12% of S&P 500 companies had a cyber expert on the board, and only 31% had any board member with technology expertise. The study was undertaken by NightDragon and Diligent Institute and reviewed the S&P 500 organizations, their boards of directors and the directors’ backgrounds. The report and results were endorsed by ISC2, NYSE, Glass Lewis, Moody’s, and Spencer Stuart.

Just as financial literacy is considered an important qualification for board members, in 2023 cybersecurity and technology expertise is rapidly becoming a need-to-have on corporate boards. Today’s companies are not only technology driven, they are also increasingly under attack from cybercriminals. Corporations have an obligation to shareholders to mitigate risk to their organization, and managing cybersecurity risks is an important and essential part of corporate governance. 

The report findings suggest insufficient cybersecurity and technology proficiency in S&P 500 company boards

The larger the company, the larger the target for cyberattack. This month, MGM Resorts, an S&P 500 company listed on the NYSE, was the victim of a cyberattack that significantly affected its online business operations, including hotel booking and gaming. The MGM Resorts portfolio includes over 31 hotels and gaming destinations, including the Bellagio, MGM Grand and Mandalay Bay in Las Vegas. It took the company 10 days to get services back online. While the attack is still under investigation, early reports point to social engineering being used to impersonate an employee and gain access to the administration of online services. The costs of the attack to MGM Resorts are significant and still being assessed; however, the losses have been estimated in the range of $80 million.

Looking at the MGM Resorts Board of Directors, the 11-member board is dominated by accomplished business executives; however, none appear to be technology or cybersecurity experts. Given the recent cyberattack, adding cybersecurity and technology expertise to the board should be a priority not only for MGM Resorts, but also for the other 70% of the S&P 500 companies that currently lack board members with this expertise.

There is some encouraging news from Spencer Stuart, who have seen an increase in the number of nominating/governance committee chairs seeking cyber expertise. In their 2023 survey, 19% of respondents (up from 8% in 2022) indicated they are seeking cyber expertise, and 60% of respondents identified cybersecurity as a topic beneficial for director development. 

Boards looking to augment their tech and cybersecurity expertise need to find board candidates who have a strong grasp of cybersecurity and technology combined with business and financial acumen. While CISOs are cyber experts, they also need business expertise to take a board seat. C-suite executives from cybersecurity companies broaden the pool of board candidates and offer a strong combination of cybersecurity and business expertise. While it is beneficial for all board members to have a basic level of training in cybersecurity, given the sophistication of cybercrime it is important for boards to add board members with direct cybersecurity and technology experience. strongly supports the results of this new report by Diligent and NightDragon and the need to add cybersecurity and technology expertise at the Board level. Firstboard is a collective of highly accomplished female technology leaders, many with relevant cyber security expertise, who are ready to serve on corporate boards.

We encourage any company looking to add cybersecurity and technology expertise to their board to reach out to +1 415-851-3446,
