Strategic Insights

Perspectives on governance, risk, and technology leadership.

Boards Should Ask this First

For years, the cybersecurity question at the board level, and often at the management level, was simply: are we secure? I've come to believe that's the wrong question to lead with. At minimum, it's an incomplete one.


Tech Risk is Business Risk

Twenty years ago, technology supported the business. Today, technology drives the business. This distinction matters for how boards govern.


The Difference Between a Plan and Readiness

A cyber incident response plan only becomes meaningful when it has been tested under pressure. For boards, the important question is what testing revealed and what changed as a result.


When Technology Risk Should Escalate

Most boards have a clear structure for financial reporting, audit findings, and regulatory matters. Technology risk often moves through a less defined path, leaving management to decide what rises to the board between regular reporting cycles.


What Tabletop Exercises Actually Teach Boards

Tabletop exercises test how governance works under pressure. They show who decides, who communicates, and whether the board knows when to engage or step back.


The Financial Risk Double Standard

Boards wouldn’t accept an unreviewed balance sheet. We wouldn’t tolerate undefined ownership of financial risk, or a review cadence that treats it as an annual event, regardless of what is happening in the business. Yet this standard is still common in technology governance.
