Corix warns of board‑cyber misalignment
- CPO Magazine published an April 20 essay by PwC executives Tonya Ugoretz and Ray Garcia arguing that corporate boards and security teams still judge cyber readiness through different lenses.
- The authors said directors often see “green” dashboards and compliance updates while operators track recovery, resilience, and business continuity, creating a gap that can hide real exposure.
- The warning lands as boards shift from breach prevention toward resilience and recovery planning, with directors pressed to define what evidence of readiness should look like. (nacdonline.org)
Corporate boards and security teams are still talking past each other on cyber risk, according to an April 20 essay in CPO Magazine by PwC executives Tonya Ugoretz and Ray Garcia. (cpomagazine.com) Ugoretz and Garcia wrote that many boards have added cyber expertise and formal oversight, but still rely on reporting that does not show whether the business can actually withstand and recover from an attack. (cpomagazine.com)

Their argument is that oversight can look stronger on paper than it is in practice. A board may get favorable status updates while the security team is measuring harder questions like restoration speed, operational disruption, and resilience under stress. (cpomagazine.com)

That distinction has become more important as board conversations move beyond prevention. The National Association of Corporate Directors said in a January 26, 2026 piece that boards are shifting from reactive crisis management to sustained organizational readiness. (nacdonline.org) The same National Association of Corporate Directors article said a resilient company is one that can recover quickly from a cyberattack, information technology failure, or other disruption, with data restored to a known good point in time. (nacdonline.org)

Corix Partners has been making a similar case in its own board-level cyber writing. In a 2025 interview with founder JC Gaillard, the firm said boards can no longer treat cybersecurity as an information technology issue buried below the executive level. (corixpartners.com) Corix has also argued that the old language of cyber “risk appetite” is colliding with a “when-not-if” view of attacks, pushing boards toward execution and recovery rather than abstract tolerance debates. (corixpartners.com)

The practical fight is over what directors should ask to see. The National Association of Corporate Directors said boards need clear expectations for what management tracks, measures, and reports, instead of assuming a technical briefing equals readiness. (nacdonline.org)

Ugoretz and Garcia’s warning is narrower than a generic call for more board attention. It says the hidden risk is misalignment itself: one group is governing cyber as an enterprise resilience problem, while another is still being judged through narrower program metrics. (cpomagazine.com) That leaves boards with a harder question than whether a company has bought enough security tools. It is whether directors and operators are using the same definition of readiness before the next incident tests it. (cpomagazine.com)