A Leadership Framework to Help Executives Address the Challenge of Cybersecurity Governance
Summary
This article examines how business leaders manage cybersecurity governance (the policies and processes that control how organizations handle security) by interviewing 31 financial sector executives. It identifies three main challenges: unclear responsibility and decision-making authority, misalignment between overall strategy and day-to-day security operations, and confusion about roles and expectations. The authors propose a CROA framework (cybersecurity responsibility, ownership and accountability) along with seven recommendations and a self-assessment tool to help executives strengthen organizational resilience (an organization's ability to withstand and recover from security incidents).
Classification
Original source: https://aisel.aisnet.org/misqe/vol25/iss2/6
First tracked: June 8, 2026 at 02:00 AM