Board Governance - Bridging the Expertise Gap: When Technology Demands a Dedicated Board Committee
- Frank Wander
- Mar 20

In an increasingly digitized world, the strategic use of technology has become fundamental to sustained growth and business success. The NACD’s 2025 Governance Outlook contained a quote from a survey respondent who noted that “technology literacy is becoming as important as financial literacy.” I think this quote nicely sums up how important it is to have a tech savvy boardroom(1). In fact, my experience, and a steadily growing body of research, call for more board-level engagement in technology governance because there are real consequences for organizations when the board is not involved.
Technology has become pervasive, impactful, and mission critical. Boards miss out on big opportunities when they operate without members who have relevant technology experience. That is where intimate, deep experiential knowledge comes from; that is where an ability to understand an enterprise’s current state technology infrastructure comes from; and that is where powerful insights and questions come from. Confucius was right: “I hear, and I forget. I see, and I remember. I do, and I understand.” It is the “doing” that imparts the experience and deep knowledge required to oversee how effectively management is using technology to create business value.
Additionally, modern boards face expanded responsibilities that now encompass oversight over digital transformation, cybersecurity resilience, and an expanding array of technology-driven operational risks. However, when you review the research, you find that the majority of boards focus on security risks through the risk or audit committees. This creates a gap because technology fuels competitive advantage and is fundamental to both growth and survivability. Absent oversight over the strategic use of technology, a significant business risk is created.
It is important to note that by technology, we are not just talking about information technology (IT). There are many forms of technology advancing across industries, in biotech, energy, aerospace, and so forth. Boards have committees to address this which go by many different names: technology, technology and science, innovation and technology, to name a few. In this article, when we use technology, we are speaking about board oversight of technology generally.
Together, let’s examine why it is critical for boards to fully oversee the impact of technology on business, both the operational risks and the strategic growth opportunities.
Table of Contents
1. Digital Savviness – Competency Challenges in Technology Governance
2. Digital Transformation – Challenges
3. Best Board Governance Practices for Technology Oversight
4. Technology Oversight – Architecture Options
5. Governance Frameworks – How Good a Solution Are They?
6. Board Liability Considerations
7. Frequently Asked Questions
8. Conclusion
9. References
Key Takeaways
· We are well into the Digital Era. Technology experience gained leading technology transformations is a boardroom necessity.
· Research shows that boards are not digitally savvy enough, yet research also shows that companies with tech savvy boards perform better.
· Enterprises must digitally transform themselves to remain competitive. Yet, digital transformations fail or underperform at alarming rates.
· There are many governance frameworks for boards to choose from, yet reliance on them limits visibility.
· Technology oversight has many architectures.
· IT governance frameworks can be useful but are not a complete solution.
· Cyber Risk should be in the purview of the technology committee which feeds these risks into the audit committee, risk committee, or the full board, depending on the oversight architecture.
Digital Savviness - Competency Challenges in Technology Governance
Are boards digitally savvy enough? Do directors possess the necessary expertise to oversee and monitor their respective company’s use of technology? The available research data, and my experience, say this remains a risky gap, although the number of boards with technology committees is growing.
Technology is driving industry transformations at an increasing pace. Recent research underscores the critical evolution in corporate governance structures to address the growing complexity of technology oversight. However, the best data I can find shows a significant lack of technical competency at the board level.
The most extensive data I found was an MIT Sloan(2) study conducted by Weill et al. that measured digital savviness “by analyzing data from surveys, interviews, company communications, and the bios of 40,000 directors, extracting key words that signal exposure to digital ways of thinking and working.” Although from 2019, it revealed that only 24% of boards at companies with over $1B in revenue were digitally savvy. Most importantly, the data revealed that these companies performed better “on key metrics — such as revenue growth, return on assets, and market cap growth.”
Just what is a digitally savvy Board? Weill et al. defined it as a board with members who have “an understanding, developed through experience and education, of the impact that emerging technologies will have on businesses’ success over the next decade.”
To me, based on my experience, a digitally savvy board member has both the time and competence to evaluate what the technical experts at the company are sharing. They can interact with them on an equal footing. That is real oversight.
Confirming MIT’s findings, McKinsey’s research showed that 12% of Global Fortune 500 companies have a technology committee, and these “had operating margins 100–600 basis points higher than their peers that did not have tech committees.”(3) Clearly, technology oversight produces its own ROI. This is a high stakes performance gap that should be addressed on behalf of the shareholders.
Another study in Harvard Business Review from 2024 undertook an analysis of public Fortune 500 companies’ boards and found that the percent of boards with a technology committee had grown from 13% to 20% over the prior five years.(4) The trend is up, but a significant and very important gap remains.
Digital Transformation Challenges
Digital transformation has emerged as a critical imperative for organizations seeking to remain competitive in an increasingly technology-driven global economy. However, the journey toward digital maturity is laden with challenges, as evidenced by consistently high failure rates across industries.
77% of companies are using or exploring the use of AI in their business. As AI presses deeper into the enterprise, the importance of successful digital transformation is increasing. However, a 2022 global survey by McKinsey found that organizations only capture 31% of the expected digital transformation benefits.(5)
In alignment with this, data collected by Boston Consulting Group (BCG) showed that only 30% of digital transformations were successful.(6) Based on 895 survey respondents, 26% reported that they achieved less than 50% of the intended benefits with limited long term change; 44% reported that value had been created, but there was also limited long term change; finally, 30% met their financial targets and achieved sustainable long term change.
This is alarming data because a company’s inability to digitally transform its business model is a significant threat to survival. Therefore, boards need to have deeper oversight of the risk of technology execution failure. As a former Fortune 250 turnaround CIO, I researched IT project and program failure rates. Technology transformation initiatives have failed, or underperformed, at alarming rates dating all the way back to the 1960s. I wrote about this in my book Transforming IT Culture, published as part of Wiley’s CIO Series.
Best Board Governance Practices for Technology Oversight
There are best practices that strengthen board oversight of technology governance. Having a dedicated technology committee is a key mechanism. That committee can then devote the right amount of time, ask the right questions, probe and track the progress of strategic technology initiatives, and then update the full board as to their findings and recommendations.
New board members must devote adequate time as part of their onboarding to get fully up to speed. I found this process very useful when I onboarded as a cybersecurity board member. At the beginning of my tenure, I met extensively with the firm’s experts to fully understand their security environment, posture, practices and investments. Adequate time by both the board member and the firm’s experts must be dedicated to the onboarding process so the board member is fully up to speed.
Key practices include:
Establish Appropriate Mechanisms:
A strong mechanism is the creation of a dedicated board committee for technology governance. Such committees focus on technology strategy, major projects, and risks, and then report to the full board. Even when the full board is engaged on tech topics, many organizations find a formal tech committee valuable for deeper dives and for surfacing key metrics related to technology and cyber risk. Best practice is to clearly define the committee’s charter – outlining oversight of areas like IT strategy alignment, innovation, cybersecurity, and major technology investments.(3) Boards that choose not to have a separate committee must ensure IT governance responsibilities are explicitly handled (often within Audit or Risk Committees) so nothing falls through the cracks.
Integrate Technology into the Strategic Agenda: Boards should treat technology and digital strategy as a regular agenda item, not just an occasional or reactive topic. To make it a standing consideration, a technology strategy discussion should take place at the board level. Ideally, the board should schedule frequent reviews of technology initiatives (e.g. digital transformation progress, major IT investments) on a routine basis. This ensures technology decisions are aligned with business strategy under board guidance.
The board should also insist on management’s accountability to demonstrate technology results based on the strategic agenda. Strategic alignment with enterprise goals becomes visible when technology projects are prioritized by business value as well as the outcomes delivered. The measured outcomes establish the value realized by the initiative - the true bottom-line return on investment.
Board IT Expertise and Education:
Having directors with technology expertise is a best practice. Adding board members knowledgeable in technology or digital trends significantly improves oversight quality. This is second best to having a dedicated technology committee.
When hiring tech-savvy directors isn’t feasible, boards should seek external advisors or provide education on emerging tech trends. Regular board training sessions on topics like cybersecurity, data privacy, and digital innovation are an important way to keep directors informed and engaged.
Use a Mix of Oversight Mechanisms:
Effective technology governance oversight typically involves multiple complementary mechanisms.
Structural mechanisms include the previously mentioned committee.
Process mechanisms include understanding existing IT governance policies, approval processes for technology investments, and requiring management to provide dashboards or reports on technology performance and risks. Boards should define what information they need for informed technology governance oversight and mandate regular reporting on that information.
Relational mechanisms include fostering a strong partnership between board members and management on technology matters – e.g. informal interactions, site visits to technology teams, or board mentorship by tech executives.
Implementing a mix of these structures, processes, and relational practices enables more holistic and effective board-level technology governance.
Align Technology Governance and Risk Appetite: The board should oversee technology risk to ensure it is governed in alignment with the enterprise’s risk tolerance. That means the board can see whether technology risks (such as cybersecurity, system outages and disaster recovery) are managed within acceptable levels.
Moreover, boards should integrate IT risk oversight into their enterprise risk management. That means mapping cybersecurity and technology project risks into the enterprise risk registers reviewed by the board.
In my enterprise risk management experience, I have observed that the operational risks introduced by technology are often overlooked. These need to be elevated, captured, chronicled, and sized in the risk register, along with the other risks.
Lastly, if the risk register isn’t actively changing, then the enterprise culture is not truly risk aware. In risk aware cultures, new risks are always being uncovered, and old risks are nailed down and archived. The board must have visibility into the vibrancy of risk management.
Continuous Improvement and Assessment: Lastly, boards should periodically assess their own technology governance performance. Boards can use maturity models or governance scorecards to gauge how well the company’s technology governance is functioning. Conducting regular self-assessments or audits of technology governance processes is a best practice. This helps identify gaps – such as insufficient reporting or unclear decision rights – so that the board and management can address them.
Personally, I have found a SWOT approach very effective. This identifies what is going well, what needs improvement, what new practices (opportunities) can be leveraged, and threats. Under threats you would include emerging regulatory frameworks, poor information quality, emerging technologies, lack of awareness, or confusion over authority, and emerging legal challenges.
In summary, best practices center on making technology governance an ongoing, structured part of board responsibilities: dedicate the right people (expert directors or advisors), create oversight mechanisms (committees/board engagement), enforce robust processes (reporting and dashboards), and cultivate an informed, collaborative culture between the board and technology leadership. These practices collectively help the board to oversee technology such that it drives business value while controlling risks.
Technology Oversight - Architecture Options
Here are four predominant governance structures:
Oversight through the audit committee. This model is prevalent because boards integrated cybersecurity risk oversight into the audit committee’s purview. This architecture leaves the board mostly blind to the transformational aspects of technology, which is where sustained competitive advantage will emanate from.
Oversight through the full board.
Leaving technology oversight with the full board is ineffective because board agendas are packed with topics, leaving inadequate time to fully acquaint themselves with the strategy, ongoing performance, culture, risks and leadership of the technology organization. Moreover, absent the time, not many boards are digitally savvy enough to evaluate what the technology experts share with them.
Oversight through a dedicated technology committee.
This option is ideal because the right expertise, adequate time, and detailed attention can be dedicated to understanding how technology is performing and what strategic gaps and risks exist. The members can dive deeper and learn how key initiatives are unfolding, what is being achieved, and what is holding them back. Those performance risks can be brought to the attention of the full board and executive management so they can be addressed. By interacting with the technology leadership as a fellow traveler, they really get to know them, learn what they are capable of, and build a productive relationship. This is the ideal means for digitally savvy board members to have a positive impact on the performance of technology.
Oversight through an outside expert or temporary committee.
There are times when a company must make an unusually large strategic technology investment. In cases like this, the board may decide it needs external advisors to help oversee the risk and may even set up a temporary committee to keep a closer eye on the strategic initiative’s progress. I was part of just such an arrangement.
As a CIO, I was hired to turn around an IT organization and restart a large, multi-year initiative that had utterly failed after burning through the money. For the company, failure was not an option because its legacy business systems had to be replaced to ensure its future viability. I reported our strategy and progress to the full board at each board meeting.
However, as an insurance policy, the board hired an outside expert to oversee our progress. Three days prior to each board meeting, the outside expert met with us to review our progress based on the plan that had been approved. After I provided my update to the board, I would leave the board room, and the outside expert would provide his update and answer the board’s questions. Fortunately, our work unfolded as planned and after three years, we had delivered every stream of work on time and on budget.
Initially, I had some reservations about the expert oversight. I worried about the individual’s competence and ability to understand the changes we had to make as the portfolio of projects unfolded and we learned better ways to phase in the functionality. He turned out to be an excellent resource, and most importantly, was a good collaborator, not an adversary. This arrangement can work well. As always, it comes down to the quality of the talent.
This can be alternatively architected by setting up a temporary committee involving the outside expert, select board members, and members of management. What model is chosen depends on how involved the full board wants to be.
Governance Frameworks – How Good a Solution Are They?
Contemporary governance frameworks have gained traction, especially for IT; however, they are geared towards the responsibilities of management, not the board. Multiple IT governance frameworks have emerged as tools to guide management in establishing a comprehensive set of governance mechanisms and processes. But board oversight of technology goes beyond IT, so the board’s oversight must be based on the technology strategy and architecture particular to that enterprise.
Familiarity with frameworks can be helpful. However, in my experience, every company’s technology stack, history of investment, technology successes, failures, and challenges are unique. What matters is having the technology experts on the board who can dig in and understand the current state strategy, challenges, risks, investments and initiatives, and then track and monitor how management addresses these.
There are also several frameworks to help oversee cybersecurity risk. I think NIST is a very good one. A discussion of cyber risk frameworks will be handled in a separate article on board oversight of risks.
Board Liability Considerations
Caremark claims relate to “directors’ oversight responsibilities to monitor critical risks relating to a company’s operational viability, legal and regulatory compliance, and financial performance and reporting”.(7) Under Caremark, directors can have personal liability. However, to be liable, the directors must “utterly fail” to put into place a mechanism to monitor the critical risks, or they must “consciously fail” to use the mechanism. An example of this is deliberately disregarding “red flags”.(7)
Although a series of cyber liability suits have been brought since 2014, the Delaware Court of Chancery has stressed that “a Caremark claim is possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.”(8) The suits have all related to cybersecurity failures, not failures to oversee the strategic use of technology, which closely correlate with operational viability.
AI poses a new set of risks that will fall under the board’s purview. This is a rapidly evolving area speeding ahead because of the hundreds of billions of dollars being invested into it. This technology is disruptive, and as disruptive technologies get introduced, the question of a board’s fiduciary responsibilities arises with respect to a firm’s business operations and risk management. AI poses significant operational risks because of its algorithmic decision making, breadth of application, and the rapid pace of change. The regulation of AI is still emergent, but this is a key area to watch.
Getting back to Caremark, there have been many cases, but three are particularly noteworthy, and these all relate to cybersecurity.
Three shareholders filed a lawsuit against SolarWinds in 2021 following a significant security breach. It was alleged that the defendant directors “breached their fiduciary duties by utterly failing to monitor or oversee any aspect of the Company’s known mission critical cybersecurity risks.”(8) This case was dismissed by the Chancery Court in 2022.
This case evolved further when the SEC brought a lawsuit against SolarWinds in a very high-profile case that garnered a lot of attention. The SEC sued the company and CISO for inaccurate claims in their security statements. This case was dismissed by the Chancery Court in 2024.
Two large data breach cases have resulted in financial payments, Yahoo and Wendy’s.
In the Wendy’s Data Breach case, the parties reached a settlement in 2018. Wendy’s agreed to implement remedial measures and the firm’s insurer paid $950k in attorney’s fees, funded by the company’s D&O policy. Netting this out, “there would seem to be little here to provide significant incentives to other prospective claimants (and more importantly to their attorneys) to pursue these kinds of claims.”(9)
Yahoo was different. This was an egregious case of conscious disregard and resulted in the first ever monetary recovery in a cyber oversight case. The plaintiffs were awarded $29 million and the case included “allegations of conscious disregard and cover-up” by Yahoo’s board.(10) Even though this suit was successful, no subsequent cases have resulted in a monetary award, sustaining the known difficulty of successfully suing a board for inadequate oversight in Chancery court.
Frequently Asked Questions
What is the best oversight model?
There is no best model. This is an “it depends” question where the complexity and importance of the technology determine the answer. That said, I firmly believe that in a large, complex enterprise, the only way to adequately oversee technology is to have a separate technology committee with members who have both the competence and time to interact with the firm’s technology experts and evaluate what they are being told. Because of the changes AI is bringing, this becomes even more urgent.
Does cybersecurity fall under the oversight of the technology committee?
This is a design question. The answer is it depends on the board’s architecture. I spent seven years as the Cybersecurity representative on the board of a midsize insurance company and over two decades as a CIO with responsibility for IT Security. Based on my experience, although cybersecurity exists because of information technology vulnerabilities, these risks fall under both the technology and risk committees. The technology committee should have an expert member who can ask all the right questions to understand whether the cybersecurity risks have been remediated. All risks should roll into a consolidated risk register for review by the risk committee, or audit committee if there is no risk committee, or the full board if risks are overseen by them. Ultimately, the board itself decides on the architecture.
What are the risks if boards don’t modernize their governance?
As noted above, this is much less a legal risk than a business risk. Great boards add value. All the research shows that savvy boards help companies perform better. As the importance of technology continues to rise, so too will the importance of the technology committee.
Conclusion
Contemporary research demonstrates that effective technology governance requires boards to transcend traditional oversight roles, evolving into strategic partners capable of interrogating technical architectures and digital value propositions. While frameworks can be useful, and dedicated committee structures show promise, their effectiveness hinges on the expertise of the directors and robust performance data.
Future-proofing board governance demands a focus on technology oversight, especially because quantum computing, AI, and other emerging technologies will continue to reshape the competitive landscape.
References
1 National Association of Corporate Directors (NACD), “Directors Should Prepare to Address Five Board Dilemmas in 2025”, December 2024. [Online]. Available:
2 MIT Sloan Management Review, “It Pays to Have a Digitally Savvy Board”, March 2019. [Online]. Available: https://sloanreview.mit.edu/article/it-pays-to-have-a-digitally-savvy-board/
3 McKinsey Digital, “How Effective Boards Approach Technology Governance”, September 2022. [Online]. Available: https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/how-effective-boards-approach-technology-governance
4 Harvard Business Review, “Boards Need A New Approach to Technology”, September-October 2024. [Online]. Available: https://hbr.org/2024/09/boards-need-a-new-approach-to-technology
5 McKinsey Digital, “Three new mandates for capturing a digital transformation’s full value”, June 2022. [Online]. Available: https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/three-new-mandates-for-capturing-a-digital-transformations-full-value
6 Boston Consulting Group, “Flipping the Odds of Digital Transformation Success”, October 2020. [Online]. Available:
7 Harvard Law School Forum on Corporate Governance, “Chancery Court Addresses Board Responsibility Under Caremark for Cybersecurity Risk”, November 2022. [Online]. Available: https://corpgov.law.harvard.edu/2022/11/17/chancery-court-addresses-board-responsibility-under-caremark-for-cybersecurity-risk/
8 The D&O Diary, “Cybersecurity-Related Breach of the Duty of Oversight Claim Filed Against SolarWinds Board”, November 2021. [Online]. Available: https://www.dandodiary.com/2021/11/articles/shareholders-derivative-litigation/cybersecurity-related-breach-of-the-duty-of-oversight-claim-filed-against-solarwinds-board/
9 The D&O Diary, “Wendy’s Settles Data Breach-Related Derivative Lawsuit”, May 2018. [Online]. Available: https://www.dandodiary.com/2018/05/articles/director-and-officer-liability/wendys-settles-data-breach-related-derivative-lawsuit/#:~:text=Background
10 The D&O Diary, “Yahoo Data Breach-Related Derivative Suit Settled for $29 Million”, May 2018. [Online]. Available: https://www.dandodiary.com/2019/01/articles/cyber-liability/yahoo-data-breach-related-derivative-suit-settled-29-million/#:~:text=In%20July%202016%2C%20shortly%20after,Among%20other%20things%2C%20after