Cyber security consultant Joseph Steinberg: why boards must oversee, not manage, cyber risk 


Boards face an increasingly urgent question: how should they engage with cybersecurity risk when it represents the single largest threat to most organizations? The answer, according to Joseph Steinberg, lies in understanding a critical distinction that many boards miss entirely. “Every company really needs somebody on their board today who understands how to oversee the management of cyber risk,” Steinberg explains, “but, while there are many people who know how to manage cyber risk far fewer know how to oversee the management of cyber risk.” 

This distinction between management and oversight defines the fundamental difference between boards that provide effective governance and those that inadvertently undermine their CISOs while creating dangerous gaps in organizational security. 

The Critical Difference Between Cyber Security Consultancy and Board Oversight 

Many players within the cybersecurity consulting industry have conditioned boards to think about cyber risk through the wrong lens. Traditional cyber security consultancy focuses on helping CISOs implement defenses: acquiring, deploying, and configuring security controls, building incident response capabilities, and managing day-to-day security operations. These tasks are components of management—the active work of defending systems and data. Board oversight, by contrast, ensures that CISOs are doing their jobs effectively without the board attempting to do those jobs themselves. 

“The difference is whether you’re actively doing it or making sure someone’s doing it the right way,” Steinberg clarifies. This mirrors how boards approach every other major business function. “It’s the same way that boards don’t manage accounting; they make sure that the CFO is doing a proper job managing the accounting,” he explains. “It’s not my job to run the company if I’m on the board. The company’s CEO runs it.”

Yet cybersecurity frequently breaks this pattern. “In many cases, companies don’t have that expertise on their boards,” Steinberg observes. “Either because they don’t have it at all or they’ve brought in people who don’t really understand how to do it. They’re doing management of cyber risk, not oversight of that management.” This confusion stems partly from how boards recruit cybersecurity expertise. Companies often add someone with technical and hands-on management credentials—a former CISO or security consultant—expecting that technical knowledge and related management experience will easily translate to effective governance. It rarely does.

Steinberg, author of the “Official (ISC)2 Guide to the CISSP-ISSMP CBK”—an official textbook for chief information security officers—occupies a unique position to address this challenge. He knows what CISOs should be doing because he wrote the book on it. More importantly, he understands what boards should be overseeing because he’s served on both sides of that relationship throughout his career. 

The irony is that what cyber consultants focus on—countermeasure configuration, vulnerability management, security architecture, incident response procedures, etc.—is precisely what boards don’t need to understand in detail. Boards need governance frameworks instead. Steinberg’s teaching experience at Columbia University illustrates this perfectly. He teaches people studying to be C-suite executives—CEOs, CIOs, and CTOs—about cyber risk management: executives learning how to ask strategic questions, not technical specialists learning system hardening.

How Boards Fail at Cyber Governance By Trying to Do the CISO’s Job 

The most common failure pattern in board cyber governance follows a predictable trajectory. Boards review security reports detailing department performance on social engineering simulations, patch management, compliance metrics, or individual incident details. These operational reports may be interesting, but focusing on them gives boards the illusion of proper engagement while distracting them from actual governance questions.

In actuality, effective board cyber oversight requires asking the right strategic questions rather than reviewing technical details. Steinberg’s framework, for example, focuses boards on governance-level inquiries: Is your risk appetite appropriate for your business model? Does management have adequate resources to appropriately and adequately manage cyber risk? Are you asking the right questions to verify effective execution? Do you understand your exposure in business terms that you can govern? Are you fulfilling your fiduciary duties regarding cyber oversight? 

Traditional cyber security consulting service firms either manage operations or sell specific technical implementations: penetration testing, security architecture reviews, compliance audits, incident response planning, and the like. Steinberg’s board advisory begins somewhere completely different—with clarifying whether you’re seeking management help or oversight help. “The chief information security officer needs to make sure that they manage cyber risk—transferring unacceptable risks via insurance or other agreements, and terminating or treating other risks with technical controls—all of which are done to ensure that only a tolerable level of risk remains,” Steinberg explains.

The board’s role differs fundamentally. Boards verify that management is executing effectively, ensure that acceptable levels of risk are taken on, and hold executives accountable. When boards confuse these roles, they end up micromanaging technical decisions while failing to provide strategic oversight. 

The fiduciary implications are significant. Boards have a duty to oversee cyber risk as “the biggest risk to most companies.” Failing to distinguish oversight from management may constitute a governance failure, particularly when breaches occur that proper oversight might have prevented. 

Steinberg’s observation captures the problem precisely: boards get distracted by things with which they do not need to be involved and miss things in which they do, creating governance gaps while appearing busy and engaged. This micromanagement trap prevents boards from asking the strategic questions that actually determine whether an organization’s approach to cyber risk is sound.

Steinberg’s multiple perspectives reinforce this observation. He has served as the head of security for other organizations, and has built products and deployed them all over the world. He has served as an expert witness on dozens of cybersecurity-related cases. He’s seen what works and what fails from every angle: as implementer, advisor, board member, and expert witness.

His credentials demonstrate the breadth needed for this strategic perspective. Steinberg holds a suite of advanced information security certifications: CISSP, ISSAP, ISSMP, and CSSLP. This combination of technical depth and governance breadth enables him to translate between technical operations and strategic oversight.

Steinberg himself is selective about board positions, evaluating opportunities based on geography, cultural fit, ability to contribute value, mission alignment, and whether companies are contributing to human society. This selectivity mirrors his approach to expert witness cases—he only accepts engagements where he believes he is on the right side of justice and can add genuine value. 

The ultimate value proposition for boards is straightforward: they don’t need to become technical experts in cybersecurity. They need frameworks for asking the right strategic questions and evaluating whether their CISOs are performing effectively. Steinberg provides those frameworks based on having been both the implementer building security programs and the advisor helping boards govern them. Boards that understand the distinction between oversight and management can fulfill their fiduciary duties regarding cyber risk without attempting to do the CISO’s job.
