90% of Board Directors Lack Confidence in Cybersecurity Value

Gartner survey finds 90% of non-executive directors lack confidence in cybersecurity value, highlighting a critical communication gap between security leaders and boards.


Gartner Survey Reveals Critical Confidence Gap in Cybersecurity Governance

A startling new survey from Gartner, the global research and advisory firm, has revealed that 90% of non-executive directors (NEDs) lack a measure of confidence in the value delivered by cybersecurity investments. The 2026 Gartner Board of Directors Survey, conducted among 330 board members across North America, Latin America, Europe, and Asia/Pacific, paints a concerning picture of how corporate leadership perceives cybersecurity initiatives.

The Communication Breakdown Between Boards and Security Leaders

Only 10% of NEDs expressed strong confidence that their organizations have achieved the right balance between protection and cost in cybersecurity. This staggering statistic highlights a fundamental disconnect between how cybersecurity leaders communicate value and how boards understand it. 'Boards often struggle to connect cybersecurity investments to real business outcomes,' said Kristin Moyer, Distinguished VP Analyst at Gartner. 'Dashboards and compliance updates can confuse rather than reassure, leaving NEDs uncertain about whether their organization is truly more secure.'

The survey identifies a group of successful 'sense-maker' CIOs and CISOs who have managed to bridge this gap. These leaders translate complex cybersecurity concepts into tangible business value, focusing on how security initiatives impact revenue, costs, and shareholder value. They provide transparency on actual exposure levels and readiness for specific threats, moving beyond general cyberthreat trends to empower NEDs with actionable information.

Cybersecurity in Context: Geopolitical and AI Priorities

Interestingly, while cybersecurity confidence remains low, boards are grappling with broader external threats. Seventy percent of NEDs identified geopolitical instability and international conflict as the most significant external threats to shareholder value in the next 12 months. Only one in three NEDs viewed cyber-risks as a top external threat, suggesting that cybersecurity may be getting overshadowed by other concerns.

Perhaps most telling is the board's perspective on artificial intelligence. 'The majority of NEDs not only believe that technology investment is a key strategy in dealing with volatility, but they also believe that the majority of those investments should be in AI,' said Tina Nunno, Managing VP at Gartner. AI was ranked as the number one investment (57% of respondents) expected to have a positive impact on shareholder value in the next two years, ahead of investing in new products and services (56%) and M&A (45%).

Technology as Both Risk and Solution

The survey reveals a fascinating duality in how boards view technology. While technology disruption is seen as an emerging risk area to shareholder value—particularly AI's disruptive potential—it's also viewed as an essential lever for navigating volatility. Sixty-three percent of NEDs said investment in technology and innovation is the best way to counter today's global volatility.

This creates a complex landscape for cybersecurity leaders. 'Virtually all NEDs have experienced a cybersecurity breach either as executive leaders or during their tenure as board members,' noted Nunno. 'New security regulations have placed this topic front-and-center on board agendas. At the same time, AI is causing significant business disruption—and has gained considerable attention from boards.'

The Path Forward: Translating Security into Business Value

The confidence gap identified by Gartner presents both a challenge and an opportunity. The 71% of boards who want their enterprises to take more technology risk are actively encouraging CEOs and executive teams to demonstrate they have an AI strategy and are moving quickly enough. This creates an opening for cybersecurity leaders to position security as an enabler of innovation rather than just a cost center.

Successful organizations will need to develop new communication strategies that connect cybersecurity investments to measurable business outcomes. This means moving beyond technical metrics and compliance reports to demonstrate how security initiatives protect revenue streams, enable new business models, and build customer trust. As cybersecurity threats continue to evolve, the ability to articulate security's strategic value will become increasingly critical for securing board-level support and resources.
