The Corporate Director Podcast
Episode: Strengthening Cyber Oversight
Date: October 1, 2025
Host: Diligent — Dottie Schindlinger & Megan Day
Guest: Katie Hall, Director at PwC’s Governance Insights Center
Overview
This episode, released during Cybersecurity Awareness Month, focuses on the evolving landscape of cyber oversight in corporate governance. Hosts Dottie Schindlinger and Megan Day discuss current cyber risks, recent incidents, and best practices for board directors. The centerpiece is an in-depth interview with Katie Hall of PwC, offering pragmatic advice for boards navigating growing expectations around cyber risk, reporting, boardroom expertise, and cross-functional approaches.
Key Discussion Points & Insights
1. The Persisting Threat of Ransomware and Human Error
- Hosts reflect on recent cyber incidents, notably the ransomware attack on Collins Aerospace/RTX, disrupting flights across Europe, and a prolonged breach at Jaguar Land Rover (JLR) that shut down factories worldwide.
- Dottie: “We all know ransomware tends to start when someone clicks on an infected attachment in an email. That’s the most common pathway… humans are still the weakest part of the cybersecurity infrastructure.” [02:19]
- Debate around the risks of outsourcing cybersecurity without adequate oversight.
2. Cybersecurity as Integral to Board Risk Management
- Megan: “It has to be just naturally integrated into every conversation… another dimension of risk management in everything you’re discussing around the board.” [04:48]
3. Interview with Katie Hall (PwC): Effective Board-Level Cyber Oversight
a. What Works in Cybersecurity Reporting?
- Decision-Useful Information over “data dumps.”
- Katie: “Boards need decision useful information. Not just a data dump of metrics… The board’s responsibility is to ask the CISO: ‘What’s important to you?’” [09:04]
- Importance of tailored reporting, regular reassessment, and linking metrics to business unit-level risk.
- Use of frameworks like NIST CSF 2.0 for benchmarking.
b. Director-Level Cyber Expertise on Boards
- Boards grapple with whether to include directors with deep cyber expertise.
- Katie: “It depends on your company’s risk profile and industry… But even if you do have a cyber expert, the board as a whole has a duty to understand the topics overseen.” [11:10]
- Emphasis on continuous upskilling: education via CISOs, third-party advisors, conferences, certifications.
c. Cyber Incident Readiness & Response
- Widespread adoption of tabletop exercises: 81% of directors participate (annual PwC survey) [13:55].
- But: “Plenty of other actions are needed: understanding critical systems, communication plans, what if key processes are disrupted… and materiality evaluation for disclosure.” [14:18]
d. The Next Wave of Cyber Risk
- AI and third-party risk dominate future threat conversations.
- Katie: “Third party continues to be top of mind… Not just who your third parties are, but how are they using your data? How are they using AI with your data?” [16:14]
- Boards should ask: “What are we not talking about? What’s not showing up on the risk radar?” [17:03]
e. Concrete Steps for Strengthening Oversight
- Education/Upskilling: “Getting that education is going to be a big piece of it.” [17:38]
- Board–CISO Relationship: “Are you meeting with your CISO outside regular meetings? You want to be able to pick up the phone and ask your CISO anything.” [18:13]
f. Cross-Functional Cyber Readiness
- Cyber is not just IT—it’s legal, audit, procurement, business units.
- Katie: “Ask business unit leaders: How are you thinking about cyber risk in your lines of business, with vendors… procurement due diligence, etc.” [20:24]
g. Final Thoughts
- Progress has been made, but “it’s a constantly changing game… stay diligent and stay curious.” [21:37]
4. Quickfire: Getting to Know Katie Hall
- Biggest Change in Boardrooms in 10 Years? “Technology.” [22:24]
- Recent Governance Inspiration? “Watched Wall Street for the first time—so many governance lessons with hindsight!” [22:55]
- Current Passion Project? “Working on sustainable funding for my local library as a trustee.” [23:53]
Notable Quotes
Dottie:
- “Humans are still the weakest part of the cybersecurity infrastructure.” [02:27]
- “You can't take your eye off this ball. Sadly, you cannot.” [04:32]
Megan:
- “It has to be just naturally integrated into every conversation. That's the only way you're really able to get your arms around it.” [04:48]
- “It just continues… to bring up questions about nimbleness and responsiveness and the need for flexibility and adaptivity across organizations… That starts at the board level.” [25:21]
Katie Hall:
- “Boards need decision useful information. Not just a data dump of metrics...” [09:04]
- “Even if you do [add a cyber expert], the board has a fiduciary duty to understand the topics they're overseeing… So there’s a fundamental question of how are we upskilling?” [11:29]
- “Education upskilling... getting that education is going to be a big piece of it.” [17:38]
- “You want to have that direct line [to your CISO] that is not just limited to your quarterly in-person meetings. Relationships and education.” [18:23]
- “Cyber is not just an IT issue… It is a cross-functional risk and responsibility to manage.” [19:37]
- “We've made great strides in the director community… but it’s a constantly changing game… stay diligent and stay curious.” [21:37]
Timestamps for Key Segments
- Ransomware Realities & Human Error: 01:02–04:32
- Cyber Risk as Part of Board Discussions: 04:48–05:06
- Introduction to Katie Hall: 05:33–06:04
- Cyber Reporting: What Works: 07:11–10:26
- Director-Level Expertise & Upskilling: 10:47–13:21
- Incident Readiness and Tabletop Exercises: 13:48–15:18
- What’s Next: AI, Third-Party, and Supply Chain Risks: 15:44–17:13
- Concrete Board Steps: 17:13–19:15
- Cyber as Cross-Functional Risk: 19:37–21:24
- Quickfire Q&A with Katie Hall: 22:15–23:53
- Reflections & Day-to-Day Vulnerabilities: 26:01–29:00
Memorable Moments
- The story of a social influencer being phished with a fake podcast invitation illustrates just how sophisticated and subtle attacks have become—even outside the corporate world. [27:39–29:00]
- Dottie’s practical tip: “...I pretty much don’t download or click on anything until I have validated that it was sent by the person who said they sent it... it pays to be a little paranoid.” [29:00–29:51]
Takeaways for Board Directors
- Cyber risk is dynamic, ubiquitous, and cannot be outsourced entirely.
- Effective oversight requires continuous education, thoughtful metrics, and robust CISO-board relationships.
- Cross-functional engagement is critical: Finance, legal, procurement, and business units must all play a part.
- Stay curious, stay aware—progress is being made but vigilance is ongoing.
For more resources and certification programs on cyber risk and strategy, see: www.diligent.com/resources
