The DOMINO Guide:
The Definitive Boardroom Guide
on Digital, Cybersecurity and
Systemic Risk Governance
About Digital Directors Network
About DOMINO And This Guide
CEO Letter
Executive Summary
The Value Of Digital, Cybersecurity And Systemic Cyber Risk Governance
The Systemic Power Behind DOMINO’s Puzzle
The Standards And A Regulatory First, New Frameworks And Leading Practices
The System of Digital And Cybersecurity Governance: Skills, Structure, Scope
The Scope Of The Oversight System: Opportunity, Cybersecurity And Systemic Risk
Next Steps: Strengthening The Board To Optimize The Digital Business System
APPENDICES
Bob Zukis
CEO, Digital Directors Network
2025
IN THE APPENDICES:
— DDN Key Policy Positions
— SEC Disclosure Cheat Sheet
— Who Is FOR vs. AGAINST Director Cyber Expertise
— DOMINO 24 Peer Thought Leadership
Copyright © 2024 DDN Press
DDN LLC
The DOMINO Guide: The Definitive Boardroom Guide on Digital, Cybersecurity and Systemic Risk
Governance:
No part of this publication may be reproduced, distributed, or transmitted in any form or by any
means, including photocopying, recording, or other electronic or mechanical methods, without the
prior written permission of the publisher, except in the case of brief quotations embodied in critical
reviews and certain other non-commercial uses permitted by copyright law.
www.digitaldirectors.network
ISBN: 978-1-7350430-3-6 (Paperback)
The author makes no representations or warranties with respect to the accuracy or completeness
of the contents of this work and specifically disclaims all warranties, including without limitation
warranties of fitness for a particular purpose. Under no circumstances shall any of the information
provided herein be construed as legal advice of any kind.
Requests for permission or print bulk discounts should be directed to info@digitaldirectors.network
Suggested reference: Zukis, Bob. “The DOMINO Guide: The Definitive Boardroom Guide on
Digital, Cybersecurity and Systemic Risk Governance,” DDN Press, Manhattan Beach, 2024
About Digital Directors Network
Digital Directors Network (DDN) is the premier
boardroom network of IT and cybersecurity
executives, corporate directors and organizations
working together to shape and secure the digital
future. Together we are advancing the practice and
profession of digital, cybersecurity and systemic risk
governance. DDN was founded in 2017 and its
members represent many of the world’s leading
corporate directors and executives working on
both sides of the boardroom table to solve these
challenges.
About DOMINO And This Guide
This edition of The DOMINO Guide reflects the knowledge created and shared
at DOMINO 24, the leading boardroom executive learning event focused on
advancing the practice and profession of digital, cybersecurity and systemic
risk governance. The DOMINO Guide is a reference and implementation guide that
reflects the steps and leading practices that any board can take to strengthen
their role in how the complex digital business system creates and sustains
business value.
DOMINO 24 was held at The University of Chicago Booth School of Business in
Chicago, IL. This executive learning experience convened policy leaders, corporate
directors, digital and cybersecurity executive leaders and experts to network,
teach and learn about solutions that strengthen the role of the board in shaping
and securing the digital future.
A combination of business school caliber classroom-based lectures, peer learning
exchanges, and deep interactive masterclasses led by subject-matter experts, corporate
directors, and industry leaders, DOMINO 24 was focused on advancing solutions that
develop digital and cybersecurity governance as a high-performing part of boardrooms
around the world to strengthen the board’s role in the digital business system.
DOMINO 24 provided practical and actionable insight and instruction to continue to
build upon the pioneering work of Digital Directors Network and its membership.
Executive leadership from SolarWinds provided
the opening keynote at DOMINO 24 to set the
tone and share what they have learned from a
major cybersecurity incident that woke the world
up to the threat of systemic cyber risk along with
the emerging forces of government scrutiny and
accountability.
The U.S. Cybersecurity and Infrastructure
Security Agency (CISA) Executive Assistant
Director for Infrastructure Security Dr. David
Mussington presented and answered questions
on the work being done at the senior-most levels
of the U.S. government to secure complex digital
systems against the growing unpredictability of
worldwide threats.
Other policy leaders, executives and directors
from Target, Delta Airlines, PNC Bank, Barnes
Group, WD-40, Kraft Heinz, EY, Dominion Energy,
Campbell’s, United Airlines, and many other leading
companies enriched the DOMINO 24 executive
learning experience with their perspectives and
insights.
Enriching the overall learning experience were
DOMINO 24’s learning partners who shared
their deep insights through a masterclass
series and peer learning exchanges focused
on solutions to the challenges of digital and
cybersecurity oversight. They included White
& Case, EY, Veracode, Proofpoint, X-Analytics,
Kudelski Security, Corporate Board Member,
CYVERSITY, Equilar, and Hitch Partners.
Four conference attendees were recognized for
their contributions to the practice based upon
their thought leadership submissions to the
DOMINO 24 Call For Papers. Submitted papers
were peer reviewed and four were selected for
their contributions to the body of practical
knowledge on digital, cybersecurity and systemic
risk oversight. Their papers are included in the
Appendix.
Pre-event participants also attended the widely
acclaimed DDN QTE 501 Boardroom Readiness
Masterclass for IT and Cybersecurity Executives. All
attendees enjoyed opportunities to network
including our Veteran’s and Women’s leadership
breakfasts, an evening reception, dinner and an
entertaining display of complex systems of a
different kind.
DOMINO 24 was CPD Certified as an executive
learning event and attendees earned 13 hours of
CPD credit. Participants who attended the QTE 501
Boardroom Masterclass for IT and Cybersecurity
Executives on May 14, 2024 earned another 13
hours of CPD.
DOMINO: Solving the Digital, Cybersecurity
and Systemic Risk Governance Puzzle
The digital world is all around us. The digital future will be
what we make it — or what we allow it to become if it remains
ungoverned.
The corporate boardroom has a vital role to play in shaping and
securing the digital future and our mission at DDN is to make sure
that every corporate board is a high-performing part of their
company’s digital journey. Together with our members, this is
the problem that we are solving — and we know that solving it
drives significant business value — and we know how to solve it.
But the digital future is stumbling forward as it is being tripped up
by old, new and different types of risks. Boardroom leadership
and capability on these issues is often lacking which creates
weakness throughout the system. This weakness impairs the
economic growth, output and resiliency of businesses and
economies around the world.
DOMINO 24 was focused on accelerating and
scaling the solutions that are helping boardroom
and executive leaders strengthen directorship and
the role of the board in shaping and securing the
digital future.
While boardroom awareness of digital innovation,
cybersecurity and systemic risk is as high as
it ever has been, the strength of the
boardroom as a control is far weaker than it
needs to be.
The advent of artificial intelligence (AI), high
profile cybersecurity incidents and new
regulations from the U.S. Securities and Exchange
Commission and in the EU have delivered many
different wake-up calls. But not enough is being
done, fast enough, to strengthen the critical
capabilities needed from boardroom leadership.
Remarkably, there are also some organizations
working against common sense board reform on
these issues, making our job collectively harder but
the job of the hackers easier.
The cybersecurity failings of the corporate
boardroom were recently on full display during
the largest cybersecurity incident in American
healthcare history at UnitedHealth Group (NYSE:
UNH). During Congressional testimony from the
UNH CEO, U.S. Senator Ron Wyden attributed
this cybersecurity failure to a lack of boardroom
leadership, pointing to the fact that there is no
director cybersecurity expertise on the UNH board.
Directors with cyber expertise address one
key part of solving this puzzle, but much more is
needed.
DOMINO’s world-class learning experience helps
corporate directors and executives rise to this
digital leadership moment to learn how to lead
their companies safely and securely into the digital
future. Focused on governing digital value creation
and protection, the good news is there are many
corporate directors, digital and cybersecurity
executives already leading in the boardroom on
these issues. And evidence shows that when
corporate directors lead on these issues,
positive business impacts follow.
In a highly connected world, risks are distributed across complex and interdependent digital ecosystems and
companies. But the lack of a collective security model or leadership mindset means that one company’s risk or
failure can often be a problem for many companies, e.g., CrowdStrike.
And too much is at stake for the corporate boardroom to not be leading on these issues. At DDN and
DOMINO we are creating a collective understanding and mindset in the boardroom and building the
capabilities so that every boardroom can fulfill its leadership role and obligations in the digital world.
Thank you to the DDN Members who attended DOMINO 24, our speakers, content partners, our
boardroom certified Qualified Technology Experts (QTEs) and the other leaders who are stepping up to
this challenge and leadership moment. The digital future needs you and will be in better hands because of
you.
A special thank you to the DDN Advisory Board comprised of Andrew Chrostowski, Tony Cole, Fay Feeney
and Jerry Nowicki for their advice, counsel and support.
The DOMINO Guide is produced from the knowledge created and shared at DOMINO 24, the leading
boardroom and executive learning event on digital and cybersecurity governance. It is both a
reference guide and implementation guide and we encourage you to share it with your leadership
team and entire board.
As the definitive voice on these issues, DDN’s members and our DOMINO 24 attendees are collectively
building the practice and profession of digital, cybersecurity and systemic risk governance — making
directorship a high-performing part of the system leading companies successfully and safely into the
digital future.
Thank you for being with us on this journey.
Bob Zukis
DDN Founder and CEO
bob@digitaldirectors.network
Executive Summary
Evidence shows that effective digital, cybersecurity and systemic risk governance creates and protects
business value. Empirical evidence proves that significant positive business impacts and tangible business
results are created when there is a high-performing corporate board in place with the expertise to capably
govern the digital upside and protect against the downside. Negative impacts follow when this is absent.
Voluntary and mandatory standards are developing. Voluntary and mandated standards from regulators
that are specific to the role of the board in governing digital business systems are maturing and emerging.
Regulatory coercion is forcing the adoption of specific boardroom policies, processes and procedures that are
strengthening the role of directorship in the digital business system. Leading practices standards continue to
develop and mature.
Self-regulated board transformation remains the best path forward. The leading edge of digital and
cybersecurity governance is now being self-regulated into place. The number of boards and corporate
directors who are transforming one or more aspects of their governance systems continues to grow. While
self-regulation is slower than forced government mandate, these boardroom leaders recognize their
responsibility to shareholders and stakeholders and are taking action. Regulatory mandate also tends to lag
the reality of market risks.
Digital risk is rapidly changing, expanding, and is not sufficiently understood. New risks continue to
emerge as a result of new technologies and the growing complexities of the complex digital business systems
that power companies. Corporate directors are learning about these weaknesses the hard way — because of
incidents at their company or high-profile companies like UnitedHealth Group and CrowdStrike. Technologies
like AI are creating new risks, and the understanding, identification and mitigation of systemic cyber risks like
the CrowdStrike incident is nascent and not keeping up. More large scale incidents are guaranteed.
Solutions exist, they are just not widely understood or distributed. We know how to fix the problem as it
is well understood by DDN and the leaders who are at the forefront of implementing processes that have been
proven to work to drive and protect business value. However, more leaders on both sides of the boardroom
table need to be proactive and willing agents of change and the pace needs to accelerate. Individual leadership
initiatives are slow and new stakeholders need to step up, including institutional investors and the corporate
leaders in IT and cybersecurity who have an ethical and moral responsibility to fix the problems that their
innovations have created, starting with strengthening boardroom leadership over these technologies.
created, but a business opportunity if they do.
The Value of Digital, Cybersecurity
And Systemic Risk Governance
Albert Einstein famously said that if he had
an hour to solve a problem, he’d spend 55
minutes thinking about the problem and 5
minutes thinking about the solution. The truth of
his statement reflects the reality that in order to
solve a problem, you first have to understand it.
Over the last eight years, DDN has worked
exclusively to understand the role of the
boardroom in shaping and securing the digital
future and the importance of strengthening
directorship as a control in optimizing the
potential of the digital future. Together with our
corporate, executive and boardroom members
we know how to solve this problem and what’s
at stake when we do, and don’t.
Based upon a growing body of evidence, we
know that strengthening the boardroom works
to create and protect the vast amounts of
business value derived from complex digital
business systems. That value drives economic
output and growth, i.e., revenue and profitability
and many different corporate value propositions.
And strengthening corporate governance
strengthens the whole digital business system to
create a resilient system that delivers and protects
investor and stakeholder interests.
The debate is also over on these benefits, but
denial is not. Boardroom leadership drives
significant positive business impacts, the
evidence supports this. The lack of boardroom
leadership does the opposite and the proof makes
almost daily headlines.
Our mission at DDN and DOMINO is to scale,
distribute and continue to advance these
solutions. By strengthening the boardroom as
a control in the complex digital business system
we enable boardroom leaders and management
teams to stop being literal hostages to their digital
business systems. Whether being held captive by
ransomware, a malicious attack, or even human
error, our mission is to set them free so that they
can focus on navigating their companies safely and
securely into the digital future.
Empirical evidence and research from MIT shows
that effective digital and cybersecurity governance
creates significant positive business impacts.
These benefits include higher revenue growth,
profitability, return on assets, and market
capitalization. The business impacts their research
identified when boards have a critical mass of true
digital capabilities and expertise included:
• 38% higher revenue growth.
• 34% higher market capitalization growth.
• 34% higher return on assets.
• 17% higher profit margins.
Their conclusion is that boardroom leadership
delivered by corporate directors with digital
expertise drives material business results.
Research from Virginia Tech during the SEC’s
comment period for their proposed cybersecurity
disclosure rules also gathered evidence of the
positive impact to cybersecurity risk when there
is director cybersecurity expertise on the board,
and the negative impacts when it is lacking. These
impacts included:
• Lack of director cybersecurity expertise
leads to superficial check-the-box oversight.
• Boards without cybersecurity expertise
rely too heavily on the CISO which can
create a circular oversight environment
that lacks independence or even encourages
CISOs to water-down problematic issues.
• Director cybersecurity expertise can
strengthen the effectiveness of the CISO
with the full board and the C-suite.
• The presence of director cybersecurity
expertise enables directors to provide
proactive, value-added oversight of
cybersecurity risk that would not be
possible without it.
The conclusion is that boardroom leadership
delivered by corporate directors with cybersecurity
expertise creates and protects business value by
reducing cybersecurity and systemic risk.
Whether creating business value or protecting it,
the evidence shows the positive business impacts
that effective digital and cybersecurity governance
provides while reinforcing the board’s central role
as a control in the digital business system. From
digital value creation to cybersecurity risk mitigation,
this research along with DDN’s observations and the
experiences of our DDN members also support these
findings.
Boardroom leadership matters. Strengthening the
boardroom as a leadership control in the complex
digital business system strengthens all controls
— that is its superpower. Strengthening the
boardroom strengthens the entire control system. It
is the most powerful leverage point available to drive
digital innovation and cybersecurity resilience. It is
also a superpower that is readily available to every
board and a high ROI solution that can be efficiently
and quickly implemented.
At DDN, together with our members, we know how to
solve this puzzle. Read on to learn how you can too.