NACD Principle One: Treat Cybersecurity as a Strategic Risk

As the organization pursues growth through new products, digital transformation, and acquisitions, cyber risk increasingly originates from externally acquired technologies rather than internally developed systems. The integration of third‑party, acquired, or licensed technologies introduces material exposure to security weaknesses, regulatory non‑compliance, and operational disruption that may not be fully visible at the time of investment or transaction execution (National Association of Corporate Directors [NACD], 2026; Arts et al., 2025). 

Reframing “Technology Investment” as Predominantly a Buy-and-Integrate Cyber Risk 

NACD Principle One correctly elevates cybersecurity to a strategic risk. Still, it implicitly overweights a build-centric model of technology investment that does not reflect how most organizations actually innovate at scale (National Association of Corporate Directors [NACD], 2026). In practice, new products and growth initiatives most often depend on acquired, licensed, or externally developed technologies rather than greenfield engineering, which places cybersecurity risk primarily in integration, dependency, and governance rather than in invention. 

The Strategic Fallacy: New Products ≠ Greenfield Technology Builds 

Principle One frames technology as a “fundamental driver of business model success” and highlights board expectations that growth will be pursued through technology investments (NACD, 2026). However, the Handbook’s narrative implicitly assumes that technology investments are internally conceived and developed, with cybersecurity risk emerging primarily from in‑house design, implementation, and protection decisions. 

This assumption is misaligned with how modern enterprises actually deliver new capabilities: 

  • New products frequently rely on commercial software platforms, cloud services, AI models, industrial automation systems, or embedded third-party components, rather than proprietary technology stacks. 

  • Even when innovation is strategic, organizations increasingly buy maturity, speed, and market validation, rather than build from first principles. 

As a result, the dominant cyber risk is not whether internally built systems are “properly protected,” but whether externally sourced technologies can be securely absorbed, governed, and operated at enterprise scale. 

Empirical Evidence: Technology Strategy Is Primarily Acquisition-Driven 

The research literature directly contradicts a build‑first mental model. Arts, Cassiman, and Hou (2025) demonstrate that: 

  • Acquiring technology is the most important strategic driver of M&A activity, surpassing financial engineering or pure market expansion motives. 

  • Firms routinely acquire technology not because they lack R&D capability, but because externally developed technologies are more mature, differentiated, and market-tested than internal alternatives. 

  • Even highly R&D-intensive firms rely on acquisitions to obtain unique and production-ready capabilities, rather than incur the time, uncertainty, and execution risk of building them internally. 

This mirrors boardroom reality: speed-to-value, ecosystem compatibility, and proven performance routinely outweigh bespoke engineering. 

The Real Cyber Risk: Integration, Not Invention 

By emphasizing technology investment as a strategic growth lever, Principle One is directionally correct, but incomplete in how it frames the cyber threat surface. 

When growth depends on acquired or externally developed technology, cybersecurity risk concentrates in areas that the current framing underemphasizes: 

  • Inherited security debt embedded in acquired software, platforms, or manufacturing technologies. 

  • Opaque design decisions made outside the acquiring firm’s threat model, coding standards, or risk appetite. 

  • Expanded third- and fourth-party dependencies, particularly in cloud, AI, and industrial ecosystems. 

  • Post-acquisition integration failures, where governance, identity, logging, and control planes lag business adoption. 

Notably, the NACD Handbook itself acknowledges cybersecurity considerations during M&A and emerging technology adoption in its supporting tools and guidance (NACD, 2026). However, Principle One does not fully elevate this reality into its core strategic framing. 

Board-Level Implication: Cyber Risk Should Track Capital Allocation, Not R&D 

If boards accept that most technology investments are acquisitive rather than organic, then cybersecurity oversight must evolve accordingly: 

  • Cyber risk should be evaluated as part of capital deployment decisions, not merely IT execution. 

  • The strategic question for boards is less “Are we protecting what we build?” and more “Do we understand and accept the risk we are buying?” 

  • Cybersecurity becomes inseparable from deal rationale, integration sequencing, and operating model design, rather than a downstream control function. 

This perspective aligns more closely with the enterprise risk management principles embedded elsewhere in the NACD framework. Still, it is underweighted by Principle One’s emphasis on internally driven technology growth (NACD, 2026). 

Reframed Principle: An Executive Lens 

A more operationally accurate articulation of Principle One would recognize that cybersecurity risk increasingly originates from externally sourced technologies that are strategically acquired for speed, maturity, and competitive advantage. Treating cybersecurity as a strategic risk, therefore, requires boards to: 

  • Govern technology acquisition with the same rigor as financial and legal risk. 

  • Explicitly account for integration‑driven cyber exposure in growth strategies. 

  • Recognize that buying mature technology transfers risk rather than eliminating it. 

Bottom Line for Directors 

Principle One is necessary but not sufficient. Cybersecurity is indeed a strategic risk, but primarily because modern strategy is executed through acquisition and integration rather than internal invention. Boards that continue to frame cyber risk around internally built systems risk overlooking the most material exposures created by their own growth decisions. 

References 

  • Arts, S., Cassiman, B., & Hou, J. (2025). Technology differentiation, product market rivalry, and M&A transactions. Strategic Management Journal, 46(4), 837–862. 

  • National Association of Corporate Directors. (2026). Director’s handbook on cyber-risk oversight (5th ed.). NACD.
