The report found that many boards struggle to challenge what they hear about cybersecurity from their organization’s CISO