By now most boards know that cybersecurity is a business risk that they must oversee and ensure proper mitigations are in place. In an earlier article, we described the conversations the boards must have to perform this role. We made a case for discussing cyber resilience instead of cyber protection. Organizations cannot protect themselves enough to simply rely on additional investments in protection. Certainly, protecting assets, systems, and data is critically important, but as continued headlines have shown, focusing on protection is just not enough. Companies, and the boards that oversee them, have failed to find the right way to be protected enough (as evidenced by the constant headlines sharing the latest innovative breach on the under protected organization). Instead, we advocate that boards must have conversations about resilience, not just about protection.