Company boards should invite C-level security pros to business development discussions, in order to get the security implications of decisions, High said.
The financial services and tech industries are examples of sectors where it is not unusual for security to be a part of board-level discussions, Litan said. In other sectors, such as retail, board members are less technologically savvy and usually leave security responsibilities with the CEO.
"In most cases, they just want a one-paragraph summary that everything is taken care of," Litan said. "They don't know enough to micromanage. They don't even know what questions to ask."
Indeed, a recent Ponemon Institute survey of nearly 5,000 IT security professionals in the U.S. and 14 other countries found that eight in 10 did not believe that board-level executives understood the risks associated with losing sensitive data.
In Target's case, the company reported spending $61 million in the fourth quarter alone in dealing with the breach.
Target executives have acknowledged that security pros failed to heed early warnings in detection systems in November that attackers had broken into its computer systems. The company did not start investigating until December, when federal authorities notified Target of suspicious activity on its networks.