What Your Board Can Learn From Cloudflare – Directors & Boards

When Cloudflare went offline for three hours, it wasn’t a failure of technical expertise, but of good governance.
When 19% of the Internet went dark on November 18, 2025, directors worldwide should have asked the same question: “Could this happen to us?”
The answer, for most organizations, is “Yes.” And the board probably doesn’t know it yet.
Cloudflare, one of the most sophisticated infrastructure companies on Earth, went offline for three hours because a routine database permissions change cascaded into total system failure. Not a cyberattack. Not a sophisticated adversary. A configuration change that nobody flagged as high-risk.
If you’re a director reading this, here’s the uncomfortable question: Does your board receive reporting that would have caught a failure pattern like this before it took down your business?
This wasn’t a failure of technical expertise. Cloudflare has some of the best engineers in the world. This was a governance failure: specifically, a failure to ensure that operational risk controls matched the organization’s systemic importance.
The technical cascade. A database permissions update produced duplicate entries in a configuration file. That oversized file propagated globally without validation. Core proxy software crashed when it hit hardcoded size limits. Bot mitigation failed, triggering false positives that blocked legitimate traffic. Dependent services collapsed in succession.
The organizational failures. Change management allowed a “routine” tweak to bypass impact analysis. Architecture created brittle dependencies between noncritical and core services. Testing never simulated what happens when configurations exceed bounds. Incident response initially misdiagnosed the failure, wasting remediation time.
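As an added illustration (not code from the article, and not Cloudflare’s own code), here is a hypothetical pre-propagation gate of the kind the cascade above was missing: it deduplicates a freshly generated configuration, enforces the consumer’s hard size bound, and hands back the last-known-good configuration instead of a candidate that would exceed it. The names `MAX_ENTRIES`, `validate_and_gate` and the sample feature rows are assumptions.

```python
from dataclasses import dataclass

# Hypothetical hard limit of the kind the article says the proxy enforced.
# The gate checks against it *before* propagation, not after a crash.
MAX_ENTRIES = 200


@dataclass(frozen=True)
class ConfigResult:
    entries: tuple   # the configuration that should actually be deployed
    accepted: bool   # True if the candidate passed validation
    reason: str      # why the candidate was rejected (empty when accepted)


def dedupe(entries):
    """Collapse duplicate rows while preserving first-seen order."""
    seen, out = set(), []
    for e in entries:
        if e not in seen:
            seen.add(e)
            out.append(e)
    return out


def validate_and_gate(candidate, last_known_good, max_entries=MAX_ENTRIES):
    """Validate a generated config before it is pushed to consumers.

    On any failure the last-known-good config is returned unchanged, so a
    bad generator run (duplicate rows, oversized output, empty output)
    never reaches the component with the hardcoded limit.
    """
    cleaned = dedupe(candidate)
    if not cleaned:
        return ConfigResult(tuple(last_known_good), False, "empty config")
    if len(cleaned) > max_entries:
        return ConfigResult(
            tuple(last_known_good), False,
            f"{len(cleaned)} entries exceeds limit {max_entries}")
    return ConfigResult(tuple(cleaned), True, "")


def simulate_duplicate_rows(base, factor):
    """Constructed input: the same rows emitted `factor` times, the way a
    permissions change that suddenly returns one row per schema would."""
    return list(base) * factor
```

The test exercises the scenario the article says was never simulated: a candidate that exceeds the bound is rejected and the previous configuration stays in service.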
This is governance theater: processes that look impressive in compliance and audit documentation but fail when tested by reality.
Three board-level breakdowns enabled this cascade.
Inadequate risk appetite framework. The board approved an architecture where a single component could crash the entire platform. That’s not a technical decision. That’s a risk appetite decision that was never explicitly brought to the board.
Insufficient operational risk oversight. When was the last time your board reviewed the organization’s change management processes? Not the policy document — the actual effectiveness of controls that prevent routine changes from becoming catastrophic failures.
No leading indicators of control degradation. Boards receive lagging indicators — incident reports after failures occur. What leading indicators does your board receive showing that “routine” change processes are degrading before they cause an outage?
Directors have a duty of care to ensure adequate systems of oversight exist. After Caremark and subsequent case law, “We didn’t know” is not a defense when systemic failures occur.
The Cloudflare outage exposes a specific oversight gap that likely exists in your organization. The board reviews cybersecurity risk, quarterly reports on vulnerabilities, penetration tests and incident response readiness. The board doesn’t review operational resilience risk.
Does your board see reporting on:
This isn’t hypothetical exposure. Here are three questions every board should ask as soon as possible:
If management can’t answer these questions with actual data, you have an oversight gap that could trigger directors and officers liability when the inevitable failure occurs.
Here’s what made this preventable: Nobody asked these three basic questions before approving the change:
These aren’t exotic failure analyses. They’re basic “What breaks if this breaks” questions that should be embedded in change approvals and architecture reviews.
Your organization probably has the same gaps — not because you lack monitoring, but because change management treats “routine” as low-risk by default, architecture reviews were never revisited and deployment processes optimize for velocity over blast-radius containment.
Cloudflare’s board didn’t fail because they lacked technical expertise. They failed because the reporting they received, like the reporting most boards receive, emphasized compliance over outcomes, process over resilience and lagging indicators over leading warnings.
Here’s what effective oversight looks like:
Quarterly operational resilience reporting. This reporting should include:
Annual operational resilience audit. Independent validation that critical systems have been tested for failure scenarios, not just security scenarios. Can you survive your largest vendor going offline? Have you tested that assumption in the last 12 months?
Clear accountability. One executive owns operational resilience outcomes. Not the chief information security officer or the chief technology officer — someone who reports directly to the CEO and has authority to stop changes that create unacceptable blast radius.
The lesson from Cloudflare isn’t “hire better engineers.” What boards should take away from this incident is that even world-class teams fail when governance structures don’t force hard questions about routine operations.
The board’s job is to ensure those questions get asked and answered before the company makes headlines.
Sean Mahoney, CISM, is VP and information security officer at Netswitch Technology Management and co-host of the Cybersecurity Chronicles podcast.
© Directors & Boards 2025