SEI CERT Division Leadership Lends Emerging Technology Insights to Cyber-Risk Oversight Handbook
April 16, 2026—In the face of rapid technology changes, managing cyber risk is central to managing business risk. Advancements in artificial intelligence (AI) have already expanded the cyber threat landscape, and quantum computing represents a potential paradigm shift for many traditional cyber defenses. Two leaders from the CERT Division of the Software Engineering Institute (SEI) coauthored tools to help corporate boards govern the increased cyber risk posed by AI, quantum, and other emerging technologies. The tools appear in the recently released fifth edition of the Director’s Handbook on Cyber-Risk Oversight, from the National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA).
The handbook presents six independently validated cyber-risk oversight principles applicable to boards of public, private, and nonprofit organizations. The guide also includes practical tools to help directors engage with management, assess organizational preparedness, and oversee incident response.
Gregory Touhill, director of the SEI’s CERT Division, and Matt Butkovic, the CERT Division’s technical director for cyber risk and resilience, coauthored the “Board Discussion Guide on Adapting to Emerging Technologies.” The tool presents cybersecurity-related questions for directors and boards when discussing the impact of emerging technology on organizational strategy.
Touhill, who serves as a member of the ISA board of directors, contributed three additional tools:
- “Board Discussion Guide on Quantum Computing”: an overview of anticipated impacts and applications of quantum technologies, as well as cybersecurity-related questions for board members
- “Discussion Guide for Board Decisions on AI”: a guide to help directors understand evolving AI capabilities and AI investments and provide leadership to help businesses gain advantage from AI
- “Example Cybersecurity Board Reporting”: foundational practices and metrics boards can use to determine the soundness of cyber-risk oversight during cybersecurity briefings
“Cybersecurity is not just a technology issue to be managed in the server room. It’s a risk management issue that is top of the agenda in today’s board rooms,” said Touhill. “That’s why the SEI’s CERT Division continues to lead efforts to help organizations better manage the risks associated with modern software-enabled technology.”
The CERT Division has developed internationally recognized foundational guidance on enterprise risk and resilience management, including the CERT Resilience Management Model (CERT-RMM) and the Cybersecurity Maturity Model Certification (CMMC). Touhill’s and Butkovic’s contributions to the NACD–ISA handbook are emblematic of the SEI’s role as a trusted partner to government, academia, and industry for more than 40 years.
Download the Director’s Handbook on Cyber-Risk Oversight from the NACD, and learn more about the SEI’s enterprise risk and resilience research on our website.