Should corporate boards be required to have representation from the information security domain? Is it a governance issue that security and IT risk management has become critical, yet directors' ability to manage this domain has perhaps lagged?