Many boards overestimate their company’s cyber-resilience—and underestimate their own role in shaping it.