Content to action
Qubicweb keeps the discovery and trust-education layer lightweight. When you need governed account, commerce, service, or trust actions, continue in the canonical app without losing the article’s source context.
Content to action
Qubicweb keeps the discovery and trust-education layer lightweight. When you need governed account, commerce, service, or trust actions, continue in the canonical app without losing the article’s source context.
Cybersecurity is now a governance and survival issue. Boards that treat it as an IT matter are leaving their organisations exposed to fraud, downtime, regulatory pressure, and reputational collapse. This post outlines the questions boards should be asking and how leaders can translate cyber risk into executive decision language.
Boards that treat cybersecurity as “an IT matter” are making a category error. Cybersecurity has become a primary driver of operational continuity, financial integrity, regulatory exposure, partner confidence, and enterprise valuation. When risk sits at that level, it is not delegated away. It is governed.
This does not mean boards must discuss tools or configurations. It means boards must govern:
what the organisation is willing to risk
what must never fail
how control effectiveness is evidenced
who owns the consequences when controls fail
how crises are managed when prevention fails (because sometimes it will)
A mature board treats cyber the way it treats credit risk, liquidity risk, fraud risk, and business continuity: as a strategic risk with measurable indicators, clear decision rights, and periodic stress testing.
A board-grade cyber programme is an enterprise control system with five elements:
Crown jewels definition
What assets, processes, and data would cause existential harm if compromised?
Control objectives
What are we trying to guarantee? Confidentiality, integrity, availability, safety, and legal compliance.
Control coverage
Which controls protect which crown jewels? Where are the gaps?
Assurance and evidence
How do we know controls work? Not belief. Evidence.
Response readiness
What happens when controls fail? Who decides, who communicates, and how recovery is executed.
If any of these elements is missing, the organisation is relying on luck.
Boards should not “run security.” Boards should own governance. Practically, that means:
approve cyber risk appetite and tolerances
ensure management has a funded, time-bound programme
demand evidence of control effectiveness
oversee third-party concentration risk and exit readiness
ensure incident response, recovery, and crisis communications are rehearsed
ensure accountability for repeated control failures
implement controls and produce evidence
run operations: monitoring, patching, access governance, vendor oversight
execute incident response and recovery
build culture and capability
The line is simple: boards demand clarity and evidence, management delivers capability.
Boards delegate security to IT without giving it authority across business units, procurement, HR, and operations. The result is predictable: controls remain inconsistent and exceptions multiply.
Security becomes a once-a-year compliance exercise, while attackers operate continuously. If cyber is not discussed routinely, it is not governed.
Boards receive dashboards full of activity metrics (number of trainings, number of tools deployed) instead of risk metrics (time-to-detect, privileged access reduction, restore success rate). Activity is not safety.
Boards underestimate third-party risk and concentration risk. A vendor outage or compromise becomes the organisation’s problem within minutes, regardless of contract wording.
The first time executives discuss decision rights, customer messaging, regulatory notification, and containment trade-offs is during the incident. That is not leadership. That is reaction.
A board that wants to govern cyber should ask questions that force precision:
What are our crown jewels, and what is the blast radius if each is compromised?
Which systems can move money, change identity attributes, or export customer data?
Who has privileged access today, and how fast can that access be removed?
How quickly can we detect an intrusion or fraud campaign in our most critical systems?
How quickly can we contain it without destroying evidence or causing extended downtime?
When was our last incident simulation, what failed, and what has been fixed since?
Do we have tested restores, not just backups?
What are our proven RTO and RPO for crown jewel systems?
How would we operate manually if key platforms are down for 48 hours?
Which vendors are critical to uptime, identity, payments, or customer communications?
What is our exit plan if a critical vendor fails or becomes unaffordable?
How do we monitor vendor controls beyond initial onboarding?
Who owns cyber risk in each business unit?
What are the top 5 risks management is carrying, and why are we accepting them?
What is our process for exceptions, and how do exceptions expire?
These questions translate cyber from “technical” into “governance”.
A board cannot govern cyber without a consistent evidence pack. Each quarter, boards should receive:
Crown jewels map and changes since last quarter
Top risk register: top 5–10 cyber risks with likelihood, impact, mitigation status
KRI dashboard (risk indicators, not activity indicators)
Incident and near-miss report with lessons learned and actions closed
Third-party posture report for critical vendors and concentration exposure
Readiness report: tabletop exercise outcomes, recovery tests, communications rehearsal outcomes
Programme delivery status: what was promised, what is done, what is late, and why
If the pack is not evidence-based, it is a storytelling exercise.
Boards should focus on a small set of KRIs that show whether risk is increasing or decreasing:
MFA coverage on crown jewel systems
privileged access count and trend (should reduce over time)
time-to-deprovision access for leavers and contractors (SLA and compliance)
critical vulnerability remediation SLA adherence
percentage of crown jewel systems with current patch posture
percentage of production changes with change control and rollback plans
time-to-detect and time-to-contain for material incidents and simulations
alert fatigue indicators: false positive rate and triage backlog
coverage of logging for key events (privilege changes, data exports, payout changes)
restore test success rate and proven RTO/RPO outcomes
coverage of tested recovery plans across crown jewel systems
number of critical vendors without current risk review
concentration risk index: dependency on top 1–3 providers without exit runbooks
These KRIs avoid the trap of “we did training therefore we are safe.”
In many African markets, trust collapses quickly and publicly, often through WhatsApp, community channels, and informal media amplification. This changes the crisis dynamic.
Boards must ensure:
crisis communications is rehearsed, not improvised
messaging is truthful, specific, and timely
customer protection actions are prioritised (account safety, fraud containment, service continuity)
regulators are engaged with discipline, not panic
internal teams have a single source of truth to prevent rumour-driven chaos
Speed and clarity are not PR tactics. They are trust controls.
Boards should assign ownership clearly:
Audit/Risk Committee: KRIs, risk register, vendor risk, assurance
Technology Committee (if present): resilience, architecture risk, major investments
Full Board: risk appetite, major incident oversight, strategic trade-offs
Management should have a named executive owner, typically a CRO/COO/CIO depending on the organisation, with the CISO responsible for programme delivery and evidence.
A board that governs cyber well does three things consistently:
demands clarity on crown jewels and blast radius
insists on evidence of control effectiveness
rehearses response and recovery before the crisis arrives
Anything less is not neutrality. It is unmanaged risk.
Commentary
Loading comments...