Information Security Buzz
Filed under: Expert Panel; Articles; Future, Trends and Insight; Risk Management; Threat Intelligence; Threats and Vulnerabilities

Why Cyber Risk Gets Lost in the Boardroom 

By Kirsten Doyle, February 26, 2026 (updated March 4, 2026). 13 minute read.

Cyber risk is now a standing item in most boardrooms. You’ll find it in annual reports, audit committees, and regulatory filings. And still, cyber risk is not being addressed effectively. 

Not because boards don’t care, or because CISOs are not reporting, but because something fundamental is still not working between security and governance. 

We posed these three questions to seven leading minds in the field of cybersecurity and risk: 

  • What is the biggest misunderstanding that the board still has about cyber risk?  
  • What metrics are actually used to drive decision-making at the board level?  
  • And finally, should the responsibility for cyber risk rest with the CISO alone? 

What we got back was convergence. But within that convergence were sharp distinctions about governance, AI, trust, financial modeling, and accountability. 

The Biggest Misunderstanding: Cyber Is Still Treated as an IT Problem

Despite years of awareness campaigns and headline breaches, the dominant misconception remains: cyber risk is a technical problem. 

“The biggest misconception is that cyber risk is primarily a technology problem. It is not. It is a governance and leadership decision-making problem,” says Jane Frankland MBE, CEO of KnewStart. 

“Too often, cybersecurity is communicated to boards in deeply technical language: acronyms, tooling updates, control frameworks. While accurate, this vocabulary creates distance. When directors hear operational detail instead of business consequence and outcomes, cyber is unconsciously delegated back to ‘the experts’, to IT. A leadership risk is reframed as a technical briefing.” 

Panagiotis Soulos, Information Security GRC Senior Manager, Steelmet for Viohalco Companies, agrees: “The biggest misunderstanding is the belief that cyber risk is primarily a technical or IT issue. Too often, it is framed as a compliance exercise, a checklist of controls, or a question of whether enough tools have been deployed. This framing misses the point. Cyber risk is a business risk, one that can disrupt operations, erode customer trust, trigger regulatory consequences, and undermine strategic objectives. The absence of a major incident is frequently mistaken for proof of resilience, when in reality it may simply reflect good fortune or undetected exposure.” 

Cyber Risk Can’t Be “Solved”

Javvad Malik, Lead Security Awareness Advocate at KnowBe4, adds: “Perhaps the biggest misunderstanding boards still have about cyber risk is the belief that it can be ‘solved’. That with sufficient investment in the right tools, platforms or vendors, the problem simply goes away. In reality, cyber risk is not a one-off technical issue to fix, but a dynamic business risk to continuously manage. Like financial exposure or even organizational health, it requires ongoing oversight, adaptation and cultural alignment. Threats evolve, attack surfaces expand and business models change. No amount of tooling alone creates immunity.” 

Malik also highlights the limitations of compliance snapshots: “Over-reliance on point-in-time assessments can give reassurance but rarely reflects the complexity of the real world. Human behavior is unpredictable. Third-party suppliers introduce inherited risk. Increasingly, AI systems operate in ways that are powerful but not always fully transparent. A clean audit report does not necessarily equate to operational resilience.”

We’re Speaking Different Languages

Chloe Messdaghi, Founder of Thornbridge Advisory, discusses the communication gap: “Cyber risk gets lost in the boardroom not because boards don’t care, but because we’re often speaking two different languages. Security teams present technical metrics. Boards think in terms of enterprise risk, growth, liability, and shareholder value. When cyber risk is framed as a technical issue instead of a business issue, it becomes background noise instead of a strategic priority.” 

She says a breach doesn’t just mean compromised data; it can mean halted operations, lost customer trust, executive liability, and long-term brand damage. “When boards see cybersecurity as a line item rather than a core component of resilience and competitive advantage, it naturally gets deprioritized.” 

Security Is Dynamic, Compliance Is a Baseline 

Rik Ferguson, VP of security intelligence at Forescout, echoes this, saying it’s not about not caring or because ‘cyber’ is an inaccessible concept. “It gets lost because we keep failing to translate it. We show heatmaps, maturity scores, and colour-coded confidence dashboards. Boards don’t govern colours; they govern outcomes, accountability, and trade-offs. 

“From the board perspective, the biggest misunderstanding I still see is that many boards treat cyber risk like a technical or a compliance problem, rather than a business continuity and decision-quality problem. They’ll ask, ‘Are we secure?’ or ‘Are we compliant?’ when the operational truth is that security is dynamic, and compliance is a baseline. The better question is ‘What can break, how quickly, and how would we know early enough to do something about it?’” 

We Are Not the “Department of No”

Gary Hibberd, Fellow of CIISec, sees an opportunity rather than just risk: “Another misunderstanding is that cyber risks are a cost to the business, when in fact if managed effectively, quality in products and services can be improved, which leads to increased revenue through customer satisfaction. This misunderstanding is something that we (within the industry) have allowed to exist because some still see their role is to say ‘No’ to everything! We are not the ‘thought police’ or the ‘department of no’, and if the perception is that you are, then the problem isn’t with the board, it’s with you.” 

Don’t Discount AI Risk

Security researcher Ross Moore adds a forward-looking view with AI: “One major component to keep in mind is how artificial intelligence in all of its permutations will affect risk. It may seem only technical or higher-grade than what one has in place already, but all that tech behind AI affects every area of life, whether professional or personal. Not taking into account the enormous risks presented by AI would be a disaster. Many vendors are throwing in AI as an integral piece of their app’s warp and woof, so purchasers have to improve their vendor risk assessments to account for AI risk — what last year was plain old software may now introduce a host of subprocessors that send sensitive data all over the world.” 

The experts agree that cyber risk becomes marginalized when it is framed as technical, solvable, compliant, or quiet, and overlooked when it is not translated into business impact. 

The Metrics That Actually Move Boards

Boards are swamped with technical metrics such as patching rates, vulnerability counts and uptime, yet these operational indicators rarely sway strategic decisions.

What Leadership Does Next 

The metrics that influence board decisions are the ones tied directly to business impact and executive control, says Ferguson. “I’d prioritise a small set of leading indicators a board can actually govern: proven recovery capability (from tests, not targets), exposure of critical services (the internet-facing and identity-dependent paths to crown-jewel systems), and time-based measures like mean time to detect and contain for your highest-impact scenarios. If a metric doesn’t impact what leadership does next, it’s not a board metric. Good metrics end with a decision: ‘Do we fund this control, accept the exposure, transfer the risk, or change the plan?’” 

Focus on Exposure, Not Activity

“Many board packs still focus on activity rather than exposure: patching rates, vulnerability counts, alerts generated. Operationally useful, yes, but strategically insufficient,” says Frankland. 

“Boards respond to metrics that illuminate resilience and consequence: detection and response time, operational continuity, recovery confidence, third-party concentration risk, and the organization’s ability to sustain critical services during disruption. Scenario-based discussions are particularly powerful because they shift the question from ‘Are we secure?’ (which no responsible leader can answer definitively) to ‘Are we prepared to operate when something goes wrong?’” 

Malik agrees: “When it comes to metrics that genuinely influence board-level decision-making, the most effective ones are framed in terms of business impact. Technical metrics like patching rates, phishing click percentages and vulnerability counts have value operationally, but they rarely resonate at board level in isolation. What drives engagement are quantified scenarios such as potential financial loss, operational disruption, customer impact, regulatory exposure and reputational damage.” 

Scenario-based modeling must directly connect to enterprise consequences, adds Messdaghi. “Not patch counts. Not number of blocked attacks. Instead: potential financial exposure, third-party risk concentration, time to detect and recover from incidents, regulatory readiness, and scenario-based modeling that shows what disruption actually looks like. Boards need clarity on ‘What happens to revenue, operations, and trust if this risk materializes?’ That’s the level at which decisions get made.”

The Trust Economy

Hibberd discusses the trust economy. “Metrics tend to be focused on IT outages or ‘uptime’, again this is an indicator that the Board have too narrow a view on security. Cyber risk metrics that influence a board should include feedback from clients/customers on services, but also on WHY the customer uses them. We are living in the ‘trust economy’, and trust is hard to win but easy to lose.” 

For Moore, metrics can be viewed in financial terms: “Financial exposure, loss estimates, exposed business services, metrics tied to risk reduction (not simply to activity), and readiness and resilience indicators are some metrics that speak to the business. What’s the quantified loss of a ransomware attack on a critical service? How often are there exceptions to the risk appetite? Is the DRP/IRP/BCP tested regularly to ensure proper recovery from disruption?” 

Boards Lack Insight

Soulos stresses the gap between data and insight: “Boards do not lack data; they lack insight. Trend-based indicators (showing whether risk is increasing or decreasing over time) are far more meaningful than static maturity scores or red amber green dashboards. Metrics that genuinely influence board level decision making are those that translate cyber exposure into business impact. Financial loss scenarios, estimated exposure relative to revenue or EBITDA, and plausible worst-case events enable cyber risk to be discussed alongside other enterprise risks.” 

Together, the panel believes that effective metrics translate technical exposure into financial, operational, and reputational consequences, and contextualize risk over time, not just as a snapshot.
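The metrics the panel describes in this section, quantified loss scenarios (Malik, Messdaghi), the loss of a ransomware attack on a critical service and exceptions to the risk appetite (Moore), exposure relative to EBITDA and plausible worst-case events (Soulos), and metrics that end in a funding decision (Ferguson), can all be produced from a small Monte Carlo loss model. The block below is an added example written for this page; it is not code from the article or from any panellist. The scenario names, frequencies, per-event loss figures, EBITDA and risk appetite are constructed illustrative inputs, and the modelling choice (Poisson event counts per year, lognormal loss per event, specified by median and 90th percentile) is a common simplification the panel does not prescribe.

```python
"""Scenario-based cyber loss model (added example, not from the article).

Turns a handful of constructed scenario assumptions (expected events per
year, median and 90th-percentile loss per event) into the figures the
panel says boards respond to: expected annual loss, a plausible worst
case, the probability of exceeding a stated risk appetite, each also
expressed relative to EBITDA, and the loss reduction a proposed control
buys net of its cost. Every number below is illustrative.
"""
import math
import random
from dataclasses import dataclass, replace

Z90 = 1.2816  # standard-normal 90th percentile


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float  # expected events per year (Poisson rate)
    loss_median: float       # median loss per event, currency units
    loss_p90: float          # 90th-percentile loss per event

    def lognormal_params(self):
        """mu, sigma of the lognormal with this median and p90:
        median = exp(mu); p90 = exp(mu + Z90 * sigma)."""
        mu = math.log(self.loss_median)
        sigma = (math.log(self.loss_p90) - mu) / Z90
        return mu, sigma

    def expected_annual_loss(self):
        """Analytic expected loss: rate times the lognormal mean."""
        mu, sigma = self.lognormal_params()
        return self.annual_frequency * math.exp(mu + sigma * sigma / 2)


def poisson(rng, rate):
    """Knuth's algorithm: number of events in one year at the given rate."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenarios, years=20000, seed=7):
    """Monte Carlo: total loss across all scenarios for each simulated year."""
    rng = random.Random(seed)
    params = [(s.annual_frequency, *s.lognormal_params()) for s in scenarios]
    totals = []
    for _ in range(years):
        total = 0.0
        for rate, mu, sigma in params:
            for _ in range(poisson(rng, rate)):
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    totals.sort()
    return totals


def percentile(sorted_values, q):
    """Nearest-rank percentile of an ascending list, q in (0, 1]."""
    idx = max(0, math.ceil(q * len(sorted_values)) - 1)
    return sorted_values[idx]


def board_summary(totals, risk_appetite, ebitda):
    """Numbers framed the way the panel suggests: money, worst case, appetite."""
    n = len(totals)
    expected = sum(totals) / n
    p95 = percentile(totals, 0.95)
    exceed = sum(1 for t in totals if t > risk_appetite) / n
    return {
        "expected_annual_loss": expected,
        "p95_annual_loss": p95,
        "prob_exceeding_appetite": exceed,
        "expected_pct_ebitda": 100 * expected / ebitda,
        "p95_pct_ebitda": 100 * p95 / ebitda,
    }


def control_decision(scenarios, target, new_frequency, control_cost,
                     risk_appetite, ebitda, **sim_kwargs):
    """Baseline versus the same model after a control lowers one scenario's
    frequency; the decision metric is the expected loss avoided net of cost."""
    improved = [replace(s, annual_frequency=new_frequency) if s.name == target else s
                for s in scenarios]
    before = board_summary(simulate_annual_losses(scenarios, **sim_kwargs), risk_appetite, ebitda)
    after = board_summary(simulate_annual_losses(improved, **sim_kwargs), risk_appetite, ebitda)
    avoided = before["expected_annual_loss"] - after["expected_annual_loss"]
    return {"before": before, "after": after,
            "annual_loss_avoided": avoided, "net_benefit": avoided - control_cost}


# Constructed, illustrative inputs (not figures from the article).
SCENARIOS = [
    Scenario("ransomware on order-management platform", 0.2, 2_000_000, 8_000_000),
    Scenario("breach at third-party payroll provider", 0.5, 300_000, 1_200_000),
    Scenario("business email compromise in finance", 1.5, 50_000, 250_000),
]
EBITDA = 40_000_000
RISK_APPETITE = 5_000_000  # annual loss the board has said it will not absorb

if __name__ == "__main__":
    totals = simulate_annual_losses(SCENARIOS)
    for key, value in board_summary(totals, RISK_APPETITE, EBITDA).items():
        print(f"{key:26s} {value:,.2f}")
    decision = control_decision(SCENARIOS, "ransomware on order-management platform",
                                new_frequency=0.08, control_cost=400_000,
                                risk_appetite=RISK_APPETITE, ebitda=EBITDA)
    print(f"net benefit of control: {decision['net_benefit']:,.0f}")
```

Run as a script it prints the summary and the control comparison. The point is that every output line answers a board question (how likely is a year in which we lose more than we said we could absorb, what is a plausible worst year as a share of EBITDA, what does this control buy us net of its cost) rather than reporting a count of activity. Re-running the model each quarter with updated inputs gives the trend-based indicator Soulos asks for; treating the inputs as estimates to be refined, not facts, is the honest way to present it.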

Who Owns Cyber Risk?

Ownership remains one of the thorniest issues in governance.

A Deeper Structural Issue

Frankland notes: “Ownership exposes a deeper structural issue. Cyber risk cannot sit solely with the CISO. Many CISOs carry significant accountability… yet lack the authority to implement the changes required to materially reduce risk. Investment priorities, technology strategy, and operational trade-offs often sit elsewhere in the executive team. When accountability is concentrated but power is distributed, organisations create a governance fault line that remains invisible until crisis exposes it.” 

“While the CISO plays a critical leadership role, cyber risk is an enterprise-wide issue,” Malik adds. “Business unit leaders create and own risk through their decisions, technologies and third-party relationships. Effective governance requires shared accountability across the executive team, with the board ensuring cyber risk is embedded into broader risk management and strategic decision-making, rather than being treated as a siloed IT concern.” 

Proof in Plain Language

Ferguson agrees: “The CISO should orchestrate and provide clarity, but risk ownership belongs with the executives who own the processes and the financial consequences. Identity risk is as much a CIO/CTO problem as it is a security one. Third-party exposure is procurement and legal. OT risk is operations. The board’s role is to demand explicit accountability, and to ensure risk acceptance is signed by the business owner, not quietly absorbed by security.” 

Boards don’t need a bigger dashboard, he says. “They need proof in plain language: what could stop the business, how credible it is, how fast, what it costs to reduce it, and who’s on the hook.” 

When Risk Is Siloed, It Becomes Isolated

“The CISO owns the security program, but enterprise risk belongs to the executive team collectively,” says Messdaghi. “Finance defines risk tolerance. Legal manages regulatory exposure. Operations owns resilience. The CEO sets tone and accountability. When cyber risk is siloed within security, it becomes isolated. When it’s shared across leadership, it becomes embedded in strategy.” 

Hibberd brings in the accountability distinction: “Someone needs to be responsible for cyber risks, so yes, the CISO is a good person to be responsible. But accountability sits with the board, and these are two different things. Road safety helps explain this… Someone in government is ‘responsible’ for identifying the risks associated with road safety, but we are ALL accountable for our actions when using those roads. The CISO should have strong leadership and communication skills and be able to draw out this understanding from the executive team.” 

Who Will Take the Stand?

For Moore there’s a legal and practical perspective: “Who is willing and able to take the stand in court if something goes really wrong? Someone capable needs to be in the lead, because if there’s a data breach, someone will be in that courtroom… Irrespective of titles, there should at least be owners of enterprise risk, the security program, and risks created by their own department’s strategies.” 

Soulos rounds it up: “Ownership of cyber risk must be shared across executive leadership, with clear oversight from the board and accountability at CEO level. Ultimately, cyber risk gets lost in the boardroom when it is presented in technical language, measured in abstract terms, and delegated to a single function. When it is reframed as a core enterprise risk (expressed in financial and operational terms, tied to strategic decisions, and owned collectively) it earns its place where it belongs: at the heart of boardroom decision making.” 

The consensus is clear: CISOs provide expertise and execution, but boards and executives collectively own cyber risk, just as they own financial or operational risk.

From Technical Control to Organizational Survivability

Across all experts, a single theme stands out: cyber incidents rarely escalate because a single control fails. They escalate when governance, visibility, and accountability fail. 

“Cyber risk gets lost in the boardroom when it’s treated as a specialist domain rather than a leadership condition. The organizations best positioned for the years ahead will be those that govern cyber not as an IT issue but as a determinant of organizational survivability,” says Frankland. 

A Business Survival Issue

“Cyber risk stops getting lost in the boardroom when we stop treating it as a technical function and start treating it as what it truly is: a business survival issue,” Messdaghi says. 

“Cyber risk is a dynamic business risk to continuously manage… It requires ongoing oversight, adaptation and cultural alignment,” Malik concludes. 

From AI, trust, and third-party risk to executive accountability and scenario-based financial metrics, the expert panel paints a compelling picture of a board that needs to grasp cyber as a business discipline that is strategic, continuous, and organization-wide, rather than technical, reactive, and compartmentalized. 

Kirsten Doyle, Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


Information Security Buzz is an independent resource that provides the experts’ comments, analysis, and opinion on the latest Cybersecurity news and topics

Information Security Buzz and all its contents are copyright © 2014-2025. All rights reserved. All third-party trademarks are recognized.
