A Board-level Challenge: Managing Cyber Risk with Strategic Vision
$10.5 trillion [1]. According to research, this staggering figure is the estimated cost of damages incurred by businesses due to cybercrime in 2025.
Fueled by advancing technologies and increasingly sophisticated attackers, cyber threats are evolving at a breakneck pace. Regardless of industry or geography, cyber threats are an ever-present challenge that poses real-world consequences, including financial and reputational losses for the businesses that fall victim.
The problem is that organizations often approach cybersecurity reactively. The companies that have already faced the cost of an attack (an estimated $9.36 million per data breach [2]) are the most likely to invest heavily in future prevention. In contrast, companies that opt not to invest in cybersecurity programs before an incident are often all too willing to spend the budget only after a breach occurs.
Cybersecurity requires a significant change in mindset, and like every major change, it starts at the top. While the leadership team is ultimately responsible for cybersecurity, executives often underestimate the likelihood of cyber risks or prioritize short-term business priorities. In these situations, the board plays a crucial role in creating the urgency to address these risks.
When boards prioritize cybersecurity, they send a powerful message throughout the organization. An engaged board sets the tone for accountability and drives proactive risk management, positioning companies to better anticipate and mitigate threats.
However, it turns out that many boards are thinking about cybersecurity the wrong way.
Beyond a Technical Solution
Cybersecurity is more than just firewalls, encryption, and antivirus software. While organizations often focus on acquiring cutting-edge technologies to combat cyber threats, they tend to overlook the human element. After all, research shows that 75% of all cyber-attacks are malware-free [3], with the majority of incidents stemming from some form of human error.
Technology is only as effective as the people managing it. Threats evolve over time, making it essential for companies to have a strong cybersecurity leader who can evolve along with them.
Building a Strong Cybersecurity Function
To combat cybercrime, many organizations have established strong cybersecurity functions, led by a Chief Information Security Officer (CISO). Since their inception, the responsibilities of these teams have expanded significantly, with increased involvement in policy development and risk management.
A CISO today needs to be able to align cybersecurity strategies with broader business objectives while driving organizational change and influencing executive decision-making. To be successful, the CISO must be empowered to lead the organization’s cyber resilience.
Cybersecurity is a resource-intensive endeavor, and boards play a crucial role in ensuring that the necessary investments are made to maintain a robust security strategy. Executive boards looking to elevate cybersecurity as a priority should consider these tactics:
- Include CISO updates as a recurring item on board agendas. This allows the CISO to brief the board regularly on the cybersecurity strategy and to raise potential concerns to the business. It also gives the board a clearer view of how the CISO and their team are ensuring cybersecurity and how the board can support those efforts.
- Track the progress of cybersecurity initiatives. By agreeing on and monitoring regular reporting on key performance indicators (KPIs), boards are better able to track the effectiveness of cybersecurity initiatives and make informed decisions about resource allocation.
- Collaborate with the CISO to assess their talent and resource needs. Boards should work with the CISO to ensure the team has the right mix of technical expertise and strategic capabilities. It is important to understand that this is not limited to current-state cybersecurity, but also covers predicting the future needs of the business.
- Explore potential risks through scenario planning and simulations. Board members often feel they lack the technical expertise to advise on cybersecurity. By participating in simulated cyber incidents, boards can develop a stronger understanding of their role during crisis situations and identify potential gaps in the organization’s cyber threat response plan.
- View other priorities through a cybersecurity lens. As the board reviews the company’s other priorities in its regular meetings, it should consider the potential impact of those decisions from a cybersecurity standpoint. This includes decisions regarding new investments in technology, new partnerships, and other significant changes to the infrastructure.
Creating a Culture of Cyber Vigilance
Ultimately, an organization’s cybersecurity strength depends on its culture. Boards have a unique opportunity to shape the organization’s culture by promoting awareness, accountability, and a proactive mindset among the employees.
In an era of escalating cyber threats, board-level engagement in cybersecurity is no longer optional—it is essential. By recognizing the strategic importance of the role of a CISO, investing in talent and resources, and fostering a culture of vigilance, boards can transform their organizations into resilient, cyber-aware enterprises.
Although the stakes of being cyber secure are high, with the right leadership and vision, organizations can navigate the complex landscape of cybersecurity with confidence and ensure their long-term success in the digital world.
[1] Cybersecurity Ventures, 2023 Official Cybercrime Report
[2] IBM, Cost of a Data Breach Report 2024
[3] CrowdStrike, 2024 Global Threat Report
About the Author
Tim Hewat is Head of Executive Search, North America, LHH Knightsbridge. He and his team help clients find and transition the top leadership talent they need to unlock their full potential. Contact Tim Hewat at tim.hewat@lhhknightsbridge.com to learn more.