Prioritizing Cybersecurity in Boardroom Discussions


Summary

Prioritizing cybersecurity in boardroom discussions means treating digital protection as a fundamental business concern, not just a technical issue. It ensures that company leaders focus on the risks, strategies, and cultural shifts needed to safeguard revenue, reputation, and operations from cyber threats.

  • Make security visible: Add cybersecurity as a regular item on your board agenda and ask clear, business-focused questions about risk and resilience.
  • Connect risk to revenue: Frame cybersecurity conversations around how threats can impact sales, customer trust, and operational continuity, not just compliance.
  • Build a security culture: Encourage ongoing education, daily cyber hygiene, and open reporting of incidents or near misses to help everyone play a role in protecting the organization.
Summarized by AI based on LinkedIn member posts
  • Ryan LIM

    Founding Partner @ QED | Bestselling Author | C-Suite Convenor | SkillsFuture Fellow | Cancer Survivor

    9,469 followers

    Every time I host a session on Cybersecurity, it still never fails to amaze me, and I learn new things. This time, here's what I learnt. Cybersecurity is now a war of proxies. So many actors, each with different motives, make it extremely difficult to attribute and manage. Yet, it's precisely because of this that Cybersecurity is not a tech problem. It's a leadership one.

    QED just wrapped up an intense, no-holds-barred leadership session co-hosted with our friends from Ensign InfoSecurity to explore "Leadership in the Age of Cyber Risks and Opportunities." Instead of just another tech talk, we made it a strategic dialogue at the Board level. So here are my key takeaways... I did say I'm learning, right? 😉

    1. When sh*t happens, who decides? Clear ownership is critical when a breach happens. If everyone's responsible, no one is.
    2. Assume you're already breached. Incident response plans are 3-parters that should cover before, during and after a breach/attack.
    3. Boards must prioritise the top 3 cyber risks. Not everything can be defended equally: focus on protecting your critical assets and ask how you can recover... if at all?
    4. Metrics that matter. Boards should ask the right questions, not just more questions. Assess resilience with clear indicators. Watch out for vanity metrics that feel good but do absolutely... nothing! 😅
    5. Cyber hygiene is culture, not compliance. Regular simulations. Employee training. Strong passwords. Make it a daily habit and not something tedious or optional.

    Ensign also shared their 2025 Threat Report, which focuses more on the situation across APAC than elsewhere. Top three points:
    – Ransomware is still king
    – GenAI poses new challenges/complexities
    – Geopolitical tensions are reshaping the attack surface

    A huge thank you to Charles Ng and the great team at Ensign for the comprehensive deep dive and to all the leaders who shared, questioned, and connected with the purpose of being safer and better guarded together.
    Special thanks to our amazing panelists Lily Low, Audrey Ong, and Charles + our wonderful QED Fellow and moderator Ramakrishna Purushotaman for cutting through the noise. Your various vantage points help us all see a more complete picture of the challenges! 🙏🏼

    Here's something for you to ponder: 📣 If you're a Board Director but haven't discussed cyber in the last 90 days, it's overdue. Do you know what the right questions are to ask your management? 🤔

  • Wil Klusovsky

    Cybersecurity Advisor to Executives & Boards | Turning Cyber Risk Into Clear Business Decisions | Public Speaker | Host of The Keyboard Samurai Podcast

    23,698 followers

    "Cyber is IT's problem"
    That's the most expensive phrase in business.
    Why? Because every time I hear a CEO say this, I know exactly what's coming next:
    → The urgent board meeting
    → The press release draft
    → The market cap freefall
    → The leadership "restructuring"

    🧙🏼‍♂️ I've sat in both chairs:
    Security Leader, watching business leaders delegate their survival to IT.
    Consulting Leader, seeing how fast "technical issues" become business extinction events.

    Here's what every executive needs to understand: Cybersecurity isn't an IT problem wearing a business hat. It's a business problem that happens to wear a tech shirt.

    Think IT isolation is safe? Consider this:
    → Incidents = 200+ days to find & ~7 months to recover
      ↳ That's a long time to have reduced revenue
    → Compliance fails can keep you from entire markets
      ↳ Your best prospects are asking harder cyber questions

    When cyber lives in an IT silo, business context dies. Risk decisions get made without revenue impact analysis. Security budgets compete against "real" business investments. Your sales team finds out about security gaps when prospects do.

    The companies crushing it treat cyber as a business function:
    → CISO reports to CEO, COO, not CIO, CTO
    → Security metrics tied directly to business outcomes
    → Revenue teams understand your risk posture
    → Board conversations focus on business impact, not technical jargon
    → Investment decisions consider both growth and protection

    Here's how to get business leaders on board:
    1. Translate Tech to Money 💰
    → Don't say "patch management is behind"
    → Say "we have $3.2M in revenue at risk from preventable system vulnerabilities"
    2. Connect to Growth Goals 📈
    → Don't say "we need a GRC tool"
    → Say "this will reduce security questionnaire response time from 2 weeks to 2 days, accelerating deal closure"
    3. Use Competitor Intelligence 🎯
    → Don't say "our security posture is weak"
    → Say "3 competitors just earned compliance certs we can't win against"
    4. Focus on Revenue Protection 💵
    → Don't say "our incident response is immature"
    → Say "average breach costs 24 days of downtime - that's $X in lost revenue for us"
    5. Speak Their Language 🤝
    → Skip the tech jargon
    → Use terms from their quarterly earnings calls
    → Frame security as market differentiation

    Your CISO should be your secret weapon for growth. Your security team should be revenue enablers. Stop treating security as a cost center. Start using it as your competitive edge.

    What security conversation do you need help translating? ⤵️
    🔄 Repost if this resonates
    📲 Follow Wil Klusovsky for wisdom on cyber & tech business

  • Sajid Iqbal

    Cyber Security Leader Focused on Enabling and Protecting Business Growth (CCISO, CISSP, CISM, ISO27001)

    9,829 followers

    𝗡𝗖𝗦𝗖 𝗔𝗻𝗻𝘂𝗮𝗹 𝗥𝗲𝘃𝗶𝗲𝘄 𝟮𝟬𝟮𝟱
    The National Cyber Security Centre has released its Annual Review, and the message is clear: cyber risk is now a boardroom priority, not just an IT issue. This year's review reveals a 50% increase in highly significant cyber incidents, with attacks disrupting everything from supply chains to public services. The cost of inaction is rising: financial losses, reputational damage, and regulatory scrutiny are now the norm after a breach.

    𝗞𝗲𝘆 𝗵𝗶𝗴𝗵𝗹𝗶𝗴𝗵𝘁𝘀 𝗳𝗿𝗼𝗺 𝘁𝗼𝗱𝗮𝘆'𝘀 𝗽𝘂𝗯𝗹𝗶𝗰𝗮𝘁𝗶𝗼𝗻:
    • Cyber attacks are impacting every sector, from SMEs to critical national infrastructure.
    • Ransomware remains a top threat, with attackers targeting operational downtime and sensitive data.
    • Leadership matters: cyber resilience must be driven from the top and embedded into strategy, culture, and operational planning.
    • The NCSC is urging all organisations to act now; don't wait for the breach.

    𝗣𝗿𝗮𝗰𝘁𝗶𝗰𝗮𝗹 𝘀𝘁𝗲𝗽𝘀:
    • Make cyber risk a standing board agenda item.
    • Invest in foundational controls like Cyber Essentials.
    • Use free NCSC resources such as the Cyber Assessment Framework (CAF) and Early Warning services.
    • Build a positive cyber security culture; prevention is always better than cure.

    As the NCSC says: "It's time to act. Don't wait for the breach."

  • Chris Cooper

    Enterprise-Level Cybersecurity, Risk Mitigation & Digital Compliance for SMBs | Founder @ Rougemont Security

    19,740 followers

    CEO: "I'm not paying 6 figures just for compliance."
    Me: "Okay. Then you should know someone just sat at your desk, in your secure office and took a photo of your unlocked laptop."
    CEO: "…What?"

    Let me take you back 15 years when I was Head of Security for Flybe, a UK-based airline processing over £2M/day in online bookings. Back then, cyber was seen purely as a cost. Leadership did compliance only because we had to. The company's entire focus was on physical operations:
    • Planes in the air
    • Airport apron security
    • Engineering uptime

    But their website, ecommerce platform, and booking system pulling in millions of pounds every day weren't even in the security conversation. Until I forced it into one.

    Leadership tasked me with achieving PCI compliance. I told them it would cost at least 6 figures. The CFO looked like he'd just swallowed a lemon. "Why would we spend that much on something that never happens?" Because when you run £2M/day through your website, that mindset puts planes and humans at risk.

    So I tried something bold. I brought in a social engineering firm with two simple missions:
    1. Get into the CEO's office, sit at his desk, and take a picture of you on his laptop.
    2. Board one of our planes on the apron of our engineering bay, get into the cockpit, and take a photo in the pilot's seat.

    They succeeded. On both.

    Two days later, I walked into the boardroom, mid-way through their cost-cutting talks, and dropped both photographs on the table. Silence. Then, I explained what leadership didn't see:
    → If you become known as the airline that got hacked, how much in daily sales do you think that will cost?
    → If our airline reservation booking system were compromised, could you continue to fly our schedule?
    → If we cannot accept credit/debit card payments, how long would we survive?

    Cybersecurity was the airline. They just didn't see it yet.

    From that moment forward, the conversation shifted. No longer was security "just a cost." It became a core part of how we earned, protected, and scaled. By incorporating effective security, Flybe was able to:
    • retain £2M/day in online revenue
    • reduce its cyber insurance premiums
    • avoid charge-backs for fraudulent transactions
    • give customers the reassurance of being PCI compliant

    To this day, I tell every SME leader the same: Cyber isn't insurance for what might happen. It's the infrastructure that powers what must happen, every single day. If you're still seeing it as a tickbox exercise, you're leaving risk wide open, and revenue on the table.

    –– Note: Not the CEO/CFO in the picture below, just a shot of me with friends from a past event.

  • Jen Easterly

    CEO, RSAC | Cyber + AI | Leader | Keynote Speaker | Innovator | #MoveFast&BuildThings

    125,945 followers

    In an article last year for Foreign Affairs Magazine (https://lnkd.in/ggFTEU3z) on how to catalyze a sustainable approach to cybersecurity, Eric Goldstein & I emphasized that in every business the responsibility for cybersecurity must be elevated from the IT department to the CEO and the Board. As we noted, the trend is moving in the right direction: in a survey conducted by NACD (National Association of Corporate Directors), 79% of public company directors indicated that their Board's understanding of cyber risk had significantly improved over the past two years. The same study, however, found that only 64% believed their Board's understanding of cyber risk was strong enough that they could provide effective oversight.

    To improve those numbers, CEOs & Boards must take ownership of cyber risk as a matter of good governance. This is largely a cultural change: where cybersecurity is considered a niche IT issue, accountability will inevitably fall on the CISO; when cybersecurity is considered a core business risk, it will be owned by the CEO and Board.

    Recognizing that Board members in particular have special power to drive a culture of "Corporate Cyber Responsibility," I asked my Advisory Committee to make recommendations on how to advance such a culture. The effort, led by Dave DeWalt, highlighted several key points: Board members should be continuously educated on cyber risk, with cybersecurity considerations appropriately prioritized in every business and technology decision, and decisions to accept cyber risk scrutinized and revisited often. Boards should also ensure that the thresholds for reporting potential malicious activity to senior management are not set too high; "near misses" should be reported along with successful intrusion attempts, as much can be learned from them. In addition, Boards should ensure that adequate long-term security investments are available to address the safety consequences of antiquated technology, with new investments focused on technology that is #SecureByDesign. Finally, Board members should ensure that CISOs have the influence & resources necessary to make essential decisions on cybersecurity, with decisions to prioritize profits over security made both rarely and transparently.

    The Committee also recommended developing a Cybersecurity Academy for Board Directors & set about establishing a pilot program, which was held yesterday at the U.S. Secret Service Training Center (https://lnkd.in/eVSzP_sx). Huge thanks to my teammate Kimberly C. for her partnership, as well as the awesome Ron Green for driving this effort with Dave & Katherine Hennessey Gronberg, and the great NACD team, led by Peter Gleason. Am super grateful to the Board Directors who participated in this inaugural effort and look forward to their feedback so we can further scale the program.

  • Kimin T.

    CEO, Gunung Capital

    2,401 followers

    𝗖𝘆𝗯𝗲𝗿𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗵𝗮𝘀 𝗯𝗲𝗰𝗼𝗺𝗲 𝘀𝘁𝗿𝗮𝘁𝗲𝗴𝘆, 𝗻𝗼𝘁 𝘀𝘂𝗽𝗽𝗼𝗿𝘁.
    I believe that some of us used to think of #cybersecurity as a technical function, important, but secondary to strategy. Well, that thinking doesn't hold anymore. Today, cybersecurity defines how resilient and trusted a business can be. It's a strategic advantage.

    When I read McKinsey & Company's 𝘉𝘰𝘢𝘳𝘥-𝘓𝘦𝘷𝘦𝘭 𝘗𝘦𝘳𝘴𝘱𝘦𝘤𝘵𝘪𝘷𝘦 𝘰𝘯 𝘊𝘺𝘣𝘦𝘳𝘴𝘦𝘤𝘶𝘳𝘪𝘵𝘺, it reminded me how quickly leadership priorities are evolving.
    ✅ In board discussions and leadership meetings, I've seen how cybersecurity shapes decisions around capital, data, and governance. The strongest organizations treat it not as compliance, but as a foundation for innovation and long-term value creation.
    ✅ The same shift applies to AI. As its influence expands, governance can't just be reactive or regulatory. It has to be intentional. Leaders need to understand both the potential and the boundaries, what AI can do, and what it should do.

    For me, this isn't about becoming an expert in every technology. It's about building the systems, culture, and trust that allow technology to serve a bigger purpose.

    𝗞𝗲𝘆 𝗿𝗲𝗳𝗹𝗲𝗰𝘁𝗶𝗼𝗻𝘀:
    ➡️ 𝗖𝘆𝗯𝗲𝗿𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗶𝘀 𝗻𝗼𝘄 𝗮 𝗯𝗼𝗮𝗿𝗱𝗿𝗼𝗼𝗺 𝗮𝗴𝗲𝗻𝗱𝗮. It influences competitiveness as much as cost or capital allocation.
    ➡️ 𝗥𝗲𝘀𝗶𝗹𝗶𝗲𝗻𝗰𝗲 𝗶𝘀 𝘀𝘁𝗿𝗮𝘁𝗲𝗴𝗶𝗰. Managing risk well creates room for growth and innovation.
    ➡️ 𝗔𝗜 𝗱𝗲𝗺𝗮𝗻𝗱𝘀 𝗽𝗿𝗼𝗮𝗰𝘁𝗶𝘃𝗲 𝗴𝗼𝘃𝗲𝗿𝗻𝗮𝗻𝗰𝗲. Leadership must move faster than regulation and set its own ethical boundaries.
    ➡️ 𝗙𝗹𝘂𝗲𝗻𝗰𝘆 𝗺𝗮𝘁𝘁𝗲𝗿𝘀. The best boards and executives don't delegate understanding, they seek it.
    ➡️ 𝗣𝘂𝗿𝗽𝗼𝘀𝗲 𝗶𝘀 𝘁𝗵𝗲 𝗮𝗻𝗰𝗵𝗼𝗿. Every decision around technology and data should reinforce the values the organization stands for.

    Because in this new era, leadership isn't just about understanding risk, it's about turning responsibility into advantage, and guiding technology with conviction and purpose. Curious how other leaders are reframing cybersecurity and AI as part of their strategic agenda? The conversation is only just beginning.

    Reference: https://lnkd.in/gCgqr42Q

  • Marcel Velica

    Cybersecurity & AI Trust Leader | vCISO | B2B Tech Brand Partner | AI Governance Advisor | 65K+ Executive LinkedIn Audience

    65,240 followers

    𝗧𝗵𝗲 𝗖𝗜𝗦𝗢 𝗖𝗼𝗺𝗺𝘂𝗻𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗚𝗮𝗽 𝗧𝗵𝗮𝘁 𝗤𝘂𝗶𝗲𝘁𝗹𝘆 𝗗𝗲𝘀𝘁𝗿𝗼𝘆𝘀 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗕𝘂𝗱𝗴𝗲𝘁𝘀
    Your security budget isn't getting cut because it's too big. It's getting cut because it's misunderstood. That's the CISO communication gap. And it quietly creates budget waste year after year.

    𝗜'𝘃𝗲 𝘀𝗲𝗲𝗻 𝘁𝗵𝗶𝘀 𝗽𝗮𝘁𝘁𝗲𝗿𝗻 𝘁𝗼𝗼 𝗼𝗳𝘁𝗲𝗻.
    Security says: "We reduced vulnerabilities by 40%."
    Executives hear: "Technical improvement."
    What they actually care about: "Did we reduce revenue exposure?"
    Security activity does not automatically equal business impact. And when that translation fails, funding gets questioned.

    Here's what happens next. A new tool gets purchased. Metrics are reported. But there's no clear business linkage. Executive clarity drops. Future funding gets challenged. Reporting becomes more defensive. The cycle repeats. Not because security failed. Because communication failed.

    Every board conversation filters through four lenses: Revenue. Risk. Regulatory exposure. Reputation. If your update doesn't clearly connect to one of these, it gets categorized as overhead.

    Instead of saying: "Vulnerability backlog decreased."
    Say: "We reduced the revenue exposure window."
    Instead of: "Incident response time improved."
    Say: "We strengthened downtime containment capability."
    Instead of reporting activity, report capital protection.

    Before proposing any initiative, answer five questions:
    What asset is truly at risk?
    What is the probable impact?
    What is the financial exposure range?
    How does this reduce probability or impact?
    Is the cost justified by the risk reduction?
    If $1 of spend doesn't clearly reduce $10 of exposure, expect friction.

    Security doesn't lose budget because it's expensive. It loses budget because it sounds operational instead of strategic. The most dangerous risk in cybersecurity right now is misalignment between technical language and capital language.

    If you're leading security today, ask yourself: Are you reporting metrics… or are you reporting business protection?

    Curious how others are reframing board conversations this year. Follow Marcel Velica for more insights on executive security leadership, risk strategy, and board-level communication. If this resonated, reshare it with other security leaders who need to see this.

  • James Gorman

    Author | Fractional CISO & CTO | 3x Top Global CISO Award Winner | Speaker | The IT Leader’s Guide to Cybersecurity Programs: From Basics to AI

    5,149 followers

    The board asked me: "Are we secure?"
    I said: "That's the wrong question."
    "Here's what I can tell you:
    • We detected 3 attempted breaches last quarter. All contained within 4 hours.
    • 12% of our critical assets have no documented owner. I'm fixing that.
    • Our mean time to patch critical CVEs is 72 hours. Industry average is 16 days.
    • We haven't tested our backups in 6 months. That's my #1 priority this quarter."

    They didn't ask about our EDR vendor. They asked about risk, metrics, and accountability. Cybersecurity isn't a technology problem. It's a business risk management problem. If you're still speaking in CVE scores to your board, you're speaking the wrong language. Learn theirs. Or get a translator.

    #CISO #cybersecurity #boardroom #riskmanagement #infosec

  • Margarita Rivera

    SVP, Global CISO at Carnival Corporation • Advisor & Mentor ★ NDC Authentic Leadership Award Recipient (2024) and CISO Connect Trailblazer Award (2026) ★

    9,435 followers

    Cybersecurity isn't just about fighting fires. It's about telling the story in a way everyone at the table actually understands. Too often CISOs and security pros get caught up in jargon and deep tech details that go right over the heads of CEOs and boards. Sameer Ansari from Protiviti nails it. We need to dial it back to the basics, where the focus is on what could happen, how likely it is, and what we're doing to respond, not a data dump. Here's the truth. If the board can't grasp the risks and controls, how can they make smart decisions? With AI and new tech pushing the envelope, this kind of clear, ongoing conversation isn't a nice to have; it's critical. If you're a security leader, your job isn't just to defend; it's to translate, connect and collaborate. Cyber risk is a business risk and it deserves a seat at the real decision-making table.
