What changed: the shift from IT problem to business risk
High-profile incidents have made cybersecurity outcomes visible to boards, customers, insurers and regulators simultaneously in a way that simply wasn't true a decade ago. The MOVEit vulnerability exposed data at hundreds of organisations. The SolarWinds supply chain attack hit government agencies and major enterprises. NHS ransomware incidents took clinical systems offline for weeks, with direct consequences for patient care and public accountability.
These aren't stories about technology failures. They're stories about operational disruption, reputational damage, regulatory scrutiny and financial loss – all things that boards are responsible for managing. When a ransomware attack shuts down operations for a fortnight, the board can't point to the IT team and say it was nothing to do with them.
Cyber insurance has tracked this shift precisely. Premiums have risen sharply over the past few years, and underwriters now ask detailed questions about controls before they'll quote at all – questions about multi-factor authentication, privileged access management, backup integrity and incident response capability. If you can't answer those questions, either your premiums go up or your coverage is refused. That makes cybersecurity a commercial matter with a direct line to the board.
Why IT ownership of security creates governance risk
IT teams are not well-positioned to be the sole owners of cybersecurity risk. That's not a criticism – it's a structural problem. IT teams have legitimate incentives to manage how security risks are communicated upward. They don't want to create alarm that triggers difficult questions. They're competing with other priorities for budget. And they're often evaluating their own work, which is never ideal from a governance perspective.
The result is that boards frequently receive an incomplete picture. A technical briefing that says "we patched 94% of vulnerabilities this quarter" sounds reassuring but tells you nothing about whether the 6% that weren't patched include your most critical systems. Boards need independent visibility into cybersecurity risk – framed in commercial terms, not technical ones.
There's also a skills gap at board level that compounds this. Most boards don't include anyone with a meaningful cybersecurity background. That makes it easy for technical complexity to become a shield – whether intentionally or not – rather than a genuine explanation. Governance requires the ability to ask good questions, and you can only do that if you know what to ask.
What regulators and frameworks now require from senior leadership
The regulatory environment has shifted materially. The UK Corporate Governance Code and FRC guidance increasingly reference technology and cyber risk as matters for boards, not just audit committees. The expectation is that boards understand the nature of their technology risk exposure and can demonstrate that they're actively governing it.
The EU's NIS2 Directive, which came into force in October 2024, goes further. It includes explicit board accountability provisions: senior management must approve cybersecurity risk management measures and can be held personally liable for failures where negligence is found. NIS2 applies to a much wider range of organisations than its predecessor, including many mid-sized businesses in sectors previously not covered.
In the UK, the Cyber Security and Resilience Bill – currently progressing through Parliament – is expected to bring similar provisions into domestic law, expanding scope and strengthening accountability requirements for senior leadership. The direction of travel is clear: regulators want to see boards personally engaged with cybersecurity, not delegating it entirely to technical teams and hoping for the best.
Cyber Essentials, the UK government-backed certification scheme, provides a useful governance baseline. It's not a comprehensive security framework, but it gives boards a defined standard to point to and an independent assessment of whether basic controls are in place. For many SMEs it's the right starting point.
The questions a board should be asking about cybersecurity
You don't need to be a security expert to govern cybersecurity effectively. You need to ask the right questions and expect clear, non-technical answers. These are the ones that matter:
- What are our most critical digital assets? What data, systems or processes, if compromised, would cause the greatest harm to the business? Does the security team know what they are, and are those assets protected accordingly?
- What would a ransomware attack cost us in operational downtime? Not a theoretical figure – a real estimate based on which systems would go offline and how long recovery would take. If no one has modelled this, that's the answer.
- When did we last test our incident response? Having a plan and having tested it are different things. Tabletop exercises and simulated incidents reveal gaps that documents don't.
- What is our cyber insurance coverage, and does it match our actual risk profile? Many businesses discover coverage gaps after an incident. The time to review this is before one happens.
- What are our key supply chain security risks? Third-party software and service providers are one of the most common attack vectors. Does the business know which suppliers have access to critical systems?
If you can't get clear answers to these questions, that tells you something important about the state of your security governance.
Building board-appropriate cybersecurity reporting
Most cybersecurity reporting is written for IT teams. If your board is receiving dashboards full of CVE counts, patch percentages and firewall rule changes, they're not getting information they can act on.
Board-level reporting should translate technical measures into commercial risk language. A useful monthly or quarterly cyber dashboard covers a small number of metrics that actually indicate business risk exposure:
- the number of critical vulnerabilities that remain unpatched, and for how long
- the number of privileged accounts, and whether that number is growing
- phishing simulation results (what percentage of staff clicked a test link, and what percentage reported it)
- the current status of cyber insurance coverage
It should also include a brief narrative – what changed this period, what the key risks are and what's being done about them. This doesn't need to be long. A single page that a non-technical board member can read and understand in five minutes is far more useful than a 40-slide technical deck.
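As an added illustration (not code from the original article or from Route B), the script below computes the dashboard metrics just described, plus the one-paragraph narrative, from constructed scanner, identity and phishing-simulation data. It also shows why the "94% patched" figure from earlier is misleading on its own: the constructed data set is 94% patched overall, yet every unpatched finding sits on a critical system. All asset names, dates, counts and the insurance status line are hypothetical sample values.

```python
"""Board-level cyber dashboard metrics computed from constructed sample data."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding as a scanner or the IT team would record it."""
    asset: str
    asset_critical: bool  # asset is on the board's list of most critical systems
    severity: str         # "critical", "high", "medium" or "low"
    first_seen: date
    patched: bool


@dataclass(frozen=True)
class PhishingSimulation:
    sent: int
    clicked: int
    reported: int


# Constructed sample data (hypothetical, not from the article): 47 low-severity
# findings on workstations, all patched, plus three unpatched findings on
# critical systems. Headline patch rate is therefore 47/50 = 94%.
AS_OF = date(2025, 3, 31)
FINDINGS = [Finding(f"workstation-{i:02d}", False, "low", date(2025, 3, 10), True)
            for i in range(47)]
FINDINGS += [
    Finding("erp-db-01", True, "critical", date(2025, 1, 15), False),      # 75 days open
    Finding("backup-server", True, "critical", date(2025, 2, 20), False),  # 39 days open
    Finding("vpn-gateway", True, "high", date(2025, 3, 25), False),        # 6 days open
]
PRIVILEGED_ACCOUNT_SNAPSHOTS = [(date(2024, 12, 31), 18), (date(2025, 3, 31), 23)]
PHISHING = PhishingSimulation(sent=200, clicked=24, reported=58)
INSURANCE_STATUS = "in force; renewal due 2025-06-30; underwriter MFA questionnaire outstanding"


def patch_rate_pct(findings):
    """The IT-style headline figure: share of all findings that are patched."""
    return round(100.0 * sum(f.patched for f in findings) / len(findings), 1)


def unpatched_on_critical_assets(findings, as_of):
    """Board-relevant view: open critical/high findings on critical assets, oldest first."""
    exposed = [f for f in findings
               if not f.patched and f.asset_critical and f.severity in ("critical", "high")]
    exposed.sort(key=lambda f: f.first_seen)
    return [(f.asset, f.severity, (as_of - f.first_seen).days) for f in exposed]


def privileged_account_trend(snapshots):
    """Current privileged-account count and the change since the previous snapshot."""
    ordered = sorted(snapshots)
    current = ordered[-1][1]
    previous = ordered[-2][1] if len(ordered) > 1 else current
    return current, current - previous


def phishing_rates_pct(sim):
    """Click rate and report rate from a phishing simulation, as percentages."""
    return (round(100.0 * sim.clicked / sim.sent, 1),
            round(100.0 * sim.reported / sim.sent, 1))


def board_dashboard(findings, snapshots, sim, insurance_status, as_of):
    """The small set of numbers a board pack needs, keyed by plain-English names."""
    exposed = unpatched_on_critical_assets(findings, as_of)
    priv_count, priv_change = privileged_account_trend(snapshots)
    click_pct, report_pct = phishing_rates_pct(sim)
    return {
        "patch_rate_pct": patch_rate_pct(findings),
        "unpatched_on_critical_assets": len(exposed),
        "oldest_unpatched_days": exposed[0][2] if exposed else 0,
        "privileged_accounts": priv_count,
        "privileged_accounts_change": priv_change,
        "phishing_click_pct": click_pct,
        "phishing_report_pct": report_pct,
        "insurance": insurance_status,
    }


def narrative(dash):
    """One-paragraph plain-English summary for a non-technical reader."""
    return " ".join([
        f"Headline patch rate is {dash['patch_rate_pct']}%, but "
        f"{dash['unpatched_on_critical_assets']} critical or high-severity findings on "
        f"critical systems remain open, the oldest for {dash['oldest_unpatched_days']} days.",
        f"Privileged accounts: {dash['privileged_accounts']} "
        f"({dash['privileged_accounts_change']:+d} since last period).",
        f"Phishing simulation: {dash['phishing_click_pct']}% clicked, "
        f"{dash['phishing_report_pct']}% reported.",
        f"Cyber insurance: {dash['insurance']}.",
    ])


if __name__ == "__main__":
    print(narrative(board_dashboard(FINDINGS, PRIVILEGED_ACCOUNT_SNAPSHOTS,
                                    PHISHING, INSURANCE_STATUS, AS_OF)))
```

The design point is that the board-facing metric is filtered by asset criticality and age, not by overall volume: the same data yields a reassuring 94% and an alarming 75-day-old unpatched critical finding on the ERP database, and only the second number supports a decision.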
The goal is to give the board enough visibility to ask good questions and make informed decisions about risk appetite and investment – not to turn them into security specialists.
What a cyber-aware board looks like
A board that's engaging well with cybersecurity doesn't need deep technical expertise. It needs a few specific things.
At least one member with relevant experience – ideally someone who has either led a security function or sat on a board during a serious incident. This person doesn't need to run the programme; they need to be able to ask the right questions and recognise when answers are incomplete.
Regular agenda time for cyber risk – not just when something goes wrong. Cybersecurity should be a standing item on the risk register and should surface at least quarterly in board discussions, not only when there's a crisis or an insurance renewal coming up.
A clear escalation path. The board should know, in advance, who tells them what and when in the event of an incident. Finding out during an active ransomware attack that there's no agreed escalation protocol is not the moment to start designing one.
And crucially, a willingness to spend. Cyber risk governance without resource allocation is just a paper exercise. Boards that engage seriously with security reporting and then refuse to fund the remediation work it identifies are creating a different kind of risk – one that's documented.
The CISO and fractional security leadership for SMEs
A Chief Information Security Officer (CISO) is the senior executive responsible for an organisation's cybersecurity strategy, risk management and compliance. For large organisations, a full-time CISO is the standard model. For most SMEs, it isn't financially viable – and often isn't necessary.
The alternative is a virtual CISO (vCISO) or fractional security leadership arrangement: a senior security professional who works with the business on a part-time or retained basis, providing strategic oversight without the full-time overhead. This gives the board access to genuine security expertise – someone who can own the risk register, brief the board in terms they understand, manage the technical team's output and engage with insurers and regulators – at a cost that works for an SME.
The key is that this person reports to the board or CEO, not to the IT function. Security leadership that sits within IT is subject to the same governance problem we described earlier. Independence is part of the value.
Starting the governance conversation
The practical starting point for most boards is an honest assessment of where they are now. Not a technical audit – a governance review. What decisions about cybersecurity has the board actually made in the past 12 months? What information has it received? What questions did it ask? What was done with the answers?
If the honest answer is "very little", that's not unusual – but it is a starting point for change, not a reason to avoid the conversation. The regulatory and commercial pressure to engage with this seriously is only going to increase. The businesses that get ahead of it now will be in a materially stronger position than those that wait for an incident to force the issue.
Route B helps leadership teams understand their cybersecurity risk exposure and build appropriate governance frameworks. Get in touch.