The Board’s Role in Cybersecurity

The Board’s Role in Cybersecurity – Why “We’ve Got an IT Guy for That” Doesn’t Cut It

It’s long been stated by the likes of ASIC, the AICD, and just about every regulator worth their salt that cybersecurity risk is a business risk. Not an IT issue.

This isn’t new information. That position has been around for years. Yet too many business leaders, executives, and board members still treat it like a revelation. The all-too-common mindset of “we’ve got an IT guy for that” is, frankly, spurious at best and fallacious at worst.

Your IT team is there to manage systems, networks, and operations. They’re not necessarily the ones equipped to assess and manage cybersecurity risk. IT and cyber are related, certainly, but they are not the same.

You wouldn’t ask your tax accountant to draft your will, and you wouldn’t consult your general counsel about criminal law if they specialise in contracts. They’d tell you they “know a guy” – an expert in that domain. The same principle applies here. Your IT team should know their cyber guy.


Governance Means Accountability

It’s now an expectation from regulators, investors, and insurers alike that boards demonstrate active engagement in governing cyber risk. And if they don’t, directors may find themselves personally liable for failing their duties of care and diligence.

Boards don’t need to know how to configure a firewall or apply a patch. But they do need to ensure there’s a structured framework in place – one that’s assessed, managed, reviewed, and implemented by qualified experts.

Failing to do so isn’t just an operational weakness. It’s non-conformance. It’s negligence. And when the next breach happens, it’s also indefensible.


Cyber Literacy is the New Financial Literacy

Boards have long been stacked with professionals strong in finance and law. That’s a hangover from the Enron collapse, which forced a reckoning around financial literacy and governance.

We’re now at the same turning point for cybersecurity.

Directors don’t need to become penetration testers or cryptographers. But they do need enough literacy to ask intelligent questions:

  • Are our controls adequate for the risks we face?
  • Are we following frameworks like ISO 27001, SOC 2, or NIST CSF?
  • Do we have independent validation of what our internal teams are saying?

For smaller firms, frameworks like SMB 1001 offer a practical way to start building that maturity without the overhead of enterprise standards.

The point is simple – the board must be able to interpret the answers it’s given and challenge them where needed.


Proportionality Matters

Cybersecurity isn’t one-size-fits-all. There’s no point dropping banking-grade security onto a suburban florist, and conversely, what keeps a small retailer safe won’t cut it for a financial services firm.

Boards must understand proportionality – the balance between operational capability, risk exposure, and the cost of control. Cybersecurity should be right-sized for the organisation’s risk appetite, not copied from a checklist.


Integrating Cyber into Enterprise Risk

Cyber risk can’t sit in an isolated “technology” column on a risk register. It must be integrated into enterprise risk management. That means:

  • Defined ownership and accountability
  • Clear reporting lines and escalation paths
  • Agreed appetite and tolerance levels
  • Regular review as part of ongoing governance cycles

As the organisation matures, these elements should align with recognised frameworks and control sets. Cybersecurity isn’t a bolt-on – it’s an embedded component of good governance.


Reporting the Right Things

Boards don’t need weekly updates on patches, firewall rules, or server uptime. That’s not governance, that’s noise.

What the board does need is visibility into:

  • Shifting risk exposure over time
  • Key areas of concern or non-conformance
  • The business impact of remediation versus inaction
  • Trends that signal improvement or decline in posture

Risk reporting should translate technical outcomes into business implications. “We patched 42 endpoints” is meaningless to a board. “We’ve reduced our exposure window by 30 percent in line with our risk appetite” is not.


The Board’s Role in Incident Response

Here’s where many boards come unstuck. They assume incident response is an IT exercise. It isn’t.

When ransomware hits, this becomes a business continuity, reputational, and governance crisis – all at once.

The board must know:

  • Who speaks to shareholders, regulators, and the public
  • What statements can and cannot be made
  • When and how to activate continuity and recovery plans
  • How decisions are recorded for legal and regulatory follow-up

If these aren’t rehearsed through a cyber incident or crisis exercise, the first real event will look like a flock of headless chickens.

Boards need to participate in these simulations. They reveal gaps, clarify decision paths, and – crucially – demonstrate that directors take their duties seriously.


Tone from the Top

Accountability starts at the top. If the board doesn’t care about cybersecurity, neither will management. And when leadership treats cyber as a cost centre, it becomes the first line item to be cut when budgets tighten.

That’s short-term thinking.

Cybersecurity is a business enabler. It protects reputation, maintains customer trust, meets contractual and regulatory obligations, and allows the organisation to continue to operate – and sell.

Cutting security spending because “nothing’s gone wrong yet” is the corporate equivalent of cancelling your insurance because you haven’t crashed your car.

Boards must make visible, credible commitments to security – not just for compliance, but because the health of the business depends on it.


Final Thoughts

Cybersecurity governance isn’t about fear. It’s about responsibility.

Boards don’t need to become technical experts, but they do need to engage, question, and oversee. The alternative isn’t ignorance – it’s negligence.

If your board isn’t confident that cybersecurity is being managed as a true business risk, or if you’re not sure where your responsibilities begin and end, it’s time to have that conversation.


Reach out. Let’s talk about how your organisation’s governance can evolve to meet the cybersecurity expectations of today’s regulators, investors, and customers.
