
Holding Leadership Accountable Around Cybersecurity


The role of the Board has to go beyond oversight, given the criticality cybersecurity has acquired


This interesting piece in the HBR reflects on recent research around cybersecurity governance, but I think the analysis does not go far enough (“Boards Need a More Active Approach to Cybersecurity”, Noah P. Barsky and Keri Pearlson, 20th May 2025).

First, as almost always, I miss a stronger sense of historical perspective, both around cybersecurity as a discipline and around the role of the Board in that respect.

It seems lost on too many industry players that cybersecurity practices have been developing and structuring themselves for the best part of the last three decades.

Most large firms would have been active in that space for the best part of that period; many would have experienced data breaches, possibly significant ones.

With regard to the Board’s role in that space, it has been building up over the past 10 years; I was already writing about it in 2016 in the wake of the TalkTalk data breach in the UK, and again in 2019 and in 2022, commenting on another piece in the HBR, coincidentally from the same author (“7 Pressing Cybersecurity Questions Boards Need to Ask”, Dr Keri Pearlson and Nelson Novaes Neto, 4th March 2022).

You cannot re-examine the Board’s approach to cybersecurity in 2025 without looking back at each firm’s history on the matter, how the discussion was framed in the past, what has worked and what hasn’t.

The colossal amount of technical debt in many firms, which the research rightly highlights, also affects cybersecurity practices and is often the result of those flawed conversations, which all too often have had only a short-termist dimension and have allowed a box-ticking culture to set in around cybersecurity.

Underestimating the strategic importance of cybersecurity while overestimating the firm’s levels of preparedness and protection cannot be taken as a raw fact or seen as an emerging situation: it is likely to be the result of earlier practices that have been structuring themselves over a number of years, and the resulting situation can only be analysed in that context.

It may be a simplistic view on corporate governance but from my perspective, the Board has a duty to ensure that the firm is and remains sufficiently protected from the threats that may target it, cyber threats as well as others. In the volatile and complex world we live in, this is a duty to shareholders, as well as customers, staff and for some critical operators, society at large.

Of course, this has to be rooted in a business understanding of those threats at Board level (expertise that can be developed in-house or brought in).

But I don’t think many legislators or regulators would be satisfied with the role of the Board being limited to a sense of “stewardship”, particularly given the criticality of cyber threats.

I have been advocating for years that the Board needs to hold the leadership team accountable for the protection of the business and should ask for clear roles and responsibilities to be defined at that level, possibly with links to compensation packages.

Ideally, a CSO role should emerge encompassing all business protection aspects, including cybersecurity of course, but also data privacy, business continuity and regulatory compliance: a portfolio large enough to attract the right calibre of executive, with a level of management and political experience commensurate with the challenges involved and the type of stakeholders to be faced.

In many firms, this is becoming quite simply a matter of common sense and good leadership in the face of the non-stop cyber-attacks all industry sectors have faced over the past two decades.


JC Gaillard

Founder & CEO

Corix Partners



Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.