
Boards and Cyber Security – How to Talk About Investment


It’s a common misconception that stopping cyber attacks just means hiring security experts and buying the latest technology. The reality is, most organisations only realise this isn’t enough after they’ve been attacked. Suddenly, cyber security becomes the board’s top priority.

Boards often don’t want to spend money on cyber security until something goes wrong. Usually, they don’t see how much damage a cyber attack can cause. Or, nobody has explained the risks to them in a way they understand.


Bridging the Gap

Given how dramatically the risk of cyber attack has risen over the last decade, this is no surprise. Even experienced security professionals have been caught out by the surge in disruptive cyber crime.

What matters is bridging the gap with boards by arguing the case for investment using terms of reference they can process. In large organisations, this falls to roles such as CISOs, CTOs or CIOs, while in smaller organisations, it’ll often be the head of IT or a similar role.

Although some of the language will be different between these environments, the principles remain the same.


Use Simple Language

Board members are appointed for their business experience and background rather than cyber security or IT knowledge. Their knowledge of cyber security issues will often come from reading about incidents in the media that focus on the impact and damage. The first step is to develop a common language to discuss the issue.

Technical arguments and jargon don’t cut it. It’s better to explain an organisation’s security as a series of protections around layers, for example, users, data, devices, applications, the network, and cloud assets. Highlight advancements such as passwordless authentication and AI-driven threat detection, which have become key.

The message is that cyber attacks attempt to breach multiple layers at once, which is why each must be defended on a 24×7 basis using specific policies and technologies.


Boards Understand Risk

Using threats like ransomware to justify spending can be tricky and often leads to confusion. It is better to describe risk by outlining the vulnerable elements of the organisation’s infrastructure and how each might be better secured. For example, a common threat technique is to attempt to steal credentials using phishing – a type of cyber attack in which fraudsters impersonate legitimate organisations or individuals to deceive people into disclosing sensitive information such as passwords or personal data. This is a simple tactic whose outcome can be severe.

This can be countered through investment in user training, but also email filtering and authentication. It’s not how these work that matters, but how they prevent a given outcome.

It’s also important to talk about policies, for example, the adoption of principles such as zero trust – a security approach where no one is trusted by default, and every user or device must be verified every time they try to access resources. Zero trust doesn’t mandate which technologies must be deployed but outlines a trust architecture that must be applied consistently to achieve its objective.

Here are just a few examples of organisations, across various sectors, affected by cyber security incidents, demonstrating the need for robust security measures:

  • The retail sector: A group known as Scattered Spider coordinated attacks on major retailers, including Marks & Spencer and Co-op in 2025. These attacks resulted in significant disruptions and drew attention to vulnerabilities in the retail sector’s cyber security infrastructure.
  • HMRC: Over 100,000 taxpayer accounts were compromised in a cyber attack on HMRC. Cyber criminals stole more than £47 million, highlighting the persistent threat of cybercrime to governmental financial institutions.
  • BBC: The BBC experienced a significant data breach affecting the personal information of over 25,000 current and former employees. The breach involved the unauthorised copying of private records from an online data storage service.


Incident Response

The most extreme example of risk is a sudden emergency, such as an unfolding ransomware attack. This is one area where many CIOs find themselves asking for more money, not only for in-house expertise and response capability, but also for third-party support. The board needs to understand the importance of this spending.

Cyber attack response planning should be treated in a similar way to how organisations plan against unusual weather, pandemics, or economic disruption.

Clear plans on how to respond to ransomware and data breaches are essential. It’s important to decide if cyber security insurance (that covers ransomware and extortion) is an option for the organisation, and to understand what additional funds may be available to support recovery following an attack.

The board needs to recognise how automated incident response systems can help deal with cyber attacks quickly. They should also be aware that failing to comply with regulations like GDPR can lead to significant fines.


Key Performance Indicators (KPIs)

It’s not enough simply to make a series of spending recommendations based on technical arguments. The board must have confidence that this spending is part of a long-term strategy whose success the organisation can measure objectively over time. The business might also consider introducing KPIs that reflect new technologies, such as the effectiveness of AI-driven threat detection and the adoption rate of newer security measures.

A common cyber security KPI is reducing the organisation’s reliance on vulnerable legacy systems, typically unsupported software. This is useful because the reduction in legacy equipment can be measured and reported quite precisely. The board approves spending on new systems and migration, and gets a defined, understandable reduction in risk in return.


Independent Assessment

Boards will often want more than a list of KPIs, however, and will want to understand how these relate to higher-level governance regimes, for example, GDPR or NIST’s Cybersecurity Framework. This can be achieved by carrying out a benchmarking exercise that compares an organisation to its peers and gives boards an idea of maturity level.

However, this doesn’t mean that technical assessments have no place. A good example is to conduct independent assessments such as penetration testing. This provides a degree of reassurance, so the board doesn’t have to take it on trust that its security design is meeting its goals.


Cyber Security is Competitive

Strong cyber security can now be a real competitive advantage. In the past, a cyber attack was often seen as just an IT problem – something that could be fixed with some extra work and minor embarrassment. However, the surge in data breaches, theft of intellectual property, and ransomware has changed this.

Severe cyber attacks now represent a huge potential bill and possibly even an existential threat. It follows that organisations that can resist or minimise the impact of cyber attacks can gain a competitive advantage over peers that fail to do this.


A Strategic Imperative: Boards and Cyber Security Alignment

Bridging the gap between an organisation’s cyber security function and its management is, as an idea, far from new. What has changed, however, is the urgency of making it happen in a way that leads to concrete improvement rather than a lot of meetings and talks.

This isn’t simply about best practice and compliance but about survival. The organisations that find a way to turn cyber security from IT’s unwanted child into a part of their strategic planning will be the ones that survive into the future.


Achieve Cyber Security Certifications For Your Business

Get started on your journey to Cyber Essentials and Cyber Essentials Plus and ISO 27001 certifications for your business with British Assessment Bureau.
