For many years, cybersecurity sat firmly in the remit of IT teams. It was seen as technical, specialist and pretty much invisible to the wider organisation unless something went wrong. This, however, is changing quickly.
In October 2025, ministers and national security leaders wrote directly to FTSE350 executives and chairs, urging that cyber risk be treated as a board-level priority and that formal governance frameworks be adopted.
That message is being reinforced by policy, including the Cyber Security and Resilience Bill which is currently progressing through Parliament, and through the Government’s own Cyber Action Plan which aims to minimise risks to public services.
The Government is sending clear signals that cyber resilience is no longer something to be ‘passed to IT’. Instead, it is increasingly being moved onto the board-level agenda and viewed as a core part of corporate governance.
From technical to enterprise risk
Cyber incidents have long had the potential to cause operational disruption, but what has changed is the scale of their potential consequences and the public awareness of them. We know that a serious cyber incident today can bring operations to a standstill, expose sensitive data, damage reputation and trigger regulatory scrutiny. In sectors such as utilities, retail, finance and healthcare, the potential societal impact of major cyber disruption has also become more apparent.
As a result, cyber risk is increasingly being treated in the same category as other strategic business risks such as financial resilience, supply chain disruption or regulatory compliance.
This means that cyber strategies are no longer simply about providing technical safeguards; they’re a core element of how organisations manage risk. For boards and senior leaders, cyber resilience must be fully understood as an enterprise risk that requires clear ownership and oversight.
The move towards board accountability
Historically, cybersecurity discussions rarely reached the boardroom unless there was a big incident. This is no longer the case, with policymakers and regulators increasingly saying that responsibility for cyber resilience sits with leadership. Boards are expected to understand their exposure to cyber risk, ensure appropriate mitigation measures are in place and demonstrate that resilience is being actively considered and managed.
That’s not to say that directors and senior leadership are expected to become cybersecurity experts. But they are expected to ask informed questions, understand the organisation’s risk and ensure appropriate governance is in place. This is similar to how boards oversee other areas of corporate risk – directors may not personally manage financial audits or operational safety processes, but they are responsible for ensuring robust systems and oversight mechanisms are in place.
One positive development is that Chief Information Security Officers (CISOs) are increasingly present in boardroom discussions. Cyber risk can only be governed properly if security leaders have direct access to senior decision-makers and the opportunity to brief boards regularly. However, many organisations are still seeing a disconnect in how those conversations take place.
Boards typically approach cyber risk through the lens of strategic and enterprise risk. Senior leaders want to understand financial exposure, regulatory implications, operational disruption and reputational impact, while security leaders often communicate in technical terms. Updates may focus on patching rates, vulnerability counts or system-level metrics that are meaningful within cybersecurity teams but harder for non-specialists to interpret. As a result, board discussions can feel frustrating for both parties: directors are asking strategic questions, while the information they receive back is often highly technical.
For cyber resilience to be governed effectively, that gap needs to close. Increasingly, organisations are recognising the importance of translating technical cyber information into business risk. Instead of focusing solely on operational metrics, board discussions need to address how exposed the organisation is to specific threats, what the financial and regulatory implications might be if those threats materialise and how customer or stakeholder trust could be affected.
And there are now specifically designed interventions, including our own cyber resilience assessment, that can help boards to understand the specific risks facing their business, what actions need to be taken to address them, and how well they would recover, in ways that resonate with them.
Cyber risk needs to be framed in the same language used for other enterprise risks – so around impact, likelihood, exposure and resilience, with real life case studies and real-world incident rehearsals used where possible to illustrate. It’s hard to argue when presented with real-life stats on profits, sales and shares plummeting in the aftermath of an attack.
When this change in communication happens effectively, the role of security teams within organisations also begins to evolve. Rather than operating as technical specialists behind the scenes, they become recognised as key enablers of business strategy.
The strategic advantage of resilience
Although regulatory pressure is driving much of the increased focus on cyber resilience, it should not be viewed purely through a compliance lens or treated as a tick-box exercise. Organisations that see resilience as a strategic capability often gain wider benefits.
Strong cyber governance can improve operational reliability, strengthen supply chain confidence and reassure customers, partners and investors that risk is being managed responsibly. In an environment where cyber incidents regularly dominate headlines, visible commitment to resilience can also become a sign of maturity. Many are now seeing cyber resilience as another way to build trust, not just avoid penalties.
Three simple steps leaders can take now
For organisations still developing their approach to cyber governance, there are three practical steps leaders can take now.
Firstly, boards should ensure cyber risk is integrated into existing governance and risk frameworks, rather than treated as a standalone technical issue.
Secondly, leadership teams should focus on understanding organisational resilience, including incident response and recovery capabilities, not just preventative security controls.
Finally, cyber resilience should be treated as a shared leadership responsibility rather than a technical function owned by one department, and it should be a standing agenda item in board and leadership meetings rather than a topic raised only after an incident.
Ultimately, when resilience is embedded across leadership teams and they fully recognise its importance, organisations are far better positioned to respond effectively when incidents do happen.