It is 2 a.m. The security team is facing a flood of alerts, unsure who should make critical decisions. Important systems are sending warnings, but no one knows which ones to address first. Key contacts are hard to reach, and every passing minute could turn a small problem into a full-blown crisis. It sounds like a scene from a movie, but it happens far more often than most realize. Even with policies and frameworks in place, gaps in cybersecurity governance can quickly turn a manageable incident into a serious operational and reputational risk.

In this blog I highlight the most common governance-related pitfalls, from unclear decision-making to fragmented responsibilities, and explain why addressing them is essential for building a strong, resilient cybersecurity function. I have also included practical steps to help you strengthen your cybersecurity governance and make cybersecurity a true organization-wide priority.

When the board fails to act

In my work advising boards across industries, certain patterns repeat themselves far too often. Observing them in practice shows why cybersecurity often struggles to gain the attention it deserves.

  • Cyber illiteracy: In some boardrooms, directors come armed with financial and operational expertise but little understanding of cyber. When they nod along as CISOs present technical threat reports, it is often unclear whether they know which questions to ask. This knowledge gap makes it difficult to challenge assumptions or make informed decisions.

  • Legacy view as an IT issue: Too many boards still leave cybersecurity discussions exclusively to IT. In these cases, strategic risks including legal, operational, reputational, and regulatory matters remain underexplored. Cybersecurity is a business-wide concern, but this outdated mindset keeps it siloed.

  • Competing priorities: Board agendas are crowded, and cybersecurity rarely wins out against financial performance or strategic growth initiatives. I have observed meetings where it is mentioned only briefly and is given full priority only after an incident occurs. This deprioritization turns cyber into a reactive conversation rather than a proactive strategy.

  • Complacency without incidents: The absence of a breach can be deceiving. I have seen leadership teams assume their defenses are sufficient simply because nothing has happened. In reality, this false sense of security often hides vulnerabilities that could be catastrophic if left unaddressed.

Changing the Narrative: from technical concern to strategic imperative

The framing of cybersecurity as a technical issue, something for IT to handle in the background, is not only outdated, it is dangerous. In our work with leadership teams across sectors, we see how this narrow view limits progress and leaves organizations exposed. Cybersecurity is not just about firewalls and patches; it is about protecting the business, its reputation, its operations, and its people.

To change the narrative, organizations must start by reframing cybersecurity as a strategic enabler. This means elevating cyber from the server room to the boardroom, embedding it into decision-making processes, and treating it as a core business risk, on par with financial, legal, and operational risks.

To achieve this, I recommend the following steps:

  • Make cybersecurity a board-level topic: Cyber should be a standing item on board agendas with regular updates from the CISO or equivalent, not a reactive discussion after an incident. Boards must be equipped to ask the right questions, challenge assumptions, and understand the implications of cyber risks on business strategy.

  • Invest in cyber literacy: Leadership teams need more than awareness; they need understanding. This doesn’t mean turning executives into technical experts, but it does mean giving them the tools to interpret cyber risks, evaluate trade-offs, and make informed decisions. The way to get there is tailored cyber education programs for executives and board members, focusing on threat landscapes, regulatory obligations (e.g. NIS2, DORA), risk frameworks, and business implications.

  • Integrate cyber into enterprise risk management: Cyber risks should not sit in isolation. They should be mapped to business processes and strategic objectives, showing how a breach could disrupt operations, compliance, or reputation. They must be woven into enterprise risk assessments, aligned with the overall business risk appetite, and tracked in the same risk register as every other enterprise risk.

  • Measure what matters: Boards need tailored dashboards and insights, but above all they need metrics that reflect operational reality rather than compliance checkboxes. Reporting should avoid excessive technical detail, but it does mean developing and tracking KPIs and KRIs that reflect operational readiness, such as time to detect and respond to incidents, backup restoration success rates (measured by actual restore tests, not by whether backups ran), MFA coverage across critical systems, and the number and age of unresolved vulnerabilities, since a raw count hides whether the serious ones are being fixed.

The CISO’s role: A balancing act of disciplines

A key stakeholder in this new narrative, and an enabler of the board, is the CISO (Chief Information Security Officer). No longer confined to technical oversight, the modern CISO is expected to operate at the intersection of cybersecurity, business strategy, and enterprise governance.

CISOs today are expected to wear many hats:

  • Technologist: Deep understanding of threat landscapes, architecture, and tooling.

  • Strategist: Aligning cyber initiatives with business goals.

  • Board Communicator: Translating technical risks into business language.

  • Leader and Visionary: Building teams, driving culture, and anticipating future risks.

Yet in reality, I see many CISOs being pulled into operational firefighting: responding to incidents, managing compliance tasks, and navigating fragmented reporting structures. This leaves little room for strategic leadership, and even less for proactive risk management. To unlock the full potential of the CISO role, organizations must build governance structures that support strategic focus. This means more than giving CISOs a seat at the table; it means enabling them to lead.

Some practical conditions that I think need to be met to empower the CISO:

  • Clear boundaries: The boundaries between IT and OT (operational technology) must be explicitly defined. Without this clarity, CISOs are left navigating overlapping responsibilities and conflicting priorities. A formal accountability model, such as a RACI matrix that names who is responsible, accountable, consulted, and informed for each security activity, ensures alignment and enables focused leadership.

  • Executive access: The CISO must have regular, scheduled access to executive leadership. These sessions should go beyond incident updates and focus on strategic risks, investment priorities, regulatory obligations, and business alignment.

  • Business-impact reporting: Reporting must translate technical risks into business impact. Dashboards and briefings should answer key questions: What does this risk mean for operations, compliance, or reputation? What decisions are needed?

  • Feedback loops: Incident data, audit findings, and threat intelligence must inform governance decisions. Structured feedback loops ensure that board strategies are grounded in operational reality, not assumptions. This creates a continuous learning cycle between frontline teams and leadership.

NIS2: The Accountability Revolution

As boards begin to engage more meaningfully with cybersecurity, regulation is accelerating the change. The EU’s Network and Information Systems Directive 2 (NIS2) marks a fundamental shift in how cybersecurity is governed. No longer confined to IT departments or delegated to CISOs alone, NIS2 places direct accountability on board members and senior management to oversee, approve, and actively engage in cybersecurity risk management, and it requires them to follow training so that they can do so competently. For the first time, board members face personal liability for cybersecurity failures. This shift reflects a broader recognition that cybersecurity is a core governance concern with strategic, operational, and legal implications.

We observe a cautious but noticeable shift in how boards engage with cybersecurity. NIS2 has helped bring the right topics to the table, such as risk ownership, operational resilience, and strategic oversight, and has opened doors to revisit governance structures. Cybersecurity is appearing more regularly on board agendas, CISOs are gaining visibility, and funding for cyber programs is becoming more accessible.

This shift is reflected in the nature of boardroom discussions. Executives are starting to ask more informed, business-driven questions, such as: What is our recovery time objective for core business processes? How would a supply chain compromise affect our operations? These are strategic questions with technical implications, indicating a deeper understanding of cybersecurity’s role in business continuity and risk management.

Path forward

Cybersecurity governance will continue to shift, shaped by new regulations and evolving risk landscapes. While frameworks like NIS2 help elevate the conversation and create a window of opportunity, meaningful change depends on how organizations respond and adapt. Meanwhile, we remain committed to supporting businesses in navigating cybersecurity challenges, including implementing effective governance structures and strengthening resilience. I hope the insights shared in this blog give you and your organization some actionable steps in the right direction.

Next in our series

In our upcoming posts, we’ll shift from governance to the operational realities that make or break cybersecurity programs.

First up, how to use MFA to outsmart cyber threats.