Cyber risk is now a material risk for every organisation in the UK. Yet the structures meant to govern it remain misaligned. Boards want oversight. Security leaders want investment and influence. Neither side is consistently getting what they need, and organisations are paying the price.
The gap isn’t technical. It’s structural, cultural, and in many cases, entirely avoidable.
A communication failure with real consequences
Most board-level cyber reporting fails before it starts. Security leaders default to technical language, threat counts, and crisis framing, none of which map to how boards assess risk or make decisions.
The result is a predictable impasse: boards disengage, cyber leaders feel unsupported, and risk accumulates quietly in the background.
The fix requires a deliberate shift. Cyber risk needs to be framed in the same terms as any other material business risk: financial exposure, regulatory consequence, reputational impact, and strategic continuity. When security leaders make that translation, board conversations change. Investment decisions become clearer. Accountability improves.
This isn’t about simplifying the message. It’s about delivering it in a language the board is already fluent in.
Governance doesn’t require technical expertise
One of the most persistent barriers to effective board oversight is the assumption that directors need deep cyber expertise to govern it well. They don’t. What they need is a clear framework for understanding risk, asking the right questions, and holding leadership accountable.
The NCSC’s Cyber Governance Code of Practice, published in April 2025, was designed precisely for this. Built around five core principles (risk management, cyber strategy, people, incident planning, and assurance), it gives board members a structured, accessible foundation for governance without requiring a technical background.
It is free, well-constructed, and currently underutilised. If your board hasn’t engaged with it, that’s worth addressing.
Culture is the variable most organisations underestimate
Walk into an organisation and pay attention to how security is discussed. Is it treated as an enabler of business objectives, or a cost centre that surfaces only in a crisis? Is there a culture of blame when incidents occur, or one of shared accountability and continuous improvement?
The language in use tells you more about an organisation’s security maturity than its technology stack. A security function that is siloed, reactive, and disconnected from strategic discussions will remain a risk, regardless of tooling investment. Culture determines not only how well an organisation prevents incidents, but how quickly and effectively it recovers from them.
Building the right culture is a leadership responsibility, not a technical one. It starts with inclusion, bringing security into design and change discussions from the outset, not as a final gatekeeper. It requires clear ownership of critical systems and risks at every level. And it depends on incident response plans that are tested, not just documented, with unambiguous decision-making authority when it counts.
The questions worth asking now
Organisations that respond well to cyber incidents rarely do so by accident. They have prepared. For security leaders assessing their current position, these are the areas that consistently reveal the most significant gaps:
- Do your critical systems and data have clearly defined owners?
- Have you tested your offline or immutable backups, not just confirmed they exist?
- Does your incident response plan include clear, pre-agreed authority for escalation decisions?
- Is security embedded in change programmes from day one?
- Are your cyber risks integrated into the enterprise risk framework, or managed in isolation?
None of these are quick wins. But understanding where the gaps are puts leadership in a significantly stronger position than discovering them during an active incident.
The broader shift underway
There are early signs of genuine progress. The tone around cyber incidents is changing. The culture of blame that followed high-profile breaches, often directed at the CISO, has begun to give way to greater organisational accountability and a more considered public response. Information sharing between organisations, long inhibited by reputational risk, is increasing and is already demonstrably reducing the impact of attacks.
The direction is right. The pace needs to accelerate. Cyber risk will not become easier to manage. But organisations that close the gap between security leadership and the board now will be considerably better placed when it does.
Hear the full conversation
In the latest episode of Cyber Security In Focus, Katie Watson speaks with Esther Hitch, a consultant with a background spanning military leadership, legal practice, and global consulting, on how security leaders can build genuine board relationships, shift organisational culture, and translate technical risk into decisions that matter.
Listen to Closing the Gap Between Cyber and the Board with Esther Hitch on Apple Podcasts, Spotify, YouTube or wherever you get your podcasts.