Cyber security is a governance challenge, not just a technical one

Preparation beats documentation. The best responses come from boards that have practised.

Neil Livingston, Kordia CEO
14 Nov 2025

Over recent years, boards have made enormous strides in understanding cyber security and the associated risks. Tools such as risk registers are becoming more commonplace, and roles like CISOs and IT leads have a stronger voice and presence.

Recently, I joined other leaders of New Zealand organisations at a ‘Chatham House Rule’ gathering designed to address what good leadership looks like during a cyber crisis.

The overarching theme was clear: cyber incidents are not just technical problems, they are prominent leadership and governance challenges that directors need to pay serious attention to. Cyber risk can no longer be treated as a line item or a compliance exercise.

We only have to consider the current threat environment for a sobering reminder of how serious cyber risks have become. Roughly a quarter of cyber incidents affecting nationally significant organisations in the past year have involved state-sponsored actors. These are not opportunistic hackers, but patient, well-resourced adversaries who often maintain undetected access for months or even years.

The motivations vary – espionage, intellectual property theft and disruption of critical infrastructure – but the outcome is the same. Every organisation, regardless of sector, now sits on the frontline of a global battle that doesn’t recognise national borders.

This context matters deeply to boards. Increasingly, directors are being asked to demonstrate that they have exercised due care in overseeing cyber resilience. When an incident occurs, stakeholders will look not only at what management did, but also the board’s role in the organisation’s preparedness.

The board has a critical role

Many management teams underestimate how actively they’ll be drawn into incident response. The technical component – restoring systems, patching vulnerabilities, recovering data – accounts for only about 20% of the total workload. The remaining 80% is communications, stakeholder management and leadership.

That’s where the board’s oversight becomes crucial. In a major cyber incident, the board chair or directors may be called upon to support or even participate in external communications, interface with regulators, and make judgement calls about disclosure timing and business continuity. These decisions can’t be made on the fly. They require clear protocols, defined roles, and trust and understanding between management and the board.

If you fail to plan, you plan to fail

If there’s one piece of advice I can give other boards, it is to be aware that preparation beats documentation. The organisations that respond best to attacks are not necessarily the ones with the most sophisticated technology, but those that have practised their response through tabletop exercises.

These simulations – ideally conducted at least twice a year – give leaders and boards the chance to walk through crisis scenarios, test decision-making processes and identify communication gaps before they matter.

When operational urgency is high and data is deeply personal, such as in sectors like healthcare, the difference between a coordinated response and chaos often comes down to whether the team has ‘muscle memory’ from practice.

For boards, participating in these exercises provides a rare opportunity to understand how decisions unfold under real-world pressure. It also strengthens alignment between directors and management about who leads which parts of the response.

The new reality: directors as potential targets

Another insight that resonated strongly was the personal nature of modern threats. There’s a growing number of cases where ransomware groups have harassed executives directly. These include ‘swatting’ incidents where threat actors faked emergency calls to a CEO’s home, and offers of small payments to members of the public to contact and pressure targeted individuals.

While these tactics are confronting, they highlight a critical governance point: cyber security is no longer confined to systems and networks, it extends to people. Boards should consider whether their own members – as high-profile individuals with access to sensitive information – are adequately briefed and protected. The GCSB’s National Cyber Security Centre provides specific guidance for high-profile individuals.

Governance that enables, not overloads

The challenge many organisations face is expecting one individual – often the CISO – to be a technical expert, a team manager, and a translator for the board all in one. This is simply unrealistic, and these functions must be separated.

A virtual CISO model or external advisor can provide technical depth, while internal leaders focus on implementation and reporting. This structure not only reduces burnout but also ensures directors receive clear, decision-ready information, rather than technical jargon.

Boards should also resist the temptation to treat cyber as a standalone issue. Instead, it should be integrated into enterprise risk management and crisis planning alongside financial, operational and reputational risks. A good tip from the panel was to avoid tagging the ‘cyber’ label onto everything (for example, ‘cyber response plans’). Cyber incidents are, in essence, business continuity events.

A call to action for boards

The global landscape is shifting at an ever-increasing pace. Governance must evolve alongside it.

Cyber security now sits squarely in the boardroom. Directors who engage deeply with it – who practise, question and plan – will not only protect their organisations but also demonstrate the kind of proactive governance that builds long-term trust with customers, regulators and communities.

When a cyber crisis hits, good leadership matters most – and boards can play a vital role in ensuring organisations emerge stronger, safer and more resilient.

For a practical resource to support board-level preparedness, see Kordia’s Ransomware Preparedness Guide.