Professor of Management Practice
Imagine a corporate headquarters where access is controlled by automated doors and gates. Executives walk in confidently, swiping their access cards or presenting their biometrics to access the building. The value of physical security is obvious; it’s tangible and offers peace of mind.
But when it comes to digital security, the same leaders often fail to ask the right questions about cybersecurity. Why? Because the threats are invisible, intangible and often underestimated until it's too late.
In today’s interconnected world, digital assets are the crown jewels. Yet many executives treat cybersecurity as a technical problem rather than a strategic, existential threat to the business. This blind spot is dangerous.
The high stakes of cyber neglect
The consequences of underestimating cybersecurity are immense. Financially, cyber breaches cost individual companies an estimated average of €4.5 million per incident in 2023. The cost to the global economy of these breaches in 2025 is likely to be a staggering €10 trillion.
Damage to reputation and customer trust is more challenging to quantify. High-profile attacks on companies like LolaLiza, Sony, Maersk, the Port of Antwerp, and cybersecurity providers themselves show that the risk is real, growing and indiscriminate.
Maersk, for example, faced an unprecedented existential crisis when Russia’s targeting of Ukrainian financial services spilled into their systems. Your organisation does not have to be the target to suffer the consequences. In fact, the fallout from these attacks is often more damaging for adjacent organisations.
Cyber will enter your boardroom conversation at a much more prominent level in the very near future. This could be because your organisation is already on a path to high cyber maturity. It could also be because regulation like the NIS2 directive has created new urgency and forced compliance. Alternatively, it could be in direct response to a cyber incident that requires an executive-level response.
Let’s take a quick look at the biggest reasons why cyber threats are underestimated.
It’s intangible
Physical threats are immediate and visible. Digital threats can be harder to grasp. Malware usually isn’t apparent until systems are crippled. Data breaches often go unnoticed for months. Ransomware may just be a word… until a cybercriminal’s disguised voice hisses their demands at you over the phone. This lack of visibility makes it easy for executives to deprioritise security.
Lack of ROI
Cybersecurity investments don’t generate immediate returns – so it can be difficult to excite shareholders about them. Generally, initiatives that contribute directly to growth and profitability are more likely to be embraced. How do you argue the value of a breach that didn’t happen as a result of a well-designed and funded cybersecurity strategy?
A disconnect between the IT and non-IT leadership
Organisations have struggled to measure tangible value from digital investments for decades. It remains an active area of research and debate in boardrooms with low levels of digital maturity. Cybersecurity now occupies the space where IT and management misalignment once sat. Boardroom discussions fail to land when cyber resilience is framed in mostly technical terms by IT leaders, or when non-IT leaders do not understand the basic elements of cyber resilience.
Complacency
There can be an assumption that “it won’t happen to us”. This leads organisations that have, to date, escaped major breaches to feel invincible. Overconfidence is also a factor. Our research indicates that executives frequently overestimate their understanding of cybersecurity threats, or the effectiveness of their current security measures.
It's time to make cyber a boardroom priority
It took time and effort from both sides to resolve the disconnect between IT and non-IT leaders. The same effort is required for cyber.
From CISOs, CTOs and CIOs, a shift in mindset will be required. Cyber specialists need to learn to speak the board’s language. In the same way that the board doesn’t care about a machine on the production line, it really doesn’t find the latest firewall configuration interesting. What it does care about is putting successful products in front of customers – and it wants the metrics to show this. So instead of drilling down into technical detail, talk about reducing business risk, sustaining production and serving customers.
One of the best cyber presentations I witnessed was a CISO hacking 70% of a senior audience's accounts the day before a meeting. Yes, he nearly got fired! But he got their full attention and sign-off on actions he’d been asking to implement for years. Using real-world examples of breaches and their fallout can work miracles. Simulate cyberattack scenarios in executive meetings to highlight vulnerabilities. If necessary, hack your organisation to show the kind of data that can be leaked or systems that can be exploited or brought to a grinding halt.
And this is what executives should do…
Lead from the top
When senior executives prioritise cyber resilience, it sets a powerful example for the entire organisation to treat cybersecurity as a strategic priority, and it fosters a culture of vigilance and responsibility at every level. Conversely, top-down neglect trickles down, leaving the organisation vulnerable to preventable risks. To build a resilient business, the boardroom must lead by example – because when leadership sets the tone, the rest of the organisation follows.
The time for complacency has passed. Either you will make it a priority yourself, or some nefarious threat actor will do it for you.
More info?
Check our online management programme ‘Cyber Resilience for Business Leaders’ or get in touch with Annelies Claeys. She will be happy to answer all your questions: annelies.claeys@vlerick.com or +32 (0)9 210 98 04.