Cyber neglect starts and ends in the Boardroom

Imagine a corporate headquarters where access is controlled by automated doors and gates. Executives walk in confidently, swiping their access cards or presenting their biometrics to access the building. The value of physical security is obvious; it’s tangible and offers peace of mind.

But when it comes to digital security, the same leaders often fail to ask the right questions about cybersecurity. Why? Because the threats are invisible, intangible and often underestimated until it's too late.

In today’s interconnected world, digital assets are the crown jewels. Yet many executives treat cybersecurity as a technical problem rather than a strategic, existential threat to the business. This blind spot is dangerous.

The high stakes of cyber neglect

The consequences of underestimating cybersecurity are immense. Financially, cyber breaches cost individual companies an estimated average of €4.5 million per incident in 2023. The cost to the global economy of these breaches in 2025 is likely to be a staggering €10 trillion.

Damage to reputation and customer trust is more challenging to quantify. High-profile attacks on companies like LolaLiza, Sony, Maersk, the Port of Antwerp, and cybersecurity providers themselves show that the risk is real, growing and indiscriminate.

Maersk, for example, faced an unprecedented existential crisis when Russia’s targeting of Ukrainian financial services spilled into their systems. Your organisation does not have to be the target to suffer the consequences. In fact, the fallout from these attacks is often more damaging for adjacent organisations.

Cyber will enter your boardroom conversation at a much more prominent level in the very near future. This could be because your organisation is already on a path to high cyber maturity. It could also be because regulation like the NIS2 directive has created new urgency and forced compliance. Alternatively, it could be in direct response to a cyber incident that requires an executive-level response.

Financially, cyber breaches cost individual companies an estimated average of €4.5 million per incident in 2023.
Martin Butler
Professor of Management Practice

Let’s take a quick look at the biggest reasons why cyber threats are underestimated.

It’s intangible

Physical threats are immediate and visible. Digital threats can be harder to grasp. Malware usually isn’t apparent until systems are crippled. Data breaches often go unnoticed for months. Ransomware may just be a word… until a cybercriminal’s disguised voice hisses their demands at you over the phone. This lack of visibility makes it easy for executives to deprioritise security.

Lack of ROI

Cybersecurity investments don’t generate immediate returns – so it can be difficult to excite shareholders about them. Generally, initiatives that contribute directly to growth and profitability are more likely to be embraced. How do you argue the value of a breach that didn’t happen as a result of a well-designed and funded cybersecurity strategy?

A disconnect between the IT and non-IT leadership

Organisations have struggled to measure tangible value from digital investments for decades. It remains an active area of research and debate in boardrooms with low levels of digital maturity. Cybersecurity now resides in the space once occupied by IT and management misalignment. Boardroom discussions fail to land when cyber resilience is framed in mostly technical terms by IT leaders or when non-IT leaders do not understand the basic elements of cyber resilience.

Complacency

There can be an assumption that “it won’t happen to us”. This leads organisations that have, to date, escaped major breaches to feel invincible. Overconfidence is also a factor. Our research indicates that executives frequently overestimate their understanding of cybersecurity threats, or the effectiveness of their current security measures.

It's time to make cyber a boardroom priority

It took time and effort from both sides to resolve the disconnect between IT and non-IT leaders. The same effort is required for cyber.

From CISOs, CTOs and CIOs, a shift in mindset will be required. Cyber specialists need to learn to speak the board’s language. In the same way that the board doesn’t care about a machine on the production line, it really doesn’t find the latest firewall configuration interesting. What they do care about is putting successful products in front of customers – and they want the metrics to show this. So instead of drilling down into technical detail, talk about reducing business risk, sustaining production and serving customers.

One of the best cyber presentations I witnessed was a CISO hacking 70% of a senior audience's accounts the day before a meeting. Yes, he nearly got fired! But he got their full attention and sign-off on actions he’d been asking to implement for years. Using real-world examples of breaches and their fallout can work miracles. Simulate cyberattack scenarios in executive meetings to highlight vulnerabilities. If necessary, hack your organisation to show the kind of data that can be leaked or systems that can be exploited or brought to a grinding halt.

And this is what executives should do…

  • You need a Cyber Champion at director level to ask the difficult questions using language and metrics the board cares about.
  • Ensure cybersecurity is embedded in the organisation's strategic responses and tactical activities.
  • Measure and track your organisation's digital resilience. Tracking cyber maturity should form part of the typical risk, governance and audit procedures.
  • Ensure regular cyber audits. No one bats an eye when annual audits of financial reporting take place. We understand this kind of activity to be part of the cost of operating a business and an important method of identifying weaknesses in control systems. The same should become the norm for cyber audits, investments in technology and training, and incident-response simulations.

Lead from the top

When senior executives prioritise cyber resilience, it sets a powerful example for the entire organisation to treat cybersecurity as a strategic priority, and it fosters a culture of vigilance and responsibility at every level. Conversely, top-down neglect trickles down, leaving the organisation vulnerable to preventable risks. To build a resilient business, the boardroom must lead by example – because when leadership sets the tone, the rest of the organisation follows.

The time for complacency has passed. Either you will make it a priority yourself, or some nefarious threat actor will do it for you.

More info?

Check our online management programme ‘Cyber Resilience for Business Leaders’ or get in touch with Annelies Claeys. She will be happy to answer all your questions: annelies.claeys@vlerick.com or +32 (0)9 210 98 04.