The Board Cyber Governance Gap: What It Costs and How to Close It
By Ali Zeb · May 2025 · 8 min read
Consider how a major listed company governs its financial risk. There is an audit committee, a risk committee, external auditors, quarterly deep dives, a dedicated internal audit function, and a Chief Financial Officer who speaks to the board in a language every director has been trained to interrogate. The governance apparatus is extensive, redundant, and expensive for a reason: the consequences of financial misgovernance are visible, measurable, and career-ending.
Now consider how the same company governs its cyber risk. The CISO presents to the board twice a year, usually with a traffic-light dashboard the board receives but cannot meaningfully challenge. The audit committee receives a summary. There is no equivalent of the external auditor for security. The board has no baseline against which to evaluate what it is being told, no independent source of assurance, and no clear accountability framework for the decisions it is supposed to be making.
This is the board cyber governance gap. It is not a gap created by bad boards or incompetent CISOs. It is a structural gap, one that has been present in most organisations for a decade and that regulators, investors, and enforcement bodies are now beginning to close by force.
What the gap looks like in practice
After 25 years as a CISO and former advisory member at the FCA and NCSC, I have seen the board cyber governance gap manifest in five consistent patterns. They are not unique to any sector or size of organisation. They are near-universal.
Risk appetite without definition. The board has approved a cyber risk appetite statement, but it uses language like "low tolerance for significant incidents" that creates no actionable framework for investment or decision-making. When a real trade-off arrives (accept a known vulnerability while a system is rebuilt, or take the business offline), the board has no tools to govern it.
Reporting designed for the CISO, not the board. The board receives the output of the security function's internal reporting, repackaged for a non-technical audience. It reflects what the security team thinks is important, not what the board needs to make governance decisions. The two are not the same thing.
Accountability without clarity. The board has delegated cyber risk governance to the audit committee, which has delegated it to management, which has delegated it to the CISO. At each stage, the accountability has become less specific. When something goes wrong, no one person at board level is clearly responsible for the governance failure.
Investment without strategy. Security budgets are approved annually against proposals the board cannot independently evaluate. The board has no framework for distinguishing necessary investment from discretionary investment, or for connecting security spend to the specific risk exposures that matter most to the business.
Incident surprise. When a significant incident occurs, the board is surprised, not because the risk was unknowable, but because the governance structure was not designed to surface it before it crystallised. The CISO knew. The security team knew. The information never reached the level where it could be governed.
"Cybersecurity is not a technical problem with a governance dimension. It is a governance problem with a technical dimension."
Ali Zeb, Computing Cyber Security Strategy Briefing
Why the gap persists
The persistence of the board cyber governance gap is not mysterious. Several structural factors reinforce it.
Board composition has not kept pace with risk exposure. Most boards were composed before cyber risk was a board-level concern. Directors who joined in the 1990s and 2000s were selected for financial, operational, or sector expertise. Cyber literacy was not a criterion. It remains unusual, rather than normal, to have genuine cyber expertise at board level.
CISOs have been shaped to brief management, not boards. The skills required to present to a board are different from those required to run a security function. Most CISOs have never been trained to translate technical risk into the strategic, financial, and accountability language that boards use. The result is briefings that are accurate and incomprehensible.
The consequences have been diffuse. Unlike a financial restatement, which has an immediate, visible, attributable consequence, most cyber governance failures produce consequences that are delayed, distributed, and difficult to attribute to any specific decision. Boards have been able to govern badly for a long time without obvious sanction. That is changing rapidly.
What closing the gap actually requires
Closing the board cyber governance gap does not require every director to become a security expert. It requires three structural changes.
1. Independent cyber expertise at board level. This means a board member with genuine, deep cyber security expertise: not a broad technology background, not a credential, but the kind of operational knowledge that allows them to challenge management credibly and independently. The FCA, DORA, and NIS2 are all pointing in this direction. Boards that do not move proactively will find themselves pointed there by regulatory action.
2. A reporting framework designed for governance, not information. The board should not receive the CISO's management report repackaged. It should receive a governance-focused report that answers the questions the board is accountable for: Is our risk appetite being maintained? Are we investing in the right things? Are there decisions at this table that we have been deferring that we should not be? This requires the CISO and the board to agree on the questions before designing the report.
3. A defined, reviewed, enforced risk appetite. Risk appetite for cyber should be expressed in terms that connect directly to business decisions: acceptable downtime, acceptable data exposure, acceptable third-party risk. It should be reviewed at least annually, tested against actual decisions, and used as the basis for security investment discussions. A risk appetite that exists only on paper is not a governance control. It is a document.
None of these changes are technically complex. All of them require a board that is willing to examine its own governance honestly, and to act on what it finds.
Ali Zeb is an Executive Cyber Security Advisor, Non-Executive Director, and former advisory member at the FCA, NCSC, and Lloyd's of London Market Cyber Risk Committee. He advises boards and executive teams on cyber governance, regulatory compliance, and security strategy.
Disclaimer
The views and opinions expressed in these articles are those of the author, Ali Zeb, and are provided for general informational and educational purposes only. They are based on professional experience, independent research, publicly available information, and the use of artificial intelligence tools to support analysis and content development.
While every effort is made to ensure the accuracy and relevance of the information presented, no representation or warranty, express or implied, is made as to its completeness, accuracy, or suitability for any particular purpose. The content should not be relied upon as professional, legal, regulatory, or financial advice.
Readers are encouraged to seek appropriate independent advice specific to their organisation and circumstances before making any decisions based on the information contained in these articles.
To the fullest extent permitted by law, the author accepts no liability for any loss, damage, or consequences arising directly or indirectly from the use of, or reliance on, the information provided.