For most of the last decade, cyber risk lived in the basement. It was managed by technical teams, reported upward in language that boards didn't understand, and treated as an operational problem rather than a strategic one.
That era is over.
Regulatory frameworks across Europe, such as NIS2 and DORA, together with the evolving expectations of institutional investors, are now placing cyber risk squarely on the board agenda. Directors are being held personally accountable. Audit committees are being asked questions they are not yet equipped to answer. And the gap between what leadership thinks is in place and what actually exists is, in most organizations, significant.
The real exposure is not technical
The most consequential cyber incidents of recent years were not caused by sophisticated attacks that bypassed state-of-the-art defenses. They were caused by misaligned priorities, unresolved dependencies, and decisions made at speed without understanding the downstream risk.
This is a leadership problem. Not a technology problem.
Boards that treat cyber as an IT budget line will continue to be surprised. Those that treat it as a strategic risk, with the same rigor applied to financial, legal and reputational exposure, will be materially better positioned.
What boards actually need
Not more dashboards. Not another compliance framework. What leadership teams need is clear, independent judgment on where they are genuinely exposed, what decisions carry hidden risk, and how to ask the right questions of the people reporting to them.
The organizations that will navigate this environment well are those where cyber risk is understood at the top, and not delegated away from it.