






















Othman Rafay, Principal Cybersecurity GRC Lead.

getty
I have spent years watching organizations treat cybersecurity as a cost center. Something managed quietly by the IT department and reviewed once a year in a board risk report that nobody truly understands.
That model is finished. The companies that will dominate the next decade have already worked out what the laggards are still debating: Cyber governance is not a compliance obligation. It is a strategic capability, and the gap between those who understand that and those who don't is widening faster than most leaders realize.
Aon's recent risk research puts it plainly: Cyber risk now sits atop its global top 10 risks for business leaders, ahead of supply chain disruption and geopolitical instability. That is a significant shift, and it calls for a fundamentally different quality of governance response.
Regulators have reached the same conclusion. The UK's Cyber Governance Code of Practice explicitly calls on boards to develop genuine cyber literacy. This is not just superficial awareness but the kind of working knowledge that allows directors to challenge assumptions, question management proposals and hold executives properly to account. Directors will increasingly be judged not just on financial performance but on the credibility of their cyber oversight. Boards that cannot demonstrate it will be viewed as structurally weak, and in time, markets will reflect that.
What I find most interesting about this shift is something most commentary tends to miss. The benefit of mature cyber governance is not simply that you reduce your chances of being breached; it changes the quality of strategic decision-making at the top of the organization. When boards work with financially grounded cyber risk data, translating vulnerabilities into potential earnings impact and valuation exposure, they make sharper and faster capital allocation decisions.
Analysis cybersecurity consultant Kieran Upadrasta supports this. "Companies with mature cyber governance frameworks command valuation premiums of 372% higher total shareholder returns over three years, pay 20-50% less in cyber insurance premiums, and avoid the $4.88 million average breach cost that punishes the unprepared."
Research cited in MIT Sloan Management Review consistently shows that digitally literate boards outperform peers on revenue growth and market valuation. When a board can genuinely govern cyber risk, it becomes safer to pursue ambitious digital initiatives: AI deployment, data sharing partnerships, platform integrations. Good cyber governance is a driver of innovation, not a brake on it.
For large organizations going through multi-year digital transformation programs, the data on how many of those programs encounter serious cyber incidents makes for uncomfortable reading. ISACA's research shows that a significant majority will experience at least one material cyberattack, set against a backdrop where the average breach cost has reached approximately $4.88 million.
I think of digital transformation as the engine that generates future revenue. Cyber governance is the steering and braking system. Running the engine without the steering in place is not courageous—it is irresponsible.
Without proper governance, security investment fragments into inconsistent controls, duplicated tools and poor return on spend. With the right governance in place, boards set clear risk appetite, security gets built in from the start rather than bolted on at the end and technology leaders can make confident decisions at pace. Customers, partners and regulators gravitate toward organizations whose governance they trust. In a competitive market, that trust is not distributed equally.
The UK Cyber Governance Code of Practice sets a standard I expect will become the baseline across major markets within five years. Boards need to maintain substantive, ongoing dialogue with CISOs and technology leaders about cyber risk. Not a once-a-year update but a genuine ongoing conversation. The gap this creates will be clearly visible. Boards that engage meaningfully with their CISO can provide real oversight. Those that cannot will make critical risk decisions without the information they need.
Firms should help clients move beyond tick-box compliance toward integrated, business-driven governance. Compliance-driven governance produces the appearance of oversight. Business-driven governance produces the actual capability to manage risk at board level. Capital markets are starting to tell these two things apart, in the same way they have learned to distinguish genuine ESG commitment from the performative version.
The WEF Global Cybersecurity Outlook 2026 report sets out the structural pressures ahead: more AI-enabled attacks, expanding regulation and deepening digital interconnection between firms. In that environment, the organizations that pull ahead will consistently do three things:
1. They will treat cyber risk as a business risk, quantified in financial terms and governed alongside other strategic priorities rather than left inside the technology function.
2. They will use cyber governance to move faster on digital innovation, not slower. Governance that creates confidence around risk enables bolder investment decisions.
3. They will demonstrate credible oversight to regulators, insurers, partners and customers, turning that trust into a durable commercial advantage.
Cybersecurity will always be a technical discipline. But the organizations that lead their industries over the next decade will be the ones where boards govern it with the same seriousness they bring to capital allocation and long-term strategy. Cyber governance is not the agenda item you work through before the real conversation starts. It is the real conversation. And the organizations that understood that first will be the hardest to catch.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。