Keegan Crage | Owner, TechBrain AU — ISO 27001 certified, cyber security & AI governance partner | Oxford MSc Cyber Security (in progress).
getty
The regulatory tide has already turned. Has enterprise cyber posture kept pace?
A director reviews a board pack at the kitchen table, on a personal laptop, over the home Wi-Fi. But the corporate SIEM sees nothing. The corporate SOC raises no alerts. This is the board's unowned risk, and it sits on the kitchen table. Many cyber programs built in the last decade falter at the corporate boundary. Director liability could walk out with the executive every evening.
The U.S. SEC has already tightened cyber disclosure rules for companies. Australia is on the same arc, with the Corporations Act 2001 placing a statutory duty on directors to act with reasonable care and diligence. The ASIC has treated cyber as material since the Privacy Act 1988 Notifiable Data Breach Scheme can extend to director-held personal data.
The enterprise security program isn't behind, but it wasn't scoped for this. The moment it clicked for me was when I found out that a chair had been using a personal Gmail account for board correspondence for the better part of two years because it was just easier on their phone. Nobody had flagged it. Nobody had even thought to look. That was the moment I realized the risk model had a human-shaped hole in it that no amount of corporate tooling was ever going to close.
Corporate SOC, SIEM and MDR platforms are working as designed; they are staffed and tooled for the corporate-owned attack surface. But the executive's kitchen-bench laptop, the home router and the family iPad are all owned outside it. None of it is in scope. The gap is an architectural boundary.
Ponemon Institute's 2025 research, surveying 586 security professionals, found 51% of organizations had seen attacks targeting executives or family members, up from 42% in 2023. GetApp's 2024 research puts the figure at 72% of senior executives targeted in the prior 18 months. In mid-market boardrooms, the number stops being alarming. It becomes predictive.
The Australian Signals Directorate's 2024-25 report documents state-sponsored groups turning home routers into botnet infrastructure. Every family-shared device still signed in to work (laptop, tablet or inherited phone) could widen the hijack surface. Personal email used for board correspondence has the potential to become a wire-fraud vehicle in waiting.
Every one of these is a claim against the director as opposed to a ticket for IT to resolve. Boards still briefed through the IT subcommittee on a lagging audit cycle may not be hearing the signal.
For most directors hearing this, the first reaction is recognition as they see themselves in the scenario, followed immediately by discomfort. There's almost always a beat where they realize this is the first time someone has spoken to them about cyber as something that belongs to them personally, not to the IT team, not to the CISO. Then the discomfort sets in, because they can see exactly where that logic leads.
Companies need to start treating executive personal cyber as its own program, owned at board level, with its own scope and budget line. It doesn't live inside the CISO's remit: Legal, privacy and ethical issues prevent corporate IT from operating inside a director's personal environment.
Any program fails if there isn't buy-in. An executive who silently disables protections ends the program. A seamless, trusted relationship is what holds it together. Protection and surveillance have to be separated architecturally. Get it right, and the strategy does what it needs to without peering into the executive's personal life. Get it wrong? No director tolerates the program past the second month.
Start with a prepared personal-risk audit for each director, mapping the full household digital footprint (personal devices, shared accounts, home networks and who has access to). That inventory becomes your program scope, and it could surface the personal email accounts or kitchen-table laptops no corporate SIEM has ever seen along with devices such as home security cameras no director ever considered was a corporate cybersecurity risk. Ownership sits with the general counsel or chief risk officer, not the CISO.
From that baseline, protection needs to operate across four domains simultaneously: personal privacy foundations (dark web monitoring, credential exposure), home network security with active penetration testing, device-level hardening and malware protection, and incident response. The executive's household is a unit of protection. Any program that covers only the individual and ignores shared devices at home could leave potential entry points wide open.
Finally, build the evidence layer from Day One. Every control implemented should produce documentation that maps directly to D&O and cyber insurer renewal questionnaires. An annually certified, audit-ready record of your security posture underpins a strong a governance strategy.
Stop asking the CISO to find the budget. Executive personal cyber is a governance category that runs adjacent to the enterprise cyber program, not nested inside it. Executives should put a line in the board-level risk budget before anyone's written a scope document, because if it has to compete internally with the enterprise program, it loses every single time, and quietly, so nobody notices until something goes wrong.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。