Informed scepticism is a board's greatest defence against cyber threats
16 Sept 2025
Andrew Evans
Innovation specialist with expertise in cybersecurity LinkedIn
In April 2025, Marks & Spencer froze all online orders for three days after ransomware crippled its fulfilment systems – a £300 million lesson in how a single malicious email can paralyse even a household name. It is a crisis that, for any director, can begin with one chilling phone call.
Imagine the call comes through to you from your CEO, and the message is chillingly simple: "We’re locked out. Everything is gone, and they want millions."
In that moment, as a director, what is your first question? Is it "How did this happen?" or is it the far more telling "What did we do to prepare for this?" For too many boards, cybersecurity has been a technical issue delegated to the IT department. But as recent crises show, it’s actually a question of governance, and the ultimate responsibility rests squarely in the boardroom.
A board's greatest defence against cyber threats is not found in technology alone, but in a culture of rigorous, informed scepticism. What follows is the framework for that scepticism, no technical acronyms, just a guide for asking the right questions.
Governance and accountability or "who truly owns this risk?"
Cyber risk must be governed from the very top. It’s a classic case of the buck stopping in the boardroom. If the board treats cybersecurity as just another item on the IT department’s to-do list (either by habit, lack of time or by not having the perceived required technical acumen), the organisation is already on the back foot.
The real conversations should sound like this:
- Have we, as a board, clearly defined and documented our appetite for cyber risk in a way that guides strategic and financial decisions pragmatically?
- Have we clearly structured accountability?
- Does our Chief Information Security Officer or equivalent have the necessary authority and budget, with direct access to the board to be effective?
And perhaps the sharpest question of all:
- How is the management of cyber risk tied to senior executive performance and compensation?
"Company boards have an essential role in fostering a culture of strong corporate cyber security governance. Too often boards overestimate their company’s cyber security preparedness."
Source: Jersey's Draft Cyber Security Policy Framework 2025-2040
Strategy and culture or "are we defending yesterday's business or tomorrow's?"
Too often, security is seen as a handbrake on growth and agility. But a truly resilient organisation aligns its security with its strategic goals. The question isn't just "are we secure?" but "is our security enabling us to grow safely?"
This requires identifying the "crown jewels" (i.e. the essential data and systems for your survival) and knowing that your best defences protect them (pro tip: here is where you should direct most of your time and resources). I once saw a firm spend a fortune protecting its public-facing website while its client database was secured with little more than duct tape and a prayer. They were defending the shop window while leaving the vault door open. A director must ask: how are we measuring and fostering a security-conscious culture? What were the results of our latest phishing simulation, penetration test or ideally red teaming, and what was the lesson learned?
Assurance and measurement or "how do we know our defences actually work?"
This is about seeing evidence. A glossy presentation from the CISO assuring the board that "everything is under control" is no longer sufficient as assurance needs quantified metrics, not glossy dashboards. Trust is good, but verification is better.
A board should be asking for proof.
- When was our last independent, adversarial penetration test or "red team" exercise?
- What were the critical findings, and how have we addressed them?
- Can our security posture be presented using business-centric metrics, for example our average "time to patch" for critical vulnerabilities and how that benchmarks against our peers?
In the wake of supplier-related disasters like the Capita and Synnovis incidents, you must also ask how you are actively managing the risk posed by critical third-party suppliers.
"Supply-chain fragility tops the risk agenda: 54 % of large companies tell the World Economic Forum they lack visibility over third-party risk, so strategy discussions should start with mapping who really touches your data."
Resilience and response or "what happens when, not if, we are breached?"
An organisation's true strength is revealed not by its ability to prevent an attack, but by its ability to withstand one. This is about preparing for the inevitable bad day. It’s one thing to have a response plan in a binder; it’s another thing to know it works under pressure.
The board’s role is to test that readiness.
- When did we last conduct a full-scale simulation of a destructive ransomware attack that involved the executive team and the board?
- What broke in our response?
When CFOs took part in a live ransomware simulation at Infosecurity Europe 2025, average recovery time ran 40 % longer than boards had budgeted, highlighting why playbooks must be stress-tested with real executives, not just technical staff.
This is also where uncomfortable conversations must be had.
- What is our policy on considering a ransom demand, and who has the authority to make that decision?
- How confident are we in our ability to recover critical functions from backups without the compromised network?
The future horizon or "what is coming over the hill?"
Finally, a resilient board is always looking ahead. The threat landscape evolves constantly, and today's robust defence is tomorrow's open door. The questions here are about preparing for future threats, not just the current ones.
In 2024 British engineering firm Arup lost approximately $25 million after scammers used AI-generated deepfakes to impersonate the company’s CFO and trick an employee into transferring funds proving that AI-driven social engineering is already a board-level threat, not tomorrow’s worry.
What is our strategy for the emerging threat of AI-enabled attacks, such as hyper-realistic phishing and automated hacking? Are we developing a roadmap for transitioning to post-quantum cryptography to protect long-term sensitive data from future decryption? And, in the UK, how are we preparing for the forthcoming Cyber Security and Resilience Bill and what are the key implications for director liability?
These are not a one-time checklist but the engine of a continuous governance cycle. The board's role is to set the tone. By asking these questions relentlessly, directors can transform cybersecurity from a technical silo into an organisational imperative and a cornerstone of the company's culture.
Cybercrime’s economic impact is forecast to hit $10.5 trillion in 2025, making it the world’s third-largest “economy” after the US and China.
Our course Cybersecurity for Directors: Asking the right questions runs through the evidence-based questions you need to be asking and how you can confidently challenge the answers.