From IT Topic to Strategic Imperative - 30 Years GUBERNA - Cybersecurity
Cyber risk has moved from the server room to the boardroom. As attacks grow more professional, regulations intensify, and AI reshapes the landscape, boards can no longer treat cybersecurity as a technical sidebar. It is a governance issue that touches strategy, reputation, and continuity. Drawing on the insights of our panellists Karolien Vanhuffel, Fabrice Clément, Vincent Pacheco, Saskia Van Uffelen, Peter Van Dyck, Alex Driesen and Chris Verdonck, here are the key takeaways:
1. Threats are faster, smarter, and closer than ever
Cyberattacks are increasingly professional, often backed by states or criminal ecosystems. AI is a double-edged sword: attackers use it to automate phishing and social engineering, while defenders deploy it for detection and anomaly management. Yet human error remains the biggest vulnerability, especially in hybrid work environments. Ransomware continues to dominate, raising ethical and legal dilemmas around ransom payments.
2. Cyber is a board issue, not an IT problem
Boards must integrate cyber risk into strategy, audit, and enterprise risk management. Regulatory complexity (NIS2, DORA, GDPR) demands clear role agreements between board, ARC, and management. Supply-chain governance is often overlooked, even though third-party exposure is a major risk.
3. People: the weakest link and the strongest shield
Awareness programs are essential but must go beyond theory to hands-on simulations. Security fatigue is real; employees need psychological safety to report incidents without fear. Leadership sets the tone: managers must model secure behaviour and make cybersecurity part of modern people management.
4. From principles to practice: building cyber resilience
Embed cybersecurity in business strategy and investment planning.
Work risk-based: prioritize critical assets and high-impact risks.
Prepare for crises with clear incident response and communication plans.
Use technology as an accelerator: zero-trust architecture, identity management, encryption-by-default.
Secure the chain: impose standards on suppliers and embed obligations contractually.
5. Structures that work: clarity beats complexity
Dual reporting to the Board and the ARC works: the Board for strategy and risk appetite, the ARC for assurance and technical depth. Cadence matters: cyber should be a standing agenda item, not a reactive topic. Ensure that at least one director or advisor has cyber expertise.
6. ARC preparedness: fluency before formality
The ARC becomes effective when its members understand risk in business language, not technical jargon. Decision-oriented board packs and structured Q&A improve confidence. The responsible executive (often the CIO or CEO) owns accountability; the CISO translates complexity into clarity.
7. KPIs that count: less is more
Avoid vanity metrics. Boards should track resilience indicators like maturity score trends, time-to-detect, time-to-recover, and cost of downtime. Include human factor KPIs (training participation, awareness tests). Harmonize definitions across multi-entity groups to avoid misleading consolidation.
8. AI: the next frontier for governance
Boards must govern AI across four tracks: IT efficiency, business innovation, sandbox experimentation, and shadow AI. Build AI literacy and align oversight with EU AI Act principles. Treat AI as a cultural shift: educate staff, define use cases, and implement a roadmap.
9. Supply chains: the hidden cyber risk
Institutionalize dependency mapping and report regularly. Extend oversight to deep-tier suppliers and human factors. Use heatmaps and escalation triggers for visibility and move from tick-box compliance to risk-based supplier management.
10. The warm handshake: bridging board and executive
Create trust through two artifacts: a jargon-free board pack and a credible responsible executive who presents it. Boards should ask blunt questions: “How long can we be down? What’s the cost of downtime?” Accountability must be clear, with the CISO as translator and the CIO or CEO as owner.
Want to know more? Learn more about the GUBERNA Sounding Board Committee for Cybersecurity.