Mark Freebairn, Partner and Head of the Board and CFO Practices at global headhunter Odgers, explains how boards are driving cyber-resilience by turning cybersecurity into a shared, board-level responsibility.
Cyberattacks are now a defining threat to corporate stability.
They are not just technical disruptions but business crises that strike at financial performance, brand trust and operational continuity.
According to the Wall Street Journal, Amazon now faces more than 750 million attempted cyberattacks every day.
The recent “Scattered Spider” breach at Marks & Spencer, which exposed customer data and disrupted distribution networks, underscored that even highly resourced companies are not immune.
Yet many boards still treat cyber-risk as a technology issue to be delegated rather than a strategic concern to be owned.
The companies that will remain resilient are those whose boards see cyber as a shared leadership responsibility.
This requires a shift in mindset from oversight to accountability and from isolated expertise to collective fluency.
Board engagement with cybersecurity has improved, but structural gaps remain.
The National Association of Corporate Directors reports that 77% of boards now discuss the financial consequences of cyber-incidents.
However, only around one in five have a dedicated technology or cyber committee.
In many organisations, oversight still sits within IT or risk subcommittees, which can leave the full board underinformed when a breach occurs.
The next evolution in governance needs to see cybersecurity embedded into the same rhythm as financial and ESG reporting.
This includes regular updates, scenario reviews and quantified risk assessments to help directors track exposure as rigorously as they track capital allocation.
The goal is not to make every director a cyber specialist, but to ensure every director has the confidence and context to make informed decisions.
Many boards are tempted to address the challenge by adding a single cyber expert.
While valuable, this approach is not sufficient.
Cyber-resilience depends on the full board’s ability to connect technical risk with strategic judgment.
Generalist directors who are fluent in technology, innovation and risk management bring greater long-term value than a lone specialist who speaks in technical terms few understand.
Experienced Chairs increasingly seek directors who have led digital transformation or managed large-scale technology operations.
These individuals understand how to translate risk into opportunity and can challenge assumptions without losing sight of the wider business agenda.
Building this breadth of capability is what allows a board to oversee technology as an enabler, not a mystery.
The scope of risk has expanded far beyond internal systems.
SecurityScorecard’s 2025 data found that more than 35% of breaches last year were linked to third-party suppliers.
Complex digital ecosystems mean that one weak vendor can compromise an entire organisation.
Boards must now approach supplier oversight with the same rigour as financial audits.
That includes regular risk evaluations, contractual obligations for incident reporting and joint simulations that test readiness across the supply chain.
These actions signal to regulators, shareholders and customers that the board recognises its role in safeguarding resilience across the full business network.
The Chair is uniquely positioned to convert awareness into effective action.
Increasingly, Chairs are introducing scenario-based rehearsals to stress-test response strategies and decision-making.
Many are also ensuring the Chief Information Security Officer has a direct reporting line to the board.
This transparency enables faster escalation and more informed discussion.
Equally, the tone set by the Chair determines whether cyber issues are treated with openness or apprehension.
Where leaders encourage challenge and admit uncertainty, management teams are more likely to raise risks early and collaborate on solutions.
Technology alone cannot defend against an evolving threat landscape.
Effective cyber-defence is as much about people and culture as it is about systems.
Boards that model curiosity, transparency and accountability create conditions where employees feel empowered to report anomalies and ask questions.
Some boards now invite CISOs to attend meetings, not just to brief directors but to understand how strategy is built.
This helps technical leaders align security priorities with business outcomes.
Building a first line of defence across the organisation relies on leaders who can recognise issues and act decisively.
The same principle applies at the top: cyber-literacy begins with the board.
Artificial intelligence, geopolitical conflict and interconnected supply chains are all reshaping the risk landscape at unprecedented speed.
The companies that succeed in this environment will be those whose boards embed cyber awareness into every level of governance.
Effective boards will treat cyber-risk as a continuous strategic discussion, not a quarterly update.
They will recruit directors who combine technical literacy with commercial judgement.
And they will foster cultures that learn, adapt and respond before the threat arrives.
Cybersecurity has become a central test of leadership competence.
For today’s boards, success is no longer defined by avoiding a breach, but by demonstrating the foresight, coordination and culture required to withstand one.