Why Top-Down Governance Is Not Optional
Cybersecurity is not a technology problem. It is a governance problem. This first section establishes why the board is legally accountable — and what that means in practice.
1.1 The Systemic Nature of Cybersecurity
A firewall does not decide how much to spend on security. A SIEM does not decide whether to invest in staff training. A patch management system does not decide whether legacy OT systems will be replaced. These are governance decisions — made by the board. And the board is now legally accountable for them.
The board sets risk appetite. If the board has not been adequately briefed on cyber risk — in terms it can understand and act on — then the risk appetite it sets is uninformed. Uninformed risk appetite is not a defence. It is a governance failure.
The Three Failure Modes of Board Cyber Governance
Delegation without accountability
"We have a CISO — it's their job." The CISO implements; the board defines risk appetite, approves the programme, verifies its effectiveness, and holds the CISO accountable.
Budget without understanding
Approving a cybersecurity budget without understanding what it buys and what risks remain is not governance — it is a blank cheque that creates liability without assurance.
Policy without proof
Excellent policies on paper that are never verified in practice. A policy that says "all data is encrypted" means nothing if no one has checked whether the data is actually encrypted.