Beyond the Firewall

Leadership and Governance Insights for Cyber Resilient Organisations

Cyber governance is now firmly a board-level priority. While no doubt this presents challenges for CISOs, it is also an opportunity to shine a light on the true demands of both leaders and their teams. M&S Chair Archie Norman described the attack by Scattered Spider as an “out of body experience”. However, the landscape is shifting from human-led attacks to automated ones; the release of frontier AI models like Anthropic’s Mythos—capable of autonomously identifying and exploiting zero-day vulnerabilities—marks a new era of agentic AI threats. Compounded by this rapid AI diffusion and geopolitical unpredictability, the CISO’s role is set for a further evolution from technologist to a strategic guardian of resilience.

To support leaders through this shift, ISTARI and the University of Cambridge’s Judge Business School, led by Dr Simon Learmount, have launched a programme of research into how the CISO role is changing, and what boards and executives can do to set it up for success.

"Security, privacy, data, resilience, AI ethics — they all end up on my desk."

- CISO of a US tech company

Recommendations for leadership

01

For boards

Create a bridge between the CISO and the board through dedicated interdisciplinary cybersecurity committees, including board members with some cyber experience, that can help provide a 360-degree view of risk.

Recognise that building cyber resilience is a “whole-of-organisation” endeavour with platforms and processes for continuous cyber literacy training throughout the organisation at all levels.

Build a culture of responsible cyber governance as a business enabler with a clear plan for preserving accountability towards and trust of stakeholders in the event of a cyber incident.

02

For CISOs

Advocate for cyber security needs and challenges using frames and language that resonate with board interests and priorities. Appeals to strategic business imperatives and reduction of liability will land more strongly than technical evidence.

Seek support for new partnerships that can help increase visibility of supply chain risk and build towards managing ecosystem level risk.

Ensure access to continuous professional development on cyber governance and leadership for the CISO team.

In a volatile and uncertain world, any organisation can find itself exposed to malicious, opportunistic or ideologically motivated threat actors. Increasingly, these actors aim not only to disrupt individual organisations, but to create wider societal impact in the jurisdictions where they operate. Responding to adversaries that are creative, persistent and increasingly enabled by new technologies cannot sit solely with one CISO and a technical team.

Cyber resilience now demands a new approach to governance. It must be shared across leadership, embedded in decision-making, and treated as a foundation for long-term stability and growth. This is no longer optional. It is a strategic imperative and a collective responsibility.

Meet the Author

Dr. Simon Learmount

Cambridge Judge Business School

Cambridge, UK