
Illustration by Kouzou Sakai/Folio Art.

Beyond the Firewall: Leadership and Governance Insights for Cyber Resilient Organisations

Read our new research on the evolving state of global cyber governance.


"Security, privacy, data, resilience, AI ethics — they all end up on my desk."

- CISO of a US tech company


Cyber governance is now firmly a board-level priority. While no doubt this presents challenges for CISOs, it is also an opportunity to shine a light on the true demands of both leaders and their teams. M&S Chair Archie Norman described the attack by Scattered Spider as an “out of body experience”. However, the landscape is shifting from human-led attacks to automated ones; the release of frontier AI models like Anthropic’s Mythos—capable of autonomously identifying and exploiting zero-day vulnerabilities—marks a new era of agentic AI threats. Compounded by this rapid AI diffusion and geopolitical unpredictability, the CISO’s role is set for a further evolution from technologist to a strategic guardian of resilience.

To support leaders through this shift, ISTARI and the University of Cambridge’s Judge Business School, led by Dr Simon Learmount, have launched a programme of research into how the CISO role is changing, and what boards and executives can do to set it up for success.

  • What responsibilities are creeping into the remit?
    CISOs are now managing everything from AI ethics to building and retaining the teams that deliver it — all on top of the "architectural debt" of the pandemic era.

  • How well prepared are CISOs to take on these expanded roles?
    Many feel the role has become "unsustainable," acting as part-diplomat and part-shrink without sufficient "bench strength" or board buy-in.

  • What enablers do CISOs, CEOs and boards need to ensure next-generation cyber resilience?
    Compliance frameworks need to be more than a tickbox exercise; they must serve as a shared language that allows boards to govern autonomous systems they may not fully understand.

Emerging global themes

Through analysis of in-depth interviews with CISOs, board directors, policy makers, regulators and other security professionals, this report offers rich, on-the-ground insights into how the complex and continuously changing world of cyber governance continues to evolve.

Several key themes emerged that echo and expand upon the current concerns voiced in the industry and mainstream media. These include:

1. The lack of a shared language for effective understanding and management of cyber risk, and of metrics for successful cyber governance.

2. The conflation of compliance frameworks and resilience planning, leading to narrow metrics of success that could leave the company vulnerable.

3. A lack of mechanisms to fully visualise supply chain risk across complex supply chains.

4. Unrealistic expectations of CISOs' bandwidth and skillsets, with them taking on responsibilities from “shrink” to “diplomat.”

5. Increased pressure from fragmented and misaligned governance requirements, leaving leaders to juggle complex compliance obligations in multiple jurisdictions.

24 hours of conversations with leaders across the industry


"Boards sometimes treat frameworks like a talisman – tick ISO and you’re safe. Attackers don’t read ISO."

'Cover is shrinking; you can’t transfer reputation.'

- Deputy CISO, Multinational Bank

To strengthen cyber resilience, organisations need clearer governance, shared accountability and better decision-making. The report sets out practical recommendations for boards and CISOs to improve cyber posture and long-term resilience.

Recommendations for boards

1. Create a bridge between the CISO and the board through dedicated interdisciplinary cybersecurity committees that can help provide a 360-degree view of risk, supported by board members with some cyber experience.

2. Recognise that building cyber resilience is a “whole-of-organisation” endeavour, with platforms and processes for continuous cyber literacy training throughout the organisation at all levels.

3. Develop mechanisms for a unified, enterprise-wide governance approach to addressing diverse compliance obligations.

4. Build a culture of responsible cyber governance as a business enabler, with a clear plan for preserving accountability towards, and the trust of, stakeholders in the event of a cyber incident.

Recommendations for CISOs

1. Advocate for cyber security needs and challenges using frames and language that resonate with board interests and priorities. Appeals to strategic business imperatives and reduction of liability will land more strongly than technical evidence.

2. Seek support for new partnerships that can help increase visibility of supply chain risk and build towards managing ecosystem-level risk.

3. Ensure access to continuous professional development on cyber governance and leadership for the CISO team.

In a volatile and uncertain world, any organisation can find itself exposed to malicious, opportunistic or ideologically motivated threat actors. Increasingly, these actors aim not only to disrupt individual organisations, but to create wider societal impact in the jurisdictions where they operate. Responding to adversaries that are creative, persistent and increasingly enabled by new technologies cannot sit solely with one CISO and a technical team.

Cyber resilience now demands a new approach to governance. It must be shared across leadership, embedded in decision-making, and treated as a foundation for long-term stability and growth. This is no longer optional. It is a strategic imperative and a collective responsibility.

For more information about ISTARI’s Cyber Resilience Leadership programmes for individuals or boards, explore our board enablement programme, LIGHTHOUSE.

Meet the Author

Dr. Simon Learmount

Simon Learmount is a Fellow of Pembroke College, University of Cambridge and Associate Professor of Corporate Governance at Cambridge Judge Business School. He has served as Director of both the MBA and Executive MBA Programmes at Cambridge, and is a recipient of the Pilkington Prize, awarded by the University of Cambridge to honour outstanding teaching across the university. His focus is on international corporate governance, sustainable business practice and ethics (especially in the US, UK, Japan and China) and digital governance (including cyber-security and AI). He serves as co-chair of the World Economic Forum Climate Governance Expert Committee, is a member of the Global Futures Council on Climate and Nature, and advises multiple organisations on climate and digital governance, sustainability and green transition, risk management and director development. Before joining Cambridge, Simon was a successful entrepreneur.
