An interview with global cybersecurity thought leader and Corix Partners founder JC Gaillard
As cyber threats grow more sophisticated and relentless, Boards of Directors can no longer afford to treat cybersecurity as a technical issue buried in the IT department.
JC Gaillard — long-time cybersecurity strategist and founder of Corix Partners — has been calling for a fundamental shift in how Boards engage with cyber risk for nearly a decade.
In this conversation, he lays out why it’s time for directors to move beyond checklists and crisis reactions, and start treating cybersecurity as a core element of business survival — one rooted in leadership, accountability, and real-world understanding.
You’ve been writing about the Board’s role in cybersecurity for nearly a decade. Why has this topic remained so important to you?
Because the discussion keeps getting framed in oversimplified ways. There’s no “one-size-fits-all” answer to how Boards should engage with cybersecurity. The landscape is shaped by too many variables — economic context, industry threats, company history, and maturity levels. Yet we still see governance approaches that are either reactive or superficial. Boards need to move beyond compliance checklists and start thinking of cybersecurity as a core element of business protection.
What’s the biggest misconception Boards tend to have?
Many still treat cybersecurity as a technical issue that can be delegated downward, or as a risk that might or might not materialize. But in the current environment — where threats are constant — that mindset is outdated. It’s no longer about “if,” it’s about “when.” The Board has to own the business protection agenda and ensure it is grounded in real-world awareness, not just hypothetical risk models.
You’ve previously written about the Board’s response to high-profile breaches, like the TalkTalk breach in the UK in 2016, and again after WannaCry and NotPetya in 2019. How has your thinking evolved since then?
Those earlier pieces focused on how Boards react in the aftermath of major incidents. In crisis mode, Boards tend to have a clearer agenda — it’s easier to act when something has gone wrong. But that approach isn’t sustainable. In my 2022 piece, I challenged the idea that Boards can afford to remain passive until a breach occurs. They must take proactive ownership, even when there’s no immediate crisis.
How should Boards begin that proactive ownership?
First, by building a meaningful understanding of the threat landscape — not just in abstract terms, but in terms specific to their business: Who might target them? Why? With what level of sophistication? What systems or data would be attractive to attackers? If that knowledge doesn’t exist in the Boardroom, it must be brought in — either through independent directors or trusted advisors. But it needs to be expressed in language the Board understands, not just technical jargon.
And what about executive accountability?
That’s absolutely critical. The Board must establish clear, unequivocal accountability for cybersecurity at the executive level. Not buried three levels down in IT, but in the C-suite. And that accountability should be tied to remuneration and performance metrics. It’s no longer acceptable to wheel in the CISO twice a year after something has gone wrong or just to tick a compliance box. The conversation needs to be continuous and strategic.
What should that Board-executive dialogue look like in practice?
It should be grounded in the company’s historical experience with cyber threats. Every large organization has had incidents or near-misses by now. Boards should ask: What lessons were learned? Was the response adequate? Are we funding the right capabilities? Are we thinking in the right timeframes — especially when long-term change is needed? That’s how you avoid repeating mistakes and ensure resilience over time.
You’ve deliberately avoided using the word “risk” in some of your writing. Why?
Because “risk” implies uncertainty — things that may or may not happen. But in today’s landscape, the threat is constant. Framing cybersecurity as “risk” encourages a mindset of mitigation, transfer, or acceptance. We need to talk instead about business protection — about securing what matters in a world where threats are already present. It’s a deeper, more grounded way to engage.
So what’s your core message to Boards today?
Stop treating cybersecurity as someone else’s problem. Take ownership. Get the right knowledge into the room. Hold your executives accountable. And engage with cybersecurity as a strategic business imperative — not just a compliance exercise. It’s time to step up, because in today’s world, this is about survival and long-term trust.
JC Gaillard is the Founder and CEO of Corix Partners, a London-based boutique management consultancy and thought-leadership platform focused on helping CIOs and other C-level executives resolve cyber security strategy, organisation and governance challenges.
He is a leading strategic advisor and a globally recognised cyber security thought leader with over 25 years of experience gained in several financial institutions in the UK and continental Europe, and a track record of driving fundamental change in the security field across global organisations, looking beyond the technical horizon to strategy, governance, culture and the real dynamics of transformation.
A French and British national permanently established in the UK since 1993, he holds an engineering degree from Telecom Paris and has been co-president of the Cyber Security group of the Telecom Paris alumni association since May 2016.
Read more on our Security Transformation Leadership publication here on Medium