A severe cybersecurity incident is the most dangerous risk most companies face. It is the greatest threat to a company's ability to deliver for its customers, and therefore to its value. This is the fourteenth in a series of posts about cybersecurity risk, and how you can reduce it to give customers and investors confidence.
Most business owners end up revenue and P&L (Profit & Loss) focussed out of necessity; ask them any question you like about it and they will usually be able to answer off the top of their head. They will also usually have worries about risks to their business, and may be able to articulate those risks in broad terms, even if they don't understand the detail of how a risk could materialise. The larger an organisation gets (in headcount terms), the less likely its leaders are to be across the operational and technical details, and the more likely they are to have delegated responsibility to more junior executives. Once a business is large enough and professionalised enough to have a proper Board above the management team, the problem is exacerbated further. It is therefore critical that businesses start, as early as possible, getting the relevant people in a room to discuss risks to the business and how to actively manage them.
Businesses face all sorts of risks, from the macro of markets, regulation and geopolitics to the micro of key person risk. Cyber risk, however, stands out as needing particular attention because of its systemic nature and the high impact of a severe incident. How cyber risk manifests in its most dangerous form varies from business to business, but if you think about the worst possible thing that could happen to your business, the kind of event that would make you go bust in days, there will almost certainly be a cyber risk at the heart of it. For example:
A Software as a Service company whose product goes down due to a ransomware attack and which is unable to recover.
A financial services company that loses a huge amount of its clients' money because systems in its payments process are compromised.
A professional services company whose biggest clients' sensitive data is leaked.
The cyber security controls that mitigate the above risks are well known, and if well implemented they can mean the difference between an annoying day at work and one of the worst days of your life. Unfortunately, both the threats and the controls are constantly evolving, and staying on top of them requires a fair amount of technical knowledge. For that reason it is important to create a regular forum with all the key people in the room to discuss the risks and how to mitigate them. You can then use that forum to identify and rank the business risks of most concern, and target cyber resilience measures where they will have the greatest impact the fastest. As cyber controls are established and the cyber maturity of the business increases, that forum provides a useful setting for challenge, re-assessment and re-prioritisation, ensuring complacency doesn't creep in.
For institutional investors, the stakes are even higher. Investors, clients, and regulators all expect that there are strong governance processes in place to ensure cyber risks are not just managed, but continually reviewed and reduced. Regular executive-level risk reviews are central to these governance processes, enabling boards and committees to make informed decisions, demonstrate due diligence, and respond rapidly to changes in the threat environment.
The technical nature of cybersecurity can make risk discussions challenging for non-technical leaders. However, this shouldn’t be a barrier to effective engagement. It is crucial for senior leaders to ask probing questions, seek clarification, and insist on plain-English explanations of risks and controls. This ensures that decisions about risk are based on understanding, not assumptions.
In smaller organisations a virtual Chief Information Security Officer (vCISO) can play a pivotal role in supporting non-technical executives and boards. Operating as a trusted advisor, a vCISO helps translate technical jargon into business impact, prioritises risks in the context of organisational objectives, and ensures that the right governance and review processes are in place. For many organisations—especially those without a dedicated in-house CISO—a vCISO provides both strategic oversight and practical guidance, making sure that risk management stays firmly on the executive agenda.
Cybersecurity is not just an IT problem; it is a business risk that demands ongoing executive attention. Regular, structured risk management reviews—supported by clear communication and, where appropriate, the expertise of a vCISO—ensure that organisations remain resilient in the face of ever-changing threats. For institutional investors, this is not just good practice; it is essential to fulfilling their governance and fiduciary responsibilities.
If you are navigating some of these challenges at the moment, we can help. Our mission is to reduce your cyber risk, so our support can take whatever form is most useful to you: assessing your current setup, advising on system architecture and configuration, introducing trusted partners, training staff, or helping with operating model development or hiring. Please reach out below 👇