Skip to content
Cyber Security

Resilience is a board conversation now.

Cyber stopped being an IT line item the moment regulators started asking directors to evidence oversight. The question has moved from the server room to the boardroom, and most boards are not ready for it.

AuthorAmana Partnership
CategoryCyber Security
Published28 May 2026
Read5 min read

For years, cyber lived in the technology budget and stayed there. The board heard about it once a year, usually after an incident somewhere else in the industry. That arrangement is over. Across the UK and the Gulf, regulators now expect directors to demonstrate oversight, not delegate it.

From control list to board question

The old model treated security as a checklist owned by a security team. The new expectation is governance: evidence that the board understands its material cyber risks, has set a risk appetite, and can show how it holds management to account. That is a different kind of question, and it cannot be answered with a tooling slide.

Regulators are no longer asking whether you have controls. They are asking whether your board can prove it knows they work.

What a board should be able to answer

Three questions, in plain terms, separate boards that are ready from boards that are exposed.

  • What would hurt us most? Which systems and data, if lost or exposed, would genuinely threaten the business, and do we agree on that list?
  • How much risk have we accepted? Not a maturity score. A stated appetite, owned by the board, against which management makes decisions.
  • How do we know the controls work? Evidence that key controls are operating, tested, and improving, rather than a one-off assurance that has gone stale.

A board that can answer these confidently is in a different position from one that receives a green dashboard it cannot interrogate.

Building resilience people actually use

The trap is over-engineering. Security that ignores how the business runs gets worked around, and a control that is bypassed is worse than no control, because it gives false comfort. Resilience that lasts is built with the people who have to live with it, sized to the risk that matters, and designed to fail safely rather than to look impressive in a report.

That is the work: translate cyber from a technical control list into a question the board can own, then build the resilience underneath it so the answer stays true. It is less about new tools and more about clarity, ownership and evidence. That is where we spend our time.

Want your board ready for the questions it will be asked? Talk to a founder.

PreviousPDPL is coming for your data map.NextWhy transformation stalls at 60 percent.

Working through something like this?

Talk to us