For years, cyber lived in the technology budget and stayed there. The board heard about it once a year, usually after an incident somewhere else in the industry. That arrangement is over. Across the UK and the Gulf, regulators now expect directors to demonstrate oversight, not delegate it.
From control list to board question
The old model treated security as a checklist owned by a security team. The new expectation is governance: evidence that the board understands its material cyber risks, has set a risk appetite, and can show how it holds management to account. That is a different kind of question, and it cannot be answered with a tooling slide.
Regulators are no longer asking whether you have controls. They are asking whether your board can prove it knows they work.
What a board should be able to answer
Three questions, in plain terms, separate boards that are ready from boards that are exposed.
- What would hurt us most? Which systems and data, if lost or exposed, would genuinely threaten the business, and do we agree on that list?
- How much risk have we accepted? Not a maturity score. A stated appetite, owned by the board, against which management makes decisions.
- How do we know the controls work? Evidence that key controls are operating, tested, and improving, rather than a one-off assurance that has gone stale.
A board that can answer these confidently is in a different position from one that receives a green dashboard it cannot interrogate.
Building resilience people actually use
The trap is over-engineering. Security that ignores how the business runs gets worked around, and a control that is bypassed is worse than no control, because it gives false comfort. Resilience that lasts is built with the people who have to live with it, sized to the risk that matters, and designed to fail safely rather than to look impressive in a report.
That is the work: translate cyber from a technical control list into a question the board can own, then build the resilience underneath it so the answer stays true. It is less about new tools and more about clarity, ownership and evidence. That is where we spend our time.
Want your board ready for the questions it will be asked? Talk to a founder.



