Cybersecurity is a Board-level responsibility

Posted on August 8, 2025 by Dan May
In many organisations we support, “IT” is represented to the Board by a finance lead, an office manager, or quite often, not represented at all. This can lead to frustration when operational teams understand the risks but can’t influence the investment decisions required to manage them.
It’s time to be clear: cybersecurity is not just an operational issue. It is a core element of corporate governance, and Boards of directors carry a legal and fiduciary responsibility to oversee it.
What the law and guidance say
In the UK, directors have statutory duties under the Companies Act 2006 to act in the best interests of the company and to promote its success. This includes protecting assets, both digital and physical, and ensuring appropriate risk management.
The NCSC’s Cyber Governance Code of Practice (2024) was created specifically to help Boards meet these responsibilities. It sets out five principles that Boards should adopt, making clear that cyber risk is an organisational risk, not just an IT issue. Boards must own the risk, set the tone from the top, and provide strategic direction. Appropriate structures, policies and controls must be in place and properly resourced.
Government policy, including the UK’s National Cyber Strategy and various sector-specific regulations such as GDPR and NIS2 for critical infrastructure, reinforces this. Directors can no longer claim cybersecurity is someone else’s problem. Failing to act could expose a Board to regulatory action, reputational damage and even personal liability.

Steps a Board should be taking
A proactive Board sets clear expectations. Based on the NCSC guidance, these are the key steps:
- Set a cybersecurity strategy: Define the organisation’s risk appetite and ensure cyber resilience is built into business strategy, not bolted on.
- Assign clear accountability: Nominate a Board-level lead for cybersecurity. This does not replace operational experts but ensures the topic is represented at the highest level.
- Understand the risks and resources: Receive regular reporting on cyber risk, incidents and investments. Ask challenging questions such as: are we sufficiently resourced? Are we compliant with sector regulations?
- Embed cyber into governance structures: Update policies, risk registers and Board reporting frameworks. Ensure supply chain risks and third-party dependencies are managed and visible.
- Test, learn and improve: Commission independent assurance such as audits or simulated exercises. Treat cyber as dynamic; threats evolve, and so must your controls and culture.
Priorities for Boards
When I speak with clients, I often see that operational teams know what needs to be done but struggle to get traction with directors. Here are priorities every Board should be able to demonstrate:
✅ Visible leadership: Board minutes and strategy documents should reflect cyber risk discussions.
✅ Adequate budget: Investment decisions should be justified in the context of protecting assets and continuity.
✅ Culture and training: A Board that invests in staff awareness and leadership buy-in reduces human error, the biggest cause of breaches.
✅ External expertise: Whether through advisors or frameworks like Cyber Essentials, seek assurance that you’re meeting best practice.
In 2025, no Board can say they didn’t know. The UK government and NCSC have set out crystal-clear expectations. Directors are not expected to be cyber experts, but they are expected to lead, to question and to invest wisely.
If your Board doesn’t yet have cybersecurity on the agenda, it’s time to change that. Your organisation’s resilience, and your legal responsibilities, depend on it.

Curious about ramsac’s cybersecurity training for boards?
In a landscape where board-level cybersecurity training is often overlooked, ramsac’s in-depth workshops provide clear guidance on essential compliance responsibilities, helping leaders make informed, secure decisions.