May 12, 2026

What Good Cyber Governance Actually Looks Like for Boards and Executives

Insights from our latest webinar 

Cyber risk is already sitting on board agendas. 

The problem is that many boards and executive teams are still being asked to oversee cyber security without clear visibility into what “good” actually looks like in practice. 

As our director, Gerry Lynch, opened in our recent Govn365 webinar with Daniel Watson (Vertech):

Cyber security can easily become an area where boards receive plenty of information but not always much confidence.

And that gap matters. Because cyber is no longer just an IT issue. 

It is now a core business, operational, leadership and governance issue that touches:

  • reputation
  • customer trust
  • operational continuity
  • compliance
  • leadership credibility

The challenge for boards is no longer whether cyber matters. It is whether governance approaches are keeping pace with the level of exposure organisations now face.

The uncomfortable reality: many organisations are relying on hope

Many organisations believe they are more prepared than they actually are. Not because people are negligent. But because reporting can sometimes create a false sense of assurance.

Boards are often told:

  • controls are in place
  • frameworks exist
  • systems are protected
  • compliance requirements are being met

But those things alone do not necessarily answer the real governance question:

Would we actually be ready if something went wrong?

As Daniel discussed throughout the session, effective cyber governance is less about technical detail and more about visibility, accountability and practical preparedness.

Cyber governance is not about becoming technical experts

A common concern among directors is feeling unequipped to govern cyber risk because they are not technical specialists. But the session made an important distinction:

Boards do not need to become cyber experts. They need to become confident in asking the right governance questions.

Questions such as:

  • What are our most significant operational vulnerabilities?
  • How do we know our controls are actually working?
  • Where are we relying too heavily on assumptions or trust?
  • What would materially disrupt the organisation today?
  • Are we measuring activity or actual resilience?

The discussion repeatedly returned to one key idea:

Good governance is not about understanding every technical detail. It is about ensuring enough visibility exists to support informed oversight and decision-making.

The hidden risk: reporting without clarity

Another prominent theme was the difference between reporting and understanding. Cyber reporting can easily become highly technical, overloaded with acronyms or focused on activity metrics that do not help boards assess real exposure.

In practice, this can leave leadership teams in a difficult position:

Receiving regular updates while still lacking confidence about organisational readiness.

As discussed during the session, one of the biggest governance risks is not a lack of information. It is information that creates comfort without clarity. This is where stronger communication between technical teams, executives and boards becomes critical.

Because governance visibility depends on translating cyber risk into business risk, not technical language alone.

Accountability matters more than ownership

The webinar explored where accountability for cyber security should sit across the organisation. A key message was that cyber cannot simply be delegated to IT. 

Technology teams play a critical role. But strong cyber outcomes depend on leadership alignment across the board, CEO, executives and operational leaders.

Cyber risk intersects with:

  • people
  • process
  • operational behaviour
  • third-party relationships
  • decision-making discipline

Which means accountability cannot sit in one function alone.

The organisations building stronger resilience are typically the ones where cyber governance is treated as an organisation-wide leadership responsibility rather than a standalone technical function.

What boards should actually be tracking

The discussion also pointed to the need for boards to focus less on volume of activity and more on indicators of capability and resilience.

That means moving beyond questions like:

“How many risks were reported?”

And focusing more on:

  • whether preparedness is improving
  • whether visibility is increasing
  • whether response capability is being tested
  • whether leadership teams understand their responsibilities during an incident

Because more reporting does not automatically create stronger governance.

In some cases, it can actually obscure where the real risks sit.

Final thought

As cyber threats continue to evolve, particularly with AI accelerating both the speed and sophistication of attacks, governance approaches also need to evolve.

The organisations that will navigate this best are not necessarily the ones with the most complex frameworks or the most reporting.

They are the ones creating:

  • clearer accountability
  • better visibility
  • stronger organisational alignment
  • disciplined oversight

Because ultimately, strong cyber outcomes do not come from hoping protections are working. They come from leaders having enough clarity to know whether they are.

 


 

Additional Resource 

As part of the discussion, Daniel Watson has offered a practical starting point for organisations looking to strengthen their cyber preparedness.

Boards and executives interested in developing an AI-assisted cyber policy template can contact Daniel directly through Vertec to access a complimentary template resource.

For organisations looking to develop or strengthen a more comprehensive incident response plan, Daniel also offers tailored advisory sessions to work through key considerations, identify gaps and help build a fit-for-purpose response framework aligned to the organisation’s operational environment.

As cyber threats, operational disruption, and leadership accountability continue to converge, the real test of governance is no longer what exists on paper but how boards and executives respond under pressure.

We’ll be continuing this conversation in our upcoming webinar:

Crisis Ready or Crisis Exposed? The Governance Test Most Boards Aren’t Prepared For 

Joining us for this session is George Adams — Professional Director, 2024 Deloitte Chair of the Year finalist, and 2025 Lifetime Achievement Award recipient for his contribution to safety leadership in New Zealand. George brings decades of board-level experience navigating high-stakes governance challenges, and his perspective on what real crisis readiness looks like is not to be missed.

This is a session you won’t want to miss, whether you’re a board director, executive, or governance professional looking to stress-test your organisation’s readiness before a crisis hits. 


If you’re starting to think about how this applies in your organisation, we’re always open to a conversation.
