At the recent GRC: BeConnected! event, three experts came together for a fire talk to unpack what this shift means in practice. Adriana Cavaliere, Senior Risk Leader at Skeyes, focused on resilience and integration. Susanne Alfs, Founder of Cyber4Directors, addressed accountability and evidence. Johan Meire, CISO at ING Belux, explored metrics and decision-making. The fire talk was moderated by Henk Dujardin, CEO of the Cyber Security Coalition.
Together, their insights highlighted how boards must move from passive oversight to active leadership, embedding cyber security as a core business risk and a driver of long-term resilience.
Bridging the gap: from risk management to strategic resilience
Adriana Cavaliere addressed the necessity of breaking down traditional corporate silos. In an era where technological acceleration and infrastructure vulnerabilities collide, governance models must evolve to be faster and more connected.
Adriana Cavaliere opened the discussion by framing cyber security within a broader GRC perspective. She argued that the primary challenge is “bridging cyber security with strategic business risks” to turn fragmented management into a unified board strategy. This shift is no longer a luxury but an essential survival tactic: cyber security is no longer an IT issue; it has become a boardroom issue.
Drawing on the World Economic Forum’s Global Risk Report, she highlighted a new competitive order shaped by geopolitical confrontation and social fragmentation. In this interconnected environment, risk leaders must adopt a new mindset. “We are moving from risk to resilience,” she explained, noting that old models only provide assurance of fragmented governance, which creates silos and costly delays that damage a company’s reputation.
A strong resilience strategy requires a clear risk approach, supported by risk leadership and a risk culture embedded across the entire organisation, Adriana Cavaliere argued. Collaboration is essential, with active board involvement translating complexity into actionable insight and leadership helping boards to take risk decisions.
Cyber security must be treated as a strategic business risk, not an isolated IT issue, and fully integrated into the company’s overall risk profile. Boards need a unified view of key risks, preparedness gaps, and investment priorities. This integrated, all-hazards picture – the foundation for sound risk architecture – is grounded in a business impact analysis that surfaces dependencies and single points of failure, and that analysis is driven by business priorities, not by systems. With regulatory expectations rising and cross-border dependencies growing, siloed reporting is no longer an option, Adriana Cavaliere concluded.
The accountability trap: assurance vs. evidence
Susanne Alfs explored the topic of board accountability for cyber security by first asking the audience a simple question: who believes boards are accountable for cyber security? Most hands went up. She then challenged the audience further: if boards are indeed accountable, how many act accountably, accepting that reality and translating it into governance activity?
To answer that, Susanne Alfs highlighted three signals that a board is acting on its accountability. First, boards ask for evidence rather than relying on reassurance, illustrated by the example of a technology executive claiming systems were patched without proof. Boards shouldn’t expect controls comparable to finance processes because technology controls are often less mature. Second, boards actively make decisions, on cyber risk appetite, risk acceptance, and security investments. Third, boards ask challenging questions of their executives, rather than passively receiving updates.
Transitioning to the practicalities of the boardroom, Susanne Alfs explored what accountability looks like behind closed doors. She argued that the idea of a dedicated “Cyber-NED” should be dropped, as it places too much burden on a single director and can lead others to rely on that expertise. Instead, she stressed the need for cyber literacy across the board, or at least a group of directors, so that accountability remains collective. She also highlighted the challenge of aligning perspectives from risk, compliance and audit so the board receives a joined-up picture.
Finally, Susanne Alfs outlined how technology executives can better support the board: aligning across silos before presenting, keeping jargon out, and providing clear business context. When equipped in this way, boards can act with authority and become a powerful ally in driving cyber resilience.
Translating complexity: metrics that drive action
Johan Meire focused on the operational reality of cyber threats and the need for a probabilistic approach to risk. He emphasised that technical data must be translated into a language that business leaders can act upon.
Johan Meire brought the discussion to the “front lines” by asking the audience to imagine a total system shutdown. He stressed that such an event is not just a security issue but an economic, reputational, and communication issue. He pointed out that board members are often unprepared for cyber incident realities such as ransomware, specifically the difficult decision of whether or not to pay a ransom.
A major challenge, Johan Meire argued, is the rapidly changing regulatory landscape, such as NIS2, CRA and DORA. Board members need to be aware of their responsibilities and accountability. “Even for a CISO, keeping up with all regulations is challenging. Yet, they are still expected to guide the board and provide training on them,” he explained. Johan Meire also touched upon the inherent risks of modern tech dependency, noting that the majority of solutions we use are not European. The line between what is cyber security and what is business has become very thin.
To bridge this gap, Johan Meire argued, insights must be brought into a language that board members understand, in the form of so-called output-driven metrics. He illustrated this by comparing two approaches: “Instead of saying we had ten thousand vulnerabilities… you show the patching cadence”. This enables the board to make informed decisions about where to invest first to improve the actual security posture, rather than simply causing panic with raw data.
Metrics need to be acted upon, he concluded. But there is no silver bullet for calibrating risk appetite. The goal is to trigger a conscious, cautious decision from the board.
Key takeaways beyond the fire talk
Following the fire talk, a short Q&A session further sharpened the topic. The exchange opened with how to avoid “scaremongering” when presenting cyber risks to the board. Johan Meire stressed the need for a balanced, realistic perspective rather than inflating threats. Susanne Alfs added that impact is best achieved by moving beyond metrics, through peer exchanges or immersive simulations that let directors experience the pressure of a real incident. Adriana Cavaliere reinforced the value of regular reality checks to build a shared language of risk across the organisation.
The discussion then turned to governance and the power the cyber professional has to determine the context. Susanne Alfs highlighted the importance of the three lines of defence to prevent any single perspective from dominating, while Johan Meire noted that boards increasingly rely on external assessments to validate internal reporting. On regulation, the panel agreed that frameworks like NIS2 and DORA can act as useful catalysts for accountability, even if they lag behind reality. As Adriana Cavaliere concluded, leading organisations use regulations not just for compliance, but as a driver for strategic resilience.
From compliance to resilience
Cyber security is no longer a technical issue to be delegated; it is a strategic responsibility that demands active board engagement. From embedding a risk-aware culture and strengthening accountability, to translating complex data into meaningful decisions, the panel makes clear that resilience must be built across the entire organisation.
Ultimately, boards that succeed will be those that move beyond compliance-driven thinking and adopt a unified, forward-looking approach to risk—one that connects cyber security directly to business continuity, value creation, and long-term stability.
Picture 1 – Susanne Alfs
Picture 2 – Adriana Cavaliere
Picture 3 – Johan Meire
