
Governance

Building digital resilience: Why cyber is no longer just a technology concern 

Published November 4, 2025 in Governance • 7 min read

From psychological manipulation tactics to social engineering and weaponized wearable technology, 2025 has seen it all.

We are living in a borderless cyberspace that is building in complexity by the day. We see the growing prowess and sophistication of cybercriminals, rapid advances in emerging technology like generative AI, and escalating international conflicts, both trade and turf, offering a stage for unparalleled cyberattacks. I often get asked by directors: “How can we become more proactive as a board?” And the answer might never have been more critical.

The answer, in short, is to stop looking at ‘cyber’ as a technology issue. Despite its definition being linked to the protection of digital devices, cybersecurity is a fundamental interdisciplinary risk that has several layers of complexity, and geopolitics and human psychology both have a part to play. It is vital, therefore, that we reframe the narrative to build digital resilience, and I use this article to offer a longer answer on how your board can achieve just that.


Interdisciplinary issue

Cybersecurity has traditionally been studied by academics as a technology problem; in fact it is an interdisciplinary issue involving business, people, and culture. Human error is the fundamental vulnerability in almost every breach we see play out in the boardroom today, and for any organization the partners in its ecosystem are at once its greatest asset and the biggest hindrance to a secure, resilient, and trustworthy digital future (WEF 2025).

Take the correlated attacks on the British retailers Marks & Spencer and Co-op, and the attempted attack on Harrods, in April 2025, in which cybercriminals used social engineering to trick employees into handing over passwords and login access. The ransomware attack came via email from an employee of the Indian IT giant Tata Consultancy Services, which has provided services to the retailers for over a decade. The Marks & Spencer website was out of action for three months while in ‘rebuild’ mode, as the chairman told members of the British parliament; the incident cost the company more than £300m ($399m) and had profound implications for suppliers, employees, customers, and the entire food supply chain.

The human error conversation was brought to life during the coronavirus pandemic, when organizations realized their digital resilience relied on employee trust as much as on IT infrastructure. In an instant, teams of thousands were forced to log in from across the world, using their own Wi-Fi networks and, at times, their own equipment, to access critical and sensitive data. We saw two very different responses unfold: the first was to pause operations and prevent remote working; the second was to trust employees to make effective decisions.

This is an important first lesson in building digital resilience, so long as trust is accompanied by effective digital awareness training and a culture that encourages people to proactively practice cyber-safe behavior and come forward with mistakes. So how does a board ensure its workforce can be trusted?


Awareness, training, compliance, and transparency

Digital awareness needs top-down sponsorship, but it is built from the bottom up, by ensuring every employee is trained on the dangers of cyber weaknesses. This can range from cyber simulations to internal phishing exercises. While this type of cybersecurity training is a well-known practice, its effectiveness depends on factors such as sensitivity to humanistic values, frequency of training, and customization.

Empathy and enablement

Sending phishing emails to employees in a controlled environment is one of the most popular training exercises; it tests which employees interact with a suspicious link and take the bait. While effective, these tests must be conducted within a safe culture that fosters empathy and enablement, educating staff and motivating them to protect the organization rather than creating a culture of blame or fear.

Continuous and customized training

As with most skills, organizations should commit to continuous learning in small increments rather than a single annual exercise. This is particularly important for IT and finance functions, which are the primary targets for social engineering.

Compliance

The story of the RMS Titanic serves as a reminder that regulatory compliance does not guarantee safety or security. The ship carried 24 lifeboats, four more than the British Board of Trade required, yet when it sank in 1912 they were still not enough to save the 1,500 people who died. Organizations must adopt a substantive approach to compliance, moving beyond a “tick-the-box” mentality and committing to meeting and exceeding expectations.

Transparency

Keeping the British theme: in the fall of 2023, the UK National Library fell victim to a major ransomware attack that severely disrupted its operations and compromised sensitive data. The institution decided on a strategy of full transparency, producing and publishing a detailed report on the causes and nature of the attack and on its initial recovery. The report offered important lessons for government organizations, NGOs, and businesses about cybersecurity vulnerabilities and crisis management. The British Library’s report went beyond explaining what happened and why; it set out lessons learned and planned changes. This comprehensive approach should be considered standard practice and could be incorporated into government expectations for private companies that experience a breach.

The attack demonstrates that even institutions with extensive security measures can fall victim to sophisticated cybercriminals. Continual investment in modernizing infrastructure, enhancing security controls, and fostering a security-conscious culture is essential. The potential costs of prevention are far outweighed by the devastating impact of a successful attack on an institution’s operations and reputation.


Questions and considerations for board members

Breaches are inevitable in the rapidly changing environment that we work in, but directors must ask: How would we respond?

In my work with the IMD Board Program, I teach four elements of digital resilience, each of which poses critical questions for boards. These include:

  1. Oversight and governance: Can the organization move from reacting to attacks to anticipating them? Is the organization working on security and privacy by design?
  2. Accountability: Is cybersecurity part of business continuity planning? Is the cybersecurity incident response sufficient and well executed with a follow-up assessment?
  3. Strategic guidance: How are you promoting cybersecurity culture? Is cybersecurity a factor in new business deals with third parties?
  4. Communication: Is there preparation for humble, timely, and honest communication? Is close contact ensured with impacted stakeholders?

To build digital resilience, boards must also consider the following:

  • Your oversight should include emerging technology, but not in isolation: its interaction with the surrounding elements is critical.
  • There is also no one kind of hacker. The motivation, target, perpetrator, and consequence of attacks will change.
  • You inherit your vendors’ vulnerability.
  • Cloud service providers are not immune to attacks.
  • Prevention is only one of the key cybersecurity processes; resilience requires us to focus on response and recovery, too.
  • Planning and road mapping for quantum-safe encryption must start today.

Organizational and country-level resilience

The conversation about proactive digital resilience should not be restricted to your own organization either. The growing complexity of the cyber landscape is exacerbating cyber inequity, widening the gap between smaller organizations and larger, better-resourced ones. The same can be said of developed and emerging economies, which is why a host of new initiatives now focus on developing intelligence on organized cybercrime. These include the World Economic Forum’s (WEF) Cybercrime Atlas, which uses open-source research to create new insights into the cybercriminal ecosystem.

The WEF recently found regional differences in preparedness. While only 15% of respondents in Europe and North America lacked confidence in their country’s ability to respond to a major cyber incident, the figure was more than double that in Africa (36%) and nearly triple in Latin America (42%).


Conclusion

When it comes to a cyberattack, board members are always one step behind, which forces a reactive response. By building digital resilience from the board down, however, directors can become more proactive and have a comprehensive, practiced crisis response strategy in place that protects both the psychological safety of their staff and the security of their organization.

Ultimately, we can’t teach our systems without first training the humans who use them.

Authors


Öykü Işık

Professor of Digital Strategy and Cybersecurity at IMD

Öykü Işık is Professor of Digital Strategy and Cybersecurity at IMD, where she leads the Cybersecurity Risk and Strategy program and co-directs the Generative AI for Business Sprint. She is an expert on digital resilience and the ways in which disruptive technologies challenge our society and organizations. Named on the Thinkers50 Radar 2022 list of up-and-coming global thought leaders, she helps businesses to tackle cybersecurity, data privacy, and digital ethics challenges, and enables CEOs and other executives to understand these issues.
