For many years, cybersecurity lived comfortably in the technology function. It was discussed in terms of firewalls, system uptime, and compliance dashboards, often several layers removed from boardroom scrutiny. Today, that framing is no longer sufficient.

Cyber risk now sits at the intersection of strategy, reputation, financial performance, regulation, and trust. When cyber incidents occur, the consequences are not technical inconveniences. They are leadership failures, governance tests, and enterprise value shocks.

In this new reality, boards are being asked different questions. Not “Did IT follow best practice?” but “Did leadership make the right decisions?” Not “Can we stop everything?” but “How quickly can we detect, respond, recover, and communicate?”

To explore this shift, The Connectors Code speaks with Jummy Olaiya, Non-Executive Director and Cyber Governance and Digital Risk Leader, whose board-level experience spans critical national infrastructure, financial services, and the public sector. In this first part of our series, we examine why cybersecurity must now be understood as a core leadership discipline and what boards must do differently as a result.

Interview

Many leaders still see cybersecurity as an IT issue. Why do you believe this mindset is now outdated?
Historically, cybersecurity sat squarely within the technology function and was measured through technical controls such as firewalls, system availability, and compliance checklists. That made sense in an earlier era.

However, in today’s environment, cybersecurity is fundamentally about protecting enterprise value and sustaining trust.

That reframes it as a leadership issue, not a technical one.

When a cyber incident or breach occurs, the impact is immediate and far-reaching. Revenue can be disrupted. Reputation can be damaged. Shareholder value can be eroded. Regulatory investigations and public scrutiny often follow, and it is the board that is ultimately held accountable.

This is not something IT alone can resolve. It requires active board oversight and leadership involvement. When cyber fails, the most important question is no longer “What did IT miss?” but “What decisions did leadership make?”

You often describe cybersecurity as leadership capital. What do you mean by that?

A leader’s ability to understand, govern, and prioritise cyber risk has become a direct measure of their credibility and readiness to lead in a digital world.

In practical terms, cybersecurity now functions much like financial or reputational capital. Leaders who take it seriously demonstrate competence, responsibility, and integrity. Over time, that trust compounds. Once it is lost, it is extremely difficult to rebuild.

This also sends a clear governance signal. Boards and executive teams that treat cybersecurity as a leadership issue demonstrate foresight and accountability. Those that do not are often exposed when it matters most.

From your experience sitting on boards, what is the biggest misconception directors have about cyber risk?
The most common misconception is believing that cyber risk can be effectively delegated.

Once responsibility sits with the CIO, CISO, or IT function, many boards feel their role is largely fulfilled. Directors may take reassurance from compliance reports, maturity scores, or dashboards. But the reality is that cyber risk evolves far faster than reporting cycles.

The real question for boards is not “Can we stop everything?” but “How quickly can we detect, respond, recover, and communicate when something happens?”

Cyber risk is a leadership and governance responsibility. Boards that recognise this early are far better positioned to protect enterprise value and maintain stakeholder trust.

Where should cybersecurity sit on the board agenda: audit committee, risk committee, or the full board?

Cybersecurity affects strategy, operations, reputation, financial performance, regulatory exposure, and stakeholder trust.

Anything with that breadth belongs on the full board agenda.

That said, the Risk Committee should take primary ownership of cyber risk oversight. This is where boards can focus on threat landscape awareness, resilience, third-party exposure, incident preparedness, and alignment with enterprise risk appetite.

Cyber incidents carry board-level consequences, from operational disruption to regulatory scrutiny and reputational damage. As such, all directors need sufficient visibility and understanding to challenge management and make informed decisions.

What are the three questions every board should be asking about cyber today?

First, if a cyber incident happened tomorrow, how quickly would we know and who would be in charge? This speaks to visibility, clarity of roles and responsibilities, escalation processes, and decision-making under pressure.

Second, where are we most exposed? Is it within our own organisation, or through the third parties we depend on? Supply chain risk, vendor risk, cloud services, and outsourcing arrangements are often the weakest links.

Third, are we investing in resilience or only in prevention? Prevention will never be perfect. Boards must understand how well the organisation can withstand disruption and recover when incidents occur.
Closing Reflection

Cybersecurity is no longer a technical line item or a periodic compliance update. It is a test of leadership judgement, governance maturity, and organisational resilience.

In this first part of our series, one message is clear. Boards that treat cyber risk as a leadership issue are not only better protected, they are better positioned to lead with credibility in a digital world.

Part Two will explore how boards can practically elevate their cyber oversight and what “good” really looks like when things go wrong.

About Jummy Olaiya

Jummy Olaiya brings over 20 years of experience across critical national infrastructure, financial services, and the public sector. She is known for translating complex cyber risk into clear, strategic decisions for boards.