
By Dr. Kiran Kewalramani, CEO & Founder, Cyber Ethos

Every week, another corporate brand finds itself in the headlines for all the wrong reasons. Optus. Latitude. iiNet. Qantas. Different industries, different challenges, but one strikingly similar stumbling block: customer trust evaporating almost overnight. What links these cases is not simply a technical breakdown. It’s a failure of governance.

Cybersecurity is no longer an “IT issue” tucked away in the basement of the organisation. It is a strategic risk that belongs in the boardroom. Yet too many directors remain cyber illiterate, nodding politely at technical briefings without knowing what questions to ask or how to hold management accountable. That lack of literacy has become one of the greatest vulnerabilities in modern corporate life.

As a technologist specialising in cybersecurity, data privacy, and cloud solution enablement, I often tell boards the same thing. You don’t need to know how to configure a firewall, but you do need to know which questions cut through the noise. Directors should be asking: What data would cripple us if it leaked? How do we measure our cyber resilience? Are we keeping pace with peers or lagging behind? These aren’t technical questions. They are governance questions. And when they go unasked, shareholders and customers pay the price.

Some Hard Learned Lessons From Optus, Latitude, and Beyond

The cautionary tales of recent years reveal a common blind spot. Latitude and Optus stumbled in the public eye, their responses leaving customers feeling abandoned. iiNet and Qantas also found themselves caught on the back foot. Qantas, to its credit, weathered its own incident with more composure, but even there the board was forced into crisis management under the glare of the media.

These failures underline a simple truth. Customers expect their data to be protected. Regulators are catching up to that expectation. The government’s recent $694,000 fine imposed on Exetel for breaches of anti-scam obligations is a signal that corporate Australia can no longer treat cyber lapses as isolated mishaps. Accountability now rests squarely with the board.

In each of these cases, the boardroom was the weak link. Directors failed to anticipate the storm, failed to demand evidence of preparedness, and failed to understand that trust is now as valuable a corporate asset as capital.

The CFO Trap

One of the most common mistakes I see is boards defaulting to the CFO to manage cyber risk. On the surface, it feels like an elegant solution: fold cyber risk into the finance function, which already has oversight of enterprise controls. But in practice, it is a dangerous abdication.

CFOs excel at balance sheets, cashflow, and financial risk management. But cybersecurity and threat management rarely fall within their expertise. Asking them to lead on cyber is like asking the head of marketing to sign off on the financial statements. It’s outside their training, unfair to them, and it leaves the organisation exposed.

The smarter course is to bring cyber expertise into the boardroom deliberately. That might mean appointing a director with the right background, engaging independent advisors, or creating a dedicated cyber risk committee. However it is achieved, the outcome must be the same: boards cannot afford to steer blind on the single most pressing risk to resilience in 2025 and beyond.

What Real Cyber Governance Looks Like

Strong cyber governance isn’t a glossy binder of policies that gather dust. It is a lived practice that evolves with the threat landscape. Policies must be treated as living documents, updated and stress-tested regularly.

Yes, frameworks such as ISO 27001, the NIST Cybersecurity Framework, RFFR, SMB1001 and the Essential Eight provide structure and discipline. But they only matter if the board insists on translating those frameworks into action. That means cyber is a standing agenda item at every board meeting and every audit and risk committee meeting. It means maturity assessments and independent reviews are commissioned, discussed, and followed up. It means directors themselves are investing in their own literacy, through programs like the AICD’s Cyber at the Board Level course, rather than assuming knowledge will trickle up from management.

Most importantly, it means boards making their appetite for cyber risk clear and consistent. Where the appetite is low, they must back that stance with investment and oversight. Where the appetite is higher, they must be transparent about the trade-offs. Governance comes alive only when directors see cyber as part of the organisation’s strategy, reputation, and resilience, not as a compliance tick-box.

The Cost of Poor Hygiene

Poor cyber hygiene is no longer an IT slip-up. It is a direct liability. ASIC and APRA have already made it clear that directors are accountable. Class actions are a live risk. The Australian Institute of Company Directors has amplified that warning to its members.

But the market often punishes faster than regulators. A breach can trigger an immediate dip in share price. Customers defect to competitors. Investors demand answers directors may not have. Optus, Medibank, Latitude, MediSecure: the names are different, but the story is the same. Trust disappears in days, while reputational damage lasts for years.

For directors, the writing is on the wall. Cyber resilience is now integral to fiduciary duty. It cannot be outsourced, delegated to the wrong executive, or ignored. In a marketplace where trust underpins value, your board’s posture on cyber risk is inseparable from your organisation’s valuation.

For boards wanting to close this gap, the smart move is to build cyber capability into the governance structure. At Cyber Ethos, we work directly with boards through our Cybersecurity at the Board program, designed to give directors the clarity, framework and confidence they need to oversee cyber risk appropriately.

A Call to Directors

As a fellow board director, here is what I remind my peers: cyber risk is not something you delegate away. It’s a boardroom blind spot and a leadership responsibility. In 2025, the weakest link in cyber resilience is not the firewall. It’s the boardroom.

Directors can stay complacent, or they can choose to evolve. The boards that lead will embed cyber at the heart of their decision-making, and those that don’t will be explaining themselves in courtrooms and shareholder meetings.

Dr. Kiran Kewalramani