The Better Boards Podcast Series

It’s not if, it’s when: the strategic role of Boards in the cyber-risk age | Beatrice Devillon-Cohen, Senior Independent Director and Chair of Risk Committees



Cybersecurity is a core business risk that can impact the entire organisation. Boards are challenged to understand how cyber threats impact financial performance, reputation, and regulatory obligations. Boards need to build awareness of their organisation’s cyber security posture, protection measures, and incident response protocols. 

In this podcast, Dr Sabine Dembkowski, Founder and Managing Partner of Better Boards, is joined by Beatrice Devillon-Cohen. Beatrice has over 25 years of investment banking experience, having led traders’ teams across the UK, Europe, Asia, and the US. She has now developed a portfolio of non-executive positions, having recently served on the Audit Committee of the European Investment Bank and the Finance Committee at King’s College, London. 

“The Rule of Three is important when it comes to cybersecurity.”

As Boards seek to manage and survive cyber threats, the Rule of Three comes into play. On average, in a cyber event, there are three days of chaos, three weeks of systems rebuilding, and three months of constant IT problems. 

“What has been changing over time is the cyber-criminal groups. They are now running their operation as a business, selling cyber attacks as a service.”

The criminal ecosystem has gone professional. While there will always be bored teenagers or disgruntled employees, the more serious players run their operations like business ventures. They sell cyberattacks as a service, backed by deep resources, skilled talent, and vast networks.

“You need to work on mitigation, responding to an attack, and recovering. That's your battleground.” 

While cyber threats can’t be entirely avoided, Beatrice counsels Boards not to despair. There is plenty that can be done. It begins by understanding how threats work.

A primary attack path is through links in emails. One click installs malware that hackers can use for access. Caution and education can help prevent this.

Another primary attack path is third-party providers. External suppliers are compromised and used as a bridge into your own internal system. 

“Never hope for the best when it comes to cybersecurity, because hope will not be a strategy.”

Boards are accountable for cyber risk oversight (see the UK Cyber Governance Code of Practice). They need to make it a strategic priority. Build relationships with IT heads, show curiosity, and build trust. 

Get a strong dialogue going. Educate within the organisation and with third-party partners. Create a no-blame culture so that if something happens, it is escalated immediately, which can limit its impact.

“It's our own duty to upskill, stay current, and think around the corner on that subject, like any other subject in the boardroom.”

Cyber culture starts at the top. It is not “too complicated” to pick up basic cyber safety skills or understand risk. Plus, with AI and quantum computing on the horizon, any actions Boards can take—and lead their companies to take—will help prepare for future risks.

The three top takeaways from our conversation for effective boards are:

1. Cyber risk is a business risk. Own it as such.

2. Don't hide, as a Board member, behind “it's too technical and not for me”. Upskill, be curious, and engage with executives.

3. Prepare for it. Run exercises and test regul

If you would like to become part of the Better Boards community, learn about our distinctive approach and explore opportunities to work with us or contribute to The Better Boards podcast series, get in touch at [email protected]. We love to hear from you.




The Better Boards Podcast Series, by Dr Sabine Dembkowski
