Cyber strategy: where risk appetite meets resilience

Once board directors start engaging with cyber security, many are surprised by the breadth of the topic. Cyber resilience is not built by the technology team alone, and it is not achieved simply by having an incident response plan. Response capability matters, but boards also need to think about prevention, recovery, ownership, culture, third-party dependencies, and whether investment is aligned with the organisation’s priorities. The UK Cyber Governance Code of Practice[1] reflects that reality by treating Strategy as a distinct board governance principle.

A cyber strategy should explain, in business language, how the organisation intends to achieve and maintain the level of cyber resilience it needs. It should connect cyber priorities to business objectives, operating context, regulatory obligations, and risk appetite. Without that anchor, cyber tends to surface through disconnected board items: digital transformation programmes, HR and culture initiatives, budget planning, audit observations and compliance submissions, rather than as a coherent strategy. The result is activity without a clear line of sight to resilience.

A good cyber strategy helps the board answer four fundamental questions. 

1. What matters most to protect?

2. How resilient are we today?

3. What level of cyber risk are we willing to accept?

4. What actions and investments are required to close the gap?

A framework developed by NIST[2] (the US National Institute of Standards and Technology) is useful here because it distinguishes between a Current Profile and a Target Profile. In other words, it expects organisations to describe where they are now, where they need to get to, and which priorities will move them forward. That is strategy.

The World Economic Forum[3] frames this as a governance duty: directors should test the organisation’s business strategy and growth drivers through a cyber-risk lens. The board-level takeaway is that cyber strategy should not sit alongside business strategy as a separate document; it should be a companion strategy that maps directly to business priorities and makes the dependencies explicit. If the organisation is pursuing digital transformation, outsourcing, AI use, or expansion, the cyber strategy should show how cyber resilience will be built into those moves and what investment is required to deliver them safely.

What should directors ask for when commissioning a cyber strategy?

  • Make it interdisciplinary. Ask the cyber strategy to be developed jointly across business, technology, risk, legal, compliance, and other relevant teams. 

  • Address what matters most. The strategy should start with critical services, disruption scenarios, and recovery.

  • Be explicit about risk appetite. The strategy should show what is above tolerance today, what will be reduced first, and what the board is asked to accept.

  • Request a prioritised portfolio. Ask for a sequenced portfolio of initiatives with cost bands, owners and dependencies, linking each proposed action to improved resilience.

For boards, the value of a cyber strategy is simple: it turns cyber from a scattered set of concerns into a coherent resilience agenda that can be discussed, challenged, funded, and overseen. If your organisation doesn’t yet have a cyber strategy, consider commissioning one. We have created a cyber strategy template that you can use as a commissioning brief and review checklist for you to download here: C4D Cyber Strategy Template.

[1] UK Department for Science, Innovation and Technology, Cyber Governance Code of Practice, 2025, https://assets.publishing.service.gov.uk/media/67ffbb30b73354468d135556/Cyber_Governance_Code_of_Practice_-_one_page_summary.pdf

[2] National Institute of Standards and Technology, The NIST Cybersecurity Framework (CSF) 2.0, 2024, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf, page 3

[3] World Economic Forum, Principles for Board Governance of Cyber Risk, Insight Report, March 2021, https://www3.weforum.org/docs/WEF_Cyber_Risk_Corporate_Governance_2021.pdf
