Cyber risk now has a seat at the board table, but is anyone sitting in it?

"This is the worst day of my professional career."

I have sat with senior executives who have said those words. They are never the people you would expect  Not the reckless ones, not the negligent ones. They are experienced, serious professionals watching as their organisation grind to a halt, uncertain how bad things are or when it is going to end, while their technical teams work through the night.

That is the moment when every prior decision about cyber risk gets re-examined. The underinvestment. The assurances taken on trust. The risk register entry that stayed red for three consecutive years. It is a brutal and unexpected audit, and it happens in public.
Getting ahead of this requires boards to treat this as what it is - a governance problem, not a technology problem.

What We Are Actually Facing

Ireland's National Cyber Security Centre recently published our National Cyber Risk Assessment. The assessment is stark. Three systemic risks dominate:

• a geopolitical security environment that has deteriorated significantly; 
• the security implications of rapid advances in emerging technology, such as AI and Quantum computing being adopted faster than organisations can secure it; and 
• supply chain vulnerability: an increasingly interdependent and fragile digital ecosystem.

These are not abstract threats. In November 2023, a state-aligned actor accessed programmable logic controllers in an Irish water facility and left roughly households in the West of Ireland without water for days. Similarly, just last month global US medical device firm was attacked on foot of the US/Israeli attack on Iran leading to production halting on several large manufacturing sites in Ireland. These attacks were not aimed at Ireland; however, we were caught in a wider campaign, but that is precisely the point. You do not need to be the target to be the victim.

The geopolitical dimension matters here in ways that Irish boards need to understand directly. Russia's war in Ukraine has been accompanied by sustained cyber operations against European infrastructure. Chinese state-sponsored actors are conducting long-term pre-positioning campaigns against critical networks across the West, establishing footholds years in advance of any potential use. Hacktivist groups, frequently operating as proxies for state interests, are targeting democratic institutions and the organisations around them.
Ireland's profile in this environment is higher than many appreciate. We are home to the European headquarters of many of the world's largest technology companies. Our subsea cable infrastructure is strategically significant. And from July 2026, Ireland assumes the Presidency of the Council of the European Union - six months during which the Irish Government will be at the centre of sensitive negotiations, managing complex legislative files, and representing European interests internationally. The experiences of previous Member State presidencies have demonstrated that the State can expect increase in hybrid activity, including cyber attacks from nation state, criminals and hacktivists alike.

What the Law Now Requires

The Irish Government is transposing the EU's NIS2 Directive through a new National Cyber Security Bill in the coming months. The obligations it creates are significant, and they land squarely on boards. Article 20 of the NIS2 directive is explicit. Management bodies must approve and supervise cybersecurity risk management measures. Boards now also have a responsibility to undergo training to allow them to assess and manage that risk appropriately. This is not something that can be delegated downward and forgotten. The board owns it. That is the right outcome. Not because of the compliance burden, but because it reflects the reality of where decisions about resource, risk appetite and organisational priority actually get made. They get made in boardrooms. That is where cyber risk needs to live.

The Questions That Matter

That does not mean that boards need to become extremely technically proficient. It means they must do what they already do with every other material risk - interrogate it.

There is a short set of questions that any board should be able to answer, or have answered for them, on a regular basis.

• What is our current cybersecurity posture, and what data do we have to measure it? 
• Where are our significant gaps, and what is the plan to address them? Is that plan resourced, or is it aspirational?
• Which systems are genuinely critical to our ability to operate? Have we mapped that technology dependency to business impact?
• If we suffered a serious attack, do our business continuity and disaster recovery plans work? When did we last test them properly - not a tabletop exercise, but something that revealed whether the plans reflect the complexity of reality?

These are not technical questions. They are governance questions. Boards that cannot answer them are carrying significant risk.

The Calibration Problem

There is a specific deficiency I see repeatedly. An organisation states a very cautious risk appetite - they do not want to be exposed and take their responsibilities seriously - but the resource committed to cybersecurity does not reflect that position. The gap between stated appetite and actual investment is where organisations get hurt.

Cybersecurity must be a cost of doing business. For regulated entities, or those operating in critical supply chains there is no longer a choice about whether to resource it. The question is whether you resource it before the incident or after it - and the cost differential between those two options is not small.

The executives I have sat with who used those words - worst day of my professional career - were not reckless people. They had not been given the right information. They had not asked the right questions. And their boards, without malice, had not ensured the organisation was genuinely protected, only that it appeared to be. That is the distinction boards need to sit with. Not reassurance. Assurance.

This article is the view of the author(s) and does not necessarily reflect IoD Ireland’s policy or position.

About the Author

Joseph Stephens is Director of Resilience at the Ireland's National Cyber Security Centre (NCSC‑IE), where he leads functions spanning strategic threat assessment, critical infrastructure compliance, and national cyber capacity development. 

He previously served as an officer in the Irish Defence Forces, including a specialist role within the Army Ranger Wing. He represents Ireland on several international cybersecurity forums, including the EU NIS Cooperation Group and the International Counter Ransomware Initiative, and sits on the board of the European Cyber Security Competence Centre. 

He holds an MSc in Forensic Computing and Cybercrime Investigation from University College Dublin and was a Fulbright Cybersecurity Scholar and visiting researcher at Boston College.