The podcast and the article are brought to you by The Better Boards Podcast Series.
Theory is one thing, but how can boards make cyber governance and broader technology oversight work in practice?
In this podcast, Dr Sabine Dembkowski, Founder and Managing Partner, is joined by Susanne Alfs. Susanne is a Non-Executive Director and Senior Technology Executive specialising in cyber governance and board-level technology oversight. Bringing both the NED lens and her executive leadership experience, Susanne helps boards translate complex cyber and technology risks into business trade-offs and investment decisions. Previously, she chaired the Group Board Technology Committee of a bank, strengthening oversight of cyber resilience and technology risk. Now, as the founder of Cyber4Directors, Susanne advises boards and senior leadership teams on strengthening cyber resilience, improving board reporting, and shaping effective technology and business dialogue.
“I find in too many boards, there is an unspoken hesitation. Some directors worry they are not technology savvy enough to challenge the technology team, and that hesitation can quietly shift the dynamic in the boardroom.”
Susanne realises boards are very human. Members hesitate to ask certain questions or push conversations because they worry about the depth of their technical knowledge, which compromises meaningful discussions of business impact and risk.
What helps? Susanne recommends that boards approach technology with the same rigour as finance or strategy discussions. Don’t let insecurities block conversations, or let the tech group drown the board in acronyms. Keep the focus on business impacts and risk assessment to steer discussions and shape priorities.
“The first point is to work as a team.”
Technology oversight and governance need to be a team effort. Just as you wouldn’t put just one person on a finance audit, neither should boards leave everything cyber or tech to one individual.
In practical terms, this team-based approach can mean sending questions to the technology group ahead of meetings, explaining three-letter acronyms or banning them outright, and having IT teams collaborate with business or executive teams to enable deeper, more useful board discussions.
Working as a team requires communication and collaboration. Susanne notes that a common language helps and suggests leaning on cyber governance or project execution terms as a foundational lingua franca. She also recommends using corporate secretaries as gatekeepers for board packs, ensuring overly technical materials are revised to allow better group discussions.
“No board should ask for the cyber security team or the technology team to keep them safe, or the organisation safe, because no one is safe, and you can’t avoid incidents.”
When Susanne hears a board call for total safety, she recognises that this simple language conveys unrealistic expectations. Policies and risk trade-offs need to be balanced with performance targets to avoid internal conflicts and offer reasonable protections.
She also recommends breaking down technology projects into shorter sprints. This sprint approach helps the board and business sponsor avoid preventable deviations and reduces the overwhelm of technology project management.
The three top takeaways from our conversation are:
- Work as a team. No board should have just one person focused on this area.
- Establish a common language, drawn from cyber governance or project execution frameworks, so that the board and executives can communicate clearly.
- Get external assurance if you are not comfortable with the practices you are seeing in the organisation.