By Martin Greenfield, Founder & CEO at Quod Orbis
For any professional who represents a brand, staying on top of the news agenda is a fundamental part of the job, so there’s no doubt that recent high-profile data incidents at Jaguar Land Rover, M&S, Co-op and others will have been a topic of discussion to some extent. Each of these incidents highlighted just how quickly customer trust, share price and brand equity can be damaged when data is reported to have been leaked, leaving customer data at the disposal of threat actors.
Historically, it has been left to IT and security teams to mitigate the impact of such incidents, yet it’s the businesses, and their customers by association, who feel the impact. It’s therefore clear that data security must be on the agenda for the whole C-suite, yet boardrooms often remain misaligned on cyber risk. In its latest annual review, the National Cyber Security Centre (NCSC) and its CEO, Richard Horne, verified the need for cybersecurity to become a boardroom priority now that incidents are increasing in frequency, sophistication and impact.
The boardroom disconnect
When it comes to the way boards navigate cybersecurity reporting, our own research from a survey of 500 IT decision-makers found that while 89% say they are satisfied with the feedback they get from the reports they supply, some dismissive attitudes persist. As part of the survey, we asked for the most ill-informed questions that board members have asked IT teams, with responses including: “Hackers only target big firms”, “Can we just install some antivirus software and we’re good to go?”, and “Why do we need to invest in cybersecurity when our company does not have anything worth stealing?”
Such questions reveal a deeper disconnect: many boards lack a practical understanding of cyber risk. The board is made up of experts in finance, legal or operations who are more accustomed to periodic dashboards than to the real-time, fast-moving nature of cyber threats. So whilst they may be satisfied with the contents of the board report, do they really understand what it means?
In some cases, leaders avoid deeper visibility altogether, wary that it might expose gaps they feel unprepared or under-resourced to address. Cultural inertia also plays a role: if board members aren’t prioritising continuous monitoring, boards rarely push for it themselves, which is another reason why stronger guidance from government and regulators is increasingly necessary.
This disconnect creates operational risk. When leaders do not share a clear, consistent mental model of cyber threats, governance falters, decisions slow, responsibilities blur and reporting becomes fragmented or misunderstood. Effective alignment demands active engagement and a willingness to treat cybersecurity as a core business issue. Leadership must therefore come from the top, and it must empower technical teams to translate cyber risk into business risk with clarity and credibility.
Cyber risk equals brand risk
Cybersecurity has now moved well beyond the confines of IT to become a pivotal factor in brand reputation. Naturally, customers and investors judge organisations not just on whether a breach occurs, but on how quickly, clearly and honestly the organisation communicates. Ultimately, they want to be reassured that they can trust the brand to protect their sensitive information.
What is increasingly clear is that transparency, delivered confidently and consistently, can enhance trust. When organisations explain what has happened, what it means and what they are doing about it, stakeholders respond positively. Accountability and clarity are a far better approach than waiting for speculation to fill the vacuum.
To achieve this, marketing and communications teams must be part of the process from the outset. Their understanding of audience expectations, tone of voice and reputational risk makes them essential partners in shaping how cyber risk is communicated and managed long before an incident unfolds.
Building shared accountability across IT, Marketing and the Board
Closing the gap between different departments depends on creating a shared language of risk so that threat intelligence can be translated into operational, financial and brand impact that every leader can understand and act upon. This begins with accurate, real-time insights that provide business-level context alongside technical detail to give decision-makers a unified view of exposure and readiness.
Alongside this, clear ownership models ensure that teams know exactly who is responsible for communication, who is leading the technical response and who is accountable for governance and decision-making. When these elements are in place, organisations respond more quickly and more coherently, reducing both operational disruption and reputational harm.
What good incident reporting looks like today
Modern incident reporting is built on several core principles. It requires transparency without sensationalism, offering clear explanations of what is known, what is still being investigated and what steps are being taken. When a breach occurs, it can be just seconds before your brand is making headlines for a data leak, so an effective response demands timely updates that prevent speculation from filling the information gap.
Effective breach communication should recognise that employees, customers, partners and investors each need tailored messages that address their specific concerns. It should ensure consistency across every channel and spokesperson, so the organisation speaks with one voice.
The most effective organisations today publish incident communications in a way that is simple to understand, explaining the nature of the risk and the controls in place without relying on jargon or technical depth. In an environment where trust can be lost in minutes, good communication is just as important as good containment.
The fact is that cyber incidents are almost inevitable; however, their impact is manageable when leadership is aligned, reporting is integrated and communication is honest. Trust and integrity become the factors that determine whether stakeholders feel reassured or exposed.







