Featuring Glen Williams, Cyberfort CEO
Boards across the UK — and indeed the world — are under pressure to evolve for the digital age. But who’s leading the change?
There was a time when technology was treated as a support function — something for the CIO to handle, outside the boardroom and out of scope for most non-executives. That time has passed.
Digital transformation, cybersecurity, and artificial intelligence now sit squarely in the path of corporate strategy, and boards are being challenged to adapt. Investors, regulators, and risk committees are asking whether boards truly understand the technologies shaping their businesses — and whether they are capable of overseeing them responsibly.
Yet recent data paints a stark picture. Fewer than 15% of large UK companies identify a named board member or committee responsible for cyber oversight. Only 3% of new FTSE 350 non-executive director (NED) appointments in 2022 came from a cybersecurity background. And in a global Deloitte survey, just 14% of boards reported that AI appears on every meeting agenda.
For years, boards approached cyber risk as a technical or compliance issue — a matter for the IT function. That’s now shifting. “It is no longer just about reactively putting firewalls in place or ticking boxes for compliance,” said Glen Williams, CEO of Cyberfort. “The conversation has evolved to focus on proactive resilience — especially as AI has started to shape both the threat landscape and the potential solutions.”
This shift has revealed significant capability gaps. According to Spencer Stuart’s UK Board Index 2024, digital transformation experience is now one of the top three criteria in NED recruitment briefs — yet the talent pool remains limited. Heidrick & Struggles notes a growing demand for directors with operational tech expertise, rather than just plc credentials.
Williams is seeing that trend first-hand. “Boards want people who can challenge assumptions, ask the right questions of their executive teams, and provide insight when critical tech-related decisions are on the table,” he said. That includes directors with experience in cybersecurity, data governance, and cloud infrastructure — but also those with backgrounds in inclusive innovation and change leadership.
James Lei, COO at Sparrow, confirmed that boards are increasingly open to non-traditional candidates. “Non-executive director appointments increasingly prioritise candidates with strong backgrounds in technology, data science, and cyber governance,” he said. “Boards are becoming more open to recruiting beyond traditional public company executives, welcoming leaders from tech firms and startups who bring fresh perspectives and agility.”
Still, the pace of change has been uneven. “Some boards are fluid and adaptable,” said Ciaran Bollard, CEO of the Corporate Governance Institute. “Others are very prone to groupthink and traditionalism, and so will not actively seek to branch out into experience from tech or startups.”
Changing the game
One consequence of this shifting landscape is a redefinition of what it means to be “board ready.” Technical literacy, once a desirable add-on, is increasingly seen as a prerequisite. According to Odgers Berndtson, there has been a 60% rise in mandates for digital or cyber-risk NEDs across FTSE 350 and large private companies.
That change isn’t limited to new appointments. Many boards are investing in upskilling for existing members. The National Cyber Security Centre now offers a free governance training package for board use, while the Institute of Directors and CGIUKI have launched dedicated AI bootcamps. Major consultancies such as PwC and KPMG are also running board-focused modules on AI assurance and quantum-resilient cyber controls.
“Forward-thinking boards are doing both,” said Williams. “Upskilling existing board members is essential but so is bringing in fresh expertise that accelerates that learning and brings a different lens to the table.”
Bollard agrees that board learning and succession planning are central to bridging the capability gap. “Board committees are a very important aspect of ensuring expertise in particular areas like Risk and AI,” he said.
Despite growing awareness, many boards still struggle to manage digital risk at the right level. “Too many boards are still structured around models that were built for a different era,” said Williams. “AI in particular is not just a technological issue but presents a governance challenge that cuts across every committee — from audit to risk to strategy.”
Failure to adapt can have real-world consequences. When TSB suffered a catastrophic IT migration failure in 2018, an independent review found that the board lacked deep integration experience and relied too heavily on executive assurances. In 2023, Capita was hit with a ransomware breach that cost £25 million — and faced scrutiny for lacking a dedicated cyber-risk director. At the British Library, a cyberattack led to months of disruption after vulnerabilities in ageing infrastructure were left unaddressed.
The risk environment is growing more complex. “Cybersecurity is a dynamic industry where new threat vectors are appearing faster than ever,” said Sam Thornton, COO of Bridewell. “A continuous improvement and upskilling programme should be an ongoing requirement for individuals operating in the sector.”
That means rethinking oversight structures, too. Some boards are responding by establishing dedicated digital or risk committees. Tesco now operates a Technology & Data Committee at board level, chaired by an independent NED with a CIO background. NatWest recently elevated its Chief Digital & Data Officer to the main board. Rolls-Royce appointed a former Microsoft UK CEO to a newly created digital oversight role, folding cyber risk into its Safety and Sustainability Committee.
What boards should do next
For boards still catching up, several practical steps can help close the risk-readiness gap:
- Conduct a digital skills audit of the board and its committees to identify critical shortfalls in oversight capacity.
- Establish a formal responsibility for cyber, AI, or digital risk within an existing committee — or create a dedicated subcommittee.
- Allocate recurring agenda time to technology risk, not just in response to incidents but as part of strategic oversight.
- Invest in independent board training, such as the NCSC’s Cyber Governance Toolkit or specialist AI literacy sessions.
- Engage with external advisors or digital non-executives who can provide challenge and independent perspective on technology investments and risk.
Each of these actions supports a more resilient, responsive board — one capable of meeting today’s risks and preparing for tomorrow’s.
What next-gen boards look like
These are not isolated moves — they point to a broader shift in what effective governance will require. Progressive boards are moving beyond token appointments and one-off workshops. They are rethinking structure, culture, and competence.
“Boards that embrace continuous learning, diverse thinking, and cross-functional collaboration will be much better placed to thrive in this new complexity,” said Williams.
Thornton notes that investor scrutiny is also playing a role. “Cyber budgets are coming under increased pressure and therefore the discussions around cyber risk are becoming more common place in the boardroom,” he said. That pressure, he suggests, is driving organisations to mature faster in their risk assessments and board-level readiness.
According to John Young, Principal Consultant at TSG Training, the most resilient boards are those that strike a balance. “Balancing these approaches helps boards maintain continuity while injecting the knowledge needed to navigate rapidly evolving digital landscapes,” he said.
Mehdi Paryavi, Chairman of the International Data Center Authority, takes a wider view. “Boards must be highly aware of risk management in creating and maintaining their data and digital assets,” he said. “Cybercrime and cyberterrorism today is not just about potential financial loss, but the real existential threat these attacks pose to all organizations.”
The challenge for UK boards is no longer awareness; it’s action. The technological landscape is evolving faster than most governance models were designed to handle. That makes structure, training, recruitment, and cultural adaptation all the more urgent.
“If the board cannot adapt,” said Bollard, “then its structure is not fit for purpose: plain and simple.”
For those willing to evolve, the opportunity is clear: to build boards not only fit for today, but ready for whatever comes next.
Read the article on Business Quarter here: https://businessquarter.substack.com/p/boardroom-skills-for-the-next-economy
