Episode 146 | 11.2.2026

Boards Say They’re Prepared for a Cyber Attack. The Evidence Suggests Otherwise

Joseph Hubback on executive complacency, asset-based protection, and why resilience must be agreed before crisis strikes.

Listen to the full podcast episode on YouTube, Spotify, and Apple Podcasts.

Confidence in the Face of Weekly Attacks

Cyber attacks are no longer exceptional events. They are operational realities. Ransomware halts systems. Data breaches expose customers. Supply chains stall.

Yet most boards remain confident.

Joseph Hubback, Advisory Partner and CISO at Elixirr, reviewed research across roughly 1,000 companies. Ninety-four percent of boards said they felt comfortable with their security posture.

The statistic sits uneasily alongside the frequency of disruption.

“When the attack happens, the CISO will do all they can,” Joseph says, “but it’s the CEO and the executives that will be in the limelight.”

Cyber security, in that moment, becomes executive.

The issue is not whether frameworks exist. It is whether leadership understands what is truly at risk.

 

From Industrial Engineering to Cyber Governance

Joseph did not begin in cyber.

He started as an engineer, building chemical factories at ICI Plc. He later moved into commercial and strategic roles before becoming a partner at McKinsey & Company.

Security entered his career through client work in the late 2000s. It remained.

Today, at Elixirr, he advises clients globally while also serving internally as CISO. The combination keeps him close to both governance questions and operational exposure.

 

The Conversation Has Not Moved On

Executives often repeat that cyber security is no longer just a technical issue. It is a people issue. A leadership issue.

Joseph questions the novelty of that claim.

“Fifteen years ago we were talking about it as a people issue as much as anything else.”

In his view, the language has evolved without changing behaviour. Compliance frameworks have expanded. Certifications are widely pursued. Audit outcomes provide reassurance.

But attackers do not target frameworks. They target value.

The repetition of the insight has not produced structural change.

 

From Compliance to Asset Protection

Joseph believes education efforts are often misdirected.

Organisations train employees to recognise phishing emails and suspicious links. Attack techniques evolve constantly. The training ages quickly.

He proposes a simpler foundation: define the assets.

In the physical world, people instinctively protect wallets and keys. In the digital world, identity, data, intellectual property and operational systems carry equivalent weight. Yet many leadership teams have not clearly defined what must be protected first.

“If you explain to people what it is that is now important for them to protect,” Joseph says, behaviour changes.

At board level, this means identifying the value streams that generate revenue. Which digital systems enable trading. Which processes, if interrupted, would damage trust or liquidity.

In one client example, business leaders and security teams mapped these value streams together. The dynamic shifted. Security ceased to be viewed as “the department that says no” and became aligned with protecting continuity.

The conversation moved from standards to survival.

 

Comfort and Exposure

The 94 percent confidence figure remains central.

Boards often equate completed controls with resilience. Certifications and dashboards provide comfort.

Yet when an attack occurs, decisions escalate immediately.

Do we shut systems down?
Who do we inform first?
How do we communicate with customers?
How do we coordinate employees across regions?

“It becomes a collective exercise,” Joseph says. “When an attack happens, you’ll all be involved.”

The exposure is visible. Accountability shifts to the executive team.

Confidence, in that moment, is tested.

 

From Collaboration to Commitment

Collaboration is frequently cited as the solution.

Industry forums convene. Information is shared. Best practice circulates.

Joseph supports information exchange. He questions whether it goes far enough.

He points to the response following the NotPetya attack on DLA Piper. Clients and competitors provided practical support. Capacity was shared. Documentation was restored. Recovery depended on those relationships.

That cooperation was operational.

Joseph argues that organisations should define such arrangements in advance. Who provides temporary infrastructure. Who safeguards data copies. How supply chains will respond if one party is incapacitated.

Without defined commitments, resilience relies on goodwill.

The distinction is subtle but material. Discussion is not the same as agreement.

 

Urgency After the Breach

Joseph has observed a pattern.

Following a significant attack, executive attention intensifies. Investment rises. Governance improves. The urgency lasts three to four years.

Then it fades.

Digital transformation, however, continues to expand exposure. Cloud infrastructure grows. Systems integrate further. Ecosystems interconnect.

Risk compounds faster than memory.

Cyber security, Joseph argues, is not primarily a technology problem. It is a governance question.

“When the attack happens,” he says, “it’s the CEO and the executives that will be in the limelight.”

Preparation is quiet. The breach is public.

The distance between those two moments is leadership.

© 2026. The Responsible Edge Podcast. All rights reserved.
The Responsible Edge Podcast® is a registered trademark.

Sponsored by truMRK
