How cyber and information risk have become a boardroom test of resilience, governance, and executive judgment.

Cybersecurity has moved far beyond the IT function. For boards, CEOs, CFOs, and senior executives, the question is no longer whether the organization can avoid every attack. The real question is whether it can withstand one.

For Tobias Jaeger, expert in risk management and organizational resilience and Founder & CEO of Falcone International, this marks a fundamental shift in executive responsibility. Cyber risk is now about continuity, customer trust, financial exposure, regulatory accountability, and the ability to make high-stakes decisions under pressure.

In this interview, Jaeger explores the shift from prevention to resilience, the board’s growing accountability under NIS2 and DORA, and the human discipline required to lead through cyber incidents.

Tobias Jaeger, Founder & CEO, Falcone International

“Cyber is no longer a department. It is the business.”
– Tobias Jaeger, Founder & CEO, Falcone International



Cyber risk now lands on the board’s desk

Tobias Jaeger sees the urgency clearly. “We’ve reached a tipping point where ‘Digital & IT’ is no longer a department; it is the business,” he says. “If your systems are down, your revenue is probably zero.”

That operational reality is now reinforced by a changing regulatory landscape. NIS2 and DORA have, in his words, “fundamentally changed the stakes by introducing personal accountability.”

“In the past, an executive could shrug and say, ‘Talk to the CISO.’ Today, the regulator says, ‘We’re talking to you.’ These frameworks demand that leadership doesn’t just ‘approve’ a budget, but actively oversees risk and understands the threat landscape.”

That does not mean every executive needs to become a technical specialist. But it does mean cyber literacy is becoming a leadership requirement. “It’s no longer about avoiding a hack, that’s nearly impossible, it’s about ensuring the organization is resilient enough to survive one,” Jaeger argues. “If you can’t demonstrate that oversight, the legal and financial consequences now land directly on the desks of the board.”

The false comfort of the ‘Firewall Fallacy’

When executives and board members believe they have cyber risk under control, one dangerous assumption appears again and again. “The most dangerous misconception is the ‘Firewall Fallacy’, the belief that because we’ve spent millions on sophisticated software, we are ‘safe.’ Technology is only as good as the humans operating it and the processes supporting it.”

The deeper blind spot, however, often lies outside the organization itself. Jaeger points to supply chain vulnerability as one of the areas where leaders most frequently underestimate cyber risk. “Executives often feel confident about their own house but forget that they are digitally ‘married’ to hundreds of third-party vendors. If a niche software provider for your logistics chain gets hit, your entire operation grinds to a halt.”

That is where formal oversight can create false comfort. “Leaders often have oversight of their internal IT, but are flying completely blind regarding the digital resilience of their broader ecosystem.”

Program spotlight: Cybersecurity for Executives
Cyber risk is now a boardroom issue. This hands-on executive program helps senior leaders engage credibly with cybersecurity, IT, risk, compliance, legal, and communications teams. Learn to assess cyber and information risk at executive level, strengthen governance and oversight, and lead effectively through cyber incidents.

Become boardroom-fluent in cyber in 2 days:
Explore the program or contact AIF for personal advice: +31 20 246 7140 | info@aif.nl

Executives should own the ‘so what?’

In a cyber crisis, technical expertise is essential. But Jaeger is clear about where the executive role begins and ends. “Executives should never try to be the ‘keyboard heroes.’ You don’t need to know how to patch a server, but you must own the Value-at-Risk and the Decision-Making Framework.”

The distinction is crucial. “The technical experts own the ‘how’: they stop the breach, isolate the virus, and restore the data. The executives own the ‘so what?’: they decide which business processes to prioritize during a recovery, how to communicate with the markets, when to notify the regulators, and how much ‘loss’ the company can absorb before it becomes existential.”

That is why cyber leadership is not merely a technical response. “In a crisis, the technical team needs a leader who can make high-stakes trade-offs under pressure. If the CEO is waiting for the CISO to tell them whether to shut down the production line, the battle is already lost.”

Inside the ‘Golden Hour’ of a cyber crisis

Jaeger helps executives become ‘boardroom-fluent’ in cyber. One exercise, in particular, tends to create the most significant shift in perspective. “The biggest ‘Aha!’ moment almost always happens during our ‘Golden Hour’ simulation. We put participants in the hot seat during the first 60 minutes of a major, unfolding breach.”

What surprises many participants is not the technical complexity of the incident. It is the speed at which uncertainty takes over. “They quickly realize that their biggest problem isn’t the code, it’s the information vacuum. They see how fast internal communication breaks down and how difficult it is to make a ‘good’ decision with only 20% of the facts.”

For Jaeger, that experience reframes the executive conversation. “What I hope they start doing differently is asking ‘What is our maximum tolerable period of disruption?’ rather than just ‘Are we secure?’ This shift from prevention to resilience is the hallmark of a mature executive.”

Deepfakes expose the human side of cyber risk

Asked which real-world development every executive should recognize sooner, Jaeger points to a threat that often looks deceptively familiar. “Recently, we’ve seen a rise in ‘identity-based social engineering’ at the executive level, using AI-generated voice and video, deepfakes, to bypass standard authorization.”

The lesson, though, is not mainly about the sophistication of the technology. “What makes this so instructive isn’t the ‘cool’ technology used by the hackers; it’s how easily the existing human processes crumbled. A CFO receives a video call from the CEO and transfers millions. The technology worked, but the governance, the simple rule of ‘never authorize via video without a secondary out-of-band verification’, was non-existent.”

That realization shaped his thinking: cyber leadership is ultimately about human psychology and process discipline. “You can have the best encryption in the world, but if your culture rewards ‘speed over verification’ when the boss calls, you are vulnerable.”

Cyber leadership, Jaeger concludes, is about building a culture where ‘trust but verify’ applies to everyone, especially the C-suite.

Meet the expert

Tobias Jaeger, Founder & CEO, Falcone International
Tobias Jaeger is an expert in risk management and organizational resilience, with more than 15 years of international experience across finance, energy, software, media, and other sectors. He is the Founder and CEO of Falcone International.
