
Cyber resilience is a leadership problem before it is a technology problem. This article examines why CEOs must take direct ownership of cyber risk rather than delegate it downward, why the CISO role needs enterprise-level standing to be effective, and why boards must rethink succession planning to account for traits like systems thinking, digital fluency, and judgment under pressure. When the leadership model is right, even organizations with imperfect systems can preserve trust and continuity under pressure. When it is wrong, no amount of technology spending will compensate.
More often, it is lost in the space between functions, in moments of ambiguity, or in the absence of leaders able to connect technology, operations, reputation, and long-term thinking. If Chapter 1 established cyber resilience as a board and leadership mandate, and Chapter 2 showed how AI has fundamentally altered the nature of cyber risk, the next question is unavoidable: what kind of leadership is truly needed to govern this changing reality?
This is where many organizations still underestimate the challenge. They respond to digital risk by investing in tools, controls, and frameworks while leaving the leadership model largely unchanged. The World Economic Forum’s Global Cybersecurity Outlook 2026, surveying more than 800 leaders across 92 countries, found that 94% of respondents identified AI as the most significant driver of cybersecurity change, while 87% flagged AI-related vulnerabilities as the fastest growing risk over 2025. That same report noted that only 14% of organizations believe they have the security talent they need, a shortage that the World Economic Forum found grew 8% year on year.

In that sense, leadership capability has become a form of infrastructure in its own right, as important to resilience as systems architecture, data governance, or regulatory compliance. When the environment becomes more volatile, more interconnected, and more AI-enabled, the strength of the leadership model determines whether an organization bends, adapts, and recovers, or fragments under pressure.
Traditional executive leadership models were built around relatively stable domains with clear boundaries. Finance leaders governed capital; commercial leaders drove growth; operations leaders managed continuity; and technology leaders supported the enterprise. While cross-functional collaboration was always important, the model itself assumed a relatively clear division of responsibilities.
That approach is becoming outdated, because AI and cyber risk now cut across every layer of the organization. A decision about where to store customer data, for instance in a third-party cloud environment versus on premises, can determine whether the company falls under one regulatory regime or three. A new AI-powered product, such as a customer-facing chatbot with access to account records, can open attack surfaces that the organization’s existing security model was never built to cover. AI is also compressing the timeline on the attacker’s side, generating convincing phishing emails at scale to get through the door, scanning for system weaknesses in minutes rather than days, and then deploying ransomware at machine speed, all with minimal human involvement. CrowdStrike’s 2026 Global Threat Report found that the average eCrime breakout time from initial access to lateral movement dropped to just 29 minutes, with the fastest recorded at 27 seconds. That compression means that by the time leadership becomes aware of an incident, the damage has often already spread across systems and sensitive data has already been exfiltrated.

The Verizon 2025 DBIR found ransomware present in 44% of all breaches analyzed, up from 32% the prior year. These realities cannot be confined to separate departments. They demand collaborative, integrative leadership that can connect domains rather than defend silos.

Boards therefore need to look beyond technical competence when assessing leadership readiness. The question is not simply whether leaders are excellent in their own field, but whether they can operate effectively in a system where the most material risks arise at the boundaries between fields. This changes the profile of leadership that organizations need, placing a premium on executives who can translate complexity across disciplines, make decisions with incomplete information, understand both technological possibility and organizational consequence, and sustain alignment when time pressure and uncertainty increase.

In recent years, we have witnessed a fundamental change: the growing expectation that cyber resilience sits explicitly within the CEO’s mandate. Not because the CEO must become the technical expert, but because cyber risk now bears directly on enterprise-level decisions, organizational continuity, stakeholder trust, capital allocation, and the very legitimacy of the organization. These are matters that sit squarely at the center of executive leadership.
In many organizations, cyber has historically been delegated downward, often appropriately in operational terms but too far in symbolic terms, and that distance between ownership and accountability has a cost: decisions slow down, response quality drops, and the board finds out about problems only after they have become crises. Regulators worldwide are now closing that distance. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has called on CEOs and boards to embrace corporate cyber responsibility as a matter of good governance, explicitly recognizing that the operating environment now demands direct ownership from company leadership. The EU’s NIS2 Directive goes further, holding management bodies personally accountable for cybersecurity failures and, for essential entities, allowing authorities to temporarily suspend executives from their roles if their organizations fail to comply. Singapore’s updated Cybersecurity Act, amended in late 2025, expanded regulatory scope and strengthened reporting obligations in ways that formally treat cybersecurity as a governance responsibility rather than a technical function. For any CEO whose organization operates across borders, serves customers in regulated industries, or depends on cloud infrastructure hosted in another jurisdiction, these converging mandates make it very difficult to argue that cybersecurity is someone else’s problem.

Those regulatory mandates are formalizing what the most resilient organizations already practice. Their CEOs treat cyber resilience not as an IT topic but as a leadership topic, which in practice means it shows up in the conversations that matter: board strategy sessions, acquisition due diligence, and product launch reviews. When the CEO treats cyber readiness as part of how the business runs, the rest of the organization follows. When it lives in a silo three reporting layers down, the organization reads that signal too. For boards, this means the evaluation of a CEO must go beyond their ability to speak fluently about digital transformation as an opportunity. The more relevant question is whether they can govern its downside with credibility, seriousness, and composure.
As AI reshapes the business, technology leadership also changes in character. The CIO, CTO, CISO, and related roles are no longer simply guardians of infrastructure. Increasingly, they become interpreters of risk, connectors of domains, and trusted advisors to both the executive team and the board. This transformation is vital because organizations often still treat technology leaders as subject-matter specialists rather than enterprise leaders. Yet in AI-driven environments, the people who understand digital dependencies, model behavior, and system fragility are often closest to the fault lines that matter most.
However, it increasingly seems that organizations are splitting into two camps: those elevating CISOs into executive-level roles, and those narrowing the position to a director-level tactical function. The practical difference is hard to overstate. In one type of organization, the CISO sits in board meetings, reports to the CEO, and has the standing to flag that a planned acquisition target has unpatched infrastructure before the deal closes. In the other, the CISO reports through the CIO and may only find out about the acquisition from an internal announcement.

Deloitte’s Future of Cyber Survey reinforces the broader pattern, reporting that 41% of boards now address cyber issues on a monthly basis, with 30% engaging weekly, a cadence that would have been reserved for financial performance reviews a decade ago.
That engagement frequency matters, but so does the quality of the leadership filling these roles. Boards should pay close attention to whether their technology leadership has the stature, credibility, and communication capability to influence enterprise decisions. A technically excellent leader who cannot translate implications upward may leave the board underinformed. A commercially fluent leader without sufficient operational grip may create false confidence. The most valuable leaders are those who can do both: understand the technical reality and convert it into meaningful choices for the business. Consider a CISO who discovers that the company’s AI vendor’s terms of service allow customer data to be used for model training. A leader confined to the IT silo might flag this as a compliance item in a quarterly report. A leader with enterprise stature walks into the next board meeting, explains the data leakage risk in plain language, and forces a decision before contracts are renewed.
This is also where role design becomes increasingly important. In some organizations, the classical CIO or CTO profile may no longer be sufficient. There may be a need for broader connective roles, for example leaders responsible for transformation, resilience, digital trust, or enterprise risk integration. The title matters less than the mandate. What matters is whether someone is empowered to bridge technology, operations, governance, and future capability.
At the end of the day, the true measure of cyber resilience only emerges when routine assumptions begin to falter. Systems may be compromised, information may be incomplete, public scrutiny may intensify, and the organization may have to choose between speed, caution, transparency, and continuity. And these are not moments for fragmented leadership. They require a team that can function as a coordinated decision-making unit under stress. That coordination pays for itself: the IBM Cost of a Data Breach Report 2025 found that organizations using AI-powered security tools extensively contained breaches 80 days faster and saved nearly $1.9 million per incident.

But coordination during a crisis only works if someone has done the preparation beforehand, and in many organizations, nobody has. That same IBM report found that 63% of breached organizations still lacked any AI governance policy, meaning nobody at the leadership level had defined who was responsible for overseeing AI tools, what data they could process, or how incidents involving them should be escalated. Boards that want to know whether their leadership teams can perform under pressure should start by asking whether those teams have put the basic governance in place before pressure arrives. Functional performance in stable conditions reveals very little about how an executive team will behave when systems are compromised and decisions about disclosure, communication, and continuity need to be made within hours. Incident simulations and scenario exercises are designed to surface exactly this, testing not just whether the operational response plan works, but whether the executives in the room can coordinate and make sound decisions with incomplete information. Resilience is partly a team quality, not only an individual one. A technically excellent organization can still respond poorly if its executive team becomes cautious, defensive, or misaligned under pressure. Conversely, an organization with imperfect systems may still preserve trust and continuity if its leadership responds clearly, decisively, and credibly.
Boards should adopt a more probing inquiry than simply asking, “Do we have the right people?” The real question is: have we observed how these leaders perform when complexity becomes acute?

If cyber resilience now depends as much on leadership quality as it does on technical controls, then succession planning has to reflect that. Many organizations still define succession primarily in terms of commercial leadership, sector experience, financial capability, or cultural fit. All those criteria still matter, but AI and cyber volatility have added a second layer of traits that boards cannot afford to ignore: systems thinking, digital and technological fluency, learning agility, judgment under uncertainty, and the ability to lead credibly across disciplines.

A BDO survey of more than 200 directors of public U.S. companies found that 34% ranked succession planning for the CEO and other C-suite executives as their top priority for 2025, above AI strategies (25%) and geopolitical risk (10%). That same survey noted that more than a quarter of directors considered their board ineffective at obtaining continuing education on emerging risks, including cyber. This applies not only to CEOs and technology leaders, but also to non-executive directors and chairs. Board composition itself becomes part of the resilience equation. A board that lacks the confidence or literacy to challenge management on AI-related cyber exposure will struggle to fulfill its mandate, even if formal governance structures are in place.
This is where leadership search and succession advisory quietly enter the picture, not as the center of the conversation, but as an important governance lever. If cyber resilience is partly a people issue, then identifying, assessing, and appointing leaders who can operate in this new reality becomes an act of risk management in its own right. The appointment of the wrong profile can create fragility that remains invisible until it is tested. The appointment of the right person can improve resilience well beyond the technical domain.
Leadership capability does not operate in isolation; it shapes culture, which in turn influences resilience. Organizations with well-developed cyber resilience tend to exhibit cultural traits that are driven by leadership: clear ownership, openness to escalation, a willingness to confront uncomfortable truths, and a lack of blame when early warning signs are raised. These traits do not emerge on their own.

A World Economic Forum white paper on the evolving CISO role emphasized that the highest maturity in cybersecurity is reached when non-technical employees understand why controls exist and do not experience them as arbitrary friction. That outcome is cultural, and it flows directly from the tone leadership sets. Consider the difference between two organizations that receive the same alert: unusual API traffic at 2 a.m. In one, a junior analyst flags it immediately and the incident response team is activated within the hour. In the other, the analyst hesitates, worried about raising a false alarm that will reflect badly on the team, and by morning the window for containment has closed. The technology was identical in both cases. However, the culture was not.
Boards should pay attention not only to executive competence, but to the cultural signals leadership teams create. Do people escalate concerns early, or wait until issues become visible? Are near misses treated as learning opportunities, or reputational threats? Does the organization reward transparency, or polished reassurance?
In AI-enabled environments, where risks can emerge subtly and escalate with speed, culture becomes a decisive multiplier. Even sophisticated systems will underperform if leaders create silence, ambiguity, or fear. Conversely, a culture of responsible challenge and early escalation can significantly strengthen organizational resilience. The Australian Signals Directorate now advises organizations to adopt an “assume compromise” mindset, planning and governing as though an intrusion has already occurred or will occur. In that context, the cultural signals a leadership team creates are as consequential as the technical controls it deploys.
The broader conclusion is clear: cyber resilience in an AI-driven world depends less on static leadership excellence and more on adaptive leadership readiness. Organizations need leaders who can interpret ambiguity, bridge domains, act under pressure, and maintain trust while governing technological complexity.

For boards, leadership assessment must evolve, because asking whether executives have delivered results in stable conditions is no longer enough. The more relevant question is whether they can govern responsibly in unstable situations. Leadership capability should be treated as part of the organization’s resilience infrastructure, deserving the same seriousness as risk frameworks, security architecture, and compliance mechanisms, and reflected in executive role design, succession plans, board composition, and the cadence of board and management dialogue.
The final chapter will shift from leadership capability to practical governance: how boards can apply this understanding to create a more resilient operating model, improve oversight, and make more future-ready leadership choices.

Jan-Bart Smits is a Managing Partner at Stanton Chase Amsterdam. He began his career in executive search in 1990. At Stanton Chase, he has held several leadership roles, including Chair of the Board, Global Sector Leader for Technology, and Global Sector Leader for Professional Services. He currently serves as Stanton Chase’s Global Subsector Leader for the Semiconductor industry. He holds an M.Sc. in Astrophysics from Leiden University in the Netherlands.