Why your startup's biggest security risk is your board
Picture this. A twenty-person B2B SaaS startup has spent three years building a genuinely impressive product. The technology is solid. The team is talented. The pipeline is healthy. Then a major enterprise prospect begins their vendor security assessment, and the deal starts to unravel.
Not because the product failed any technical test. Not because there was a breach. But because nobody at board level had ever seriously asked: what would happen if someone came looking?
No documented security policy. No clear incident response plan. No board-level accountability for cyber risk. The technical team had done a reasonable job keeping things running securely day-to-day, but that's not what enterprise procurement teams are looking for. They want evidence of governance. Deliberate, owned, board-level oversight of the risks the company carries.
The deal was lost. It took the company another eighteen months to rebuild the processes, get the certifications and win back a place on the shortlist.
This kind of story is more common than most startup founders would like to admit. And in almost every case, the failure wasn't technical. It was a failure of board literacy.
Cyber risk is a governance issue, not an IT issue
There's a persistent and dangerous misconception in many startup boardrooms: that cyber security is something the technical team handles. It belongs in the same category as server upkeep and software updates — necessary, unglamorous and safely delegated downward.
This framing is wrong and it's becoming more wrong by the year.
Cyber risk is a strategic risk. It affects revenue, reputation, regulatory standing, fundraising prospects, and in extreme cases, company survival. A ransomware attack that locks your production environment for seventy-two hours isn't an IT incident — it's a business crisis. A data breach that exposes your customers' information isn't a technical failure — it's a legal, reputational, and commercial catastrophe.
The board's job is to oversee the company's most significant risks. If cyber isn't on that list — not as a line item, but as a standing agenda item with real scrutiny — then the board is failing in one of its core responsibilities.
What does board-level cyber ignorance actually look like in practice? It looks like nobody in the boardroom knowing what the company's crown jewels are — the data or systems whose compromise would be genuinely existential. It looks like an incident response plan that was written two years ago, approved by nobody, and tested by nobody. It looks like the CISO (if there even is one) being excluded from board meetings because "it's too technical." It looks like Cyber Essentials being treated as a compliance checkbox rather than a baseline hygiene standard.
None of these things require technical expertise to fix. They require board members who ask the right questions.
The stakes are rising faster than board literacy
This was always a problem. It is becoming an urgent one.
AI-enabled attacks are lowering the barrier to entry for sophisticated adversaries. Phishing emails that once required native English fluency and significant effort can now be generated at scale, personalised to the target, and deployed by actors who previously lacked those capabilities. The volume and the quality of attacks are increasing simultaneously.
Supply chain attacks — where an adversary compromises a vendor or tool to reach their actual target — have demonstrated that even a technically mature security posture can be undermined through the products and services you depend on. For startups, whose SaaS dependency stacks can run to dozens of vendors, this is an underappreciated and rapidly growing exposure.
Regulation is tightening. NIS2 significantly extends the scope of organisations subject to cyber security obligations across the EU and has implications for UK supply chains. DORA brings comparable pressure on financial services. And perhaps most immediately relevant for growing startups: Cyber Essentials certification is increasingly a prerequisite for public sector contracts, and enterprise procurement teams are beginning to treat its absence as a disqualifying signal during vendor assessments.
In short: the external threat is growing, the regulatory environment is hardening, and market access is becoming conditional on demonstrable security maturity. These are not IT team concerns. They are board concerns.
What good looks like
A board with genuine cyber oversight doesn't need to be populated with security experts. It needs one person who is, and the rest need to be willing to engage seriously with what that person brings to the table.
In practical terms, a board that's doing this well will have a clear, documented articulation of the company's risk appetite — how much cyber risk it is prepared to accept in pursuit of its commercial objectives, and where the hard limits are. It will receive regular, structured updates on the company's security posture: not technical updates, but strategic ones. What are the top three risks right now? What's being done about them? What would we do if the worst happened?
It will treat incidents as learning opportunities rather than embarrassments to be minimised. When something goes wrong — and something will always go wrong — the board's response will be calibrated and deliberate rather than reactive and chaotic, because it will have thought through the scenarios in advance.
And critically, it will understand that security posture is a commercial asset. A well-governed security programme is not just a defensive investment — it is a source of competitive advantage in markets where enterprise customers, regulated sectors, and government buyers are making their decisions on the basis of trust as much as capability.
What this means for your board
You don't need every board member to be a technologist. But you do need someone who can translate between the technical reality and the strategic conversation — someone who understands both the threat landscape and the commercial context well enough to ask the right questions, challenge incomplete answers, and hold leadership accountable.
That is not a role that a quarterly IT update can fill. It is a role that requires a standing seat at the table.
If your board currently has no one playing that role, the question isn't whether you need them. The question is: what is it costing you that you don't have them yet?
Five questions to ask your board today
Can anyone in this room name our three most critical data assets? These are the things whose loss or exposure would be genuinely catastrophic for the business.
When did we last review our incident response plan and who owns it?
Do we know which of our SaaS vendors represent the greatest security risk to us and have we assessed them?
Is our security posture sufficient to pass the vendor assessment of our most demanding prospective customer?
Who on our board is accountable for cyber risk — not operationally, but at the governance level?
If your board struggles to answer most of those questions with confidence, that's not a sign that your technical team has failed. It's a sign that your governance hasn't yet caught up with your risk exposure.
The good news is that the gap is almost always smaller than it looks, and almost always cheaper to close early than it will be after the first serious incident. The first step is simply deciding that the board should own this — and finding someone who can help it do so.