- June 11, 2025
- Posted by: Muhammad Shoaib
- Category: Thought Leadership

Strengthening Cybersecurity Governance
Written exclusively for PICG
by Fatima Ali, Consultant Board Services – PICG
Cybersecurity is no longer confined to the realm of IT departments—it has become a pressing strategic issue that demands direct and sustained attention at the highest levels of corporate governance. Recent political developments, both within Pakistan and globally, underscore the urgent need for boardrooms to enhance their approach to digital risk.
Globally, regulatory frameworks are shifting rapidly. The European Union’s Cyber Resilience Act, the United States Securities and Exchange Commission’s (SEC) cyber disclosure rules, and the UK’s proposed Cyber Security and Resilience Bill all signal a global pivot toward holding companies and their boards accountable for cybersecurity. Pakistan has mirrored this approach with a suite of new initiatives, including PKCERT[1] and the PTA Cybersecurity Strategy. These are more than just policy updates; they are a wake-up call for corporate boards. PKCERT provides critical threat intelligence and rapid response support, helping organizations stay ahead of cyberattacks. The PTA’s strategy sets clear national standards for telecom and ICT security, emphasizing data protection and workforce readiness. Boards that engage early will not only ensure compliance but also build the resilience and trust essential in today’s digital economy.
In tandem, Pakistan has also established the National Cyber Crimes Investigation Agency (NCCIA), replacing the FIA’s Cybercrime Wing and giving a dedicated institutional face to the country’s growing digital law enforcement capacity.
Corporate boards in Pakistan have yet to internalize the full scope of this transformation. Despite the country’s high rank in the ITU’s[2] 2024 Global Cybersecurity Index, many corporate boards still treat cybersecurity as a technical issue instead of recognizing it as a critical business risk. This gap in perception not only exposes companies to financial and operational instability but also risks damaging their reputation, attracting regulatory penalties, and potentially threatening national security.
Effective board oversight of cybersecurity begins with a fundamental mindset shift: acknowledging digital risk as a core governance issue. For companies in Pakistan, this involves approving formal resolutions to prioritize cybersecurity, integrating it into enterprise risk management (ERM) frameworks, and ensuring that cyber risk becomes a standing item on board agendas. Establishing specialized Technology Risk Committees and appointing board-level cybersecurity champions can help institutionalize this focus.

[1] PKCERT, under the Ministry of IT & Telecom (MoITT), serves as the country’s central authority for detecting, preventing, and responding to cyber threats and incidents.
[2] The Global Cybersecurity Index is an initiative by the International Telecommunication Union that assesses countries’ commitment to cybersecurity across five key pillars: legal measures, technical measures, organizational measures, capacity development, and cooperation.

However, effective governance is only the starting point for comprehensive cybersecurity management. Boards must also insist on full assessments of their organization’s digital resilience using internationally recognized frameworks such as:
- NIST[3] Cybersecurity Framework: Offers a structured way to assess, manage, and reduce cybersecurity risks.
- ISO/IEC 27001[4]: Establishes best practices for managing information security.
- MITRE ATT&CK Framework[5]: Maps real-world adversary tactics and techniques, enabling boards to assess whether the organization is prepared for realistic attack scenarios.
While widely used internationally, frameworks like MITRE remain underutilized in Pakistan. Boards can demand their use to ensure defenses are threat-informed, rather than based on vague assurances.
An educated Board is critical to success. A well-informed board is a resilient board. Board-level leadership benefits greatly from participating in awareness sessions, crisis simulations, and cyber breach drills. These exercises, tailored to realistic scenarios such as phishing, ransomware, or insider threats, help build the confidence and capability of directors to respond decisively under pressure. These are not IT trainings; they are strategic simulations for top leadership.
It all starts with cultural transformation and sustained efforts to drive change. Cybersecurity cannot be instilled through sporadic training alone. Emerging tools like the CLTRe Index and KnowBe4 can play a pivotal role.
The CLTRe[6] Index measures an organization’s cybersecurity culture by analyzing how employees understand and behave around cyber risks. Boards can use this index to identify cultural weaknesses and track improvements over time. KnowBe4[7] is a training platform for employees, executives and boards. It provides customized modules to raise director-level cyber competence, helping directors fulfill their governance responsibilities, measure and embed cybersecurity culture, and track staff behavior change over time.

[3] The National Institute of Standards and Technology, best known for its Cybersecurity Framework (CSF), which is based on five core functions: identify, protect, detect, respond, and recover. It is used in both public and private sector organizations.
[4] The international standard for Information Security Management Systems (ISMS); it provides a framework to protect sensitive company and customer data by managing information security risks, ensuring confidentiality, integrity, and availability, and implementing controls to enhance cyber resilience and reduce breaches.
[5] The MITRE ATT&CK Framework is a globally recognized knowledge base of cyber adversary behavior, used to improve cybersecurity defense through understanding how attackers operate.
[6] The CLTRe Index measures an organization’s security culture across seven key dimensions: Attitudes, Behaviors, Cognition, Communication, Compliance, Norms, and Responsibilities.

Financial quantification of cyber risks is another emerging governance frontier. The FAIR (Factor Analysis of Information Risk) model, increasingly used by Fortune 500 companies, allows boards to estimate the monetary impact of cyber incidents—enabling better investment decisions and more meaningful dialogue between CIOs and CFOs. In Pakistan, where questions about the ROI of cybersecurity are common, Cyber Risk Quantification (CRQ)[8] tools like FAIR[9] could transform how boards evaluate digital investments.
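The FAIR decomposition the paragraph refers to (loss event frequency times loss magnitude, with frequency itself the product of threat event frequency and vulnerability) is easiest to see with numbers. The following Python is an added example, not code from the article, PICG or the FAIR Institute: it runs a simplified Monte Carlo that samples each three-point estimate from a triangular distribution in place of FAIR's calibrated PERT estimates, draws loss events per simulated year from a Poisson distribution, and reports the annualized loss expectancy (ALE) and tail percentiles. Every scenario figure is constructed for illustration; the `Estimate`, `Scenario`, `simulate` and `control_value` names are this example's own.

```python
"""FAIR-style cyber risk quantification: Monte Carlo estimate of annual loss.

Added illustration, not code from the article or from the FAIR Institute.
Assumptions: each estimate is a three-point (low / most likely / high) range
sampled from a triangular distribution instead of calibrated PERT estimates;
loss events per simulated year follow a Poisson distribution whose mean is
the sampled loss event frequency. All scenario numbers are constructed.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate: low, most likely, high."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    """FAIR decomposition: LEF = TEF x vulnerability; LM = primary + secondary."""
    name: str
    threat_event_frequency: Estimate   # threat events per year
    vulnerability: Estimate            # probability a threat event becomes a loss event
    primary_loss: Estimate             # direct response/recovery cost per loss event
    secondary_loss: Estimate           # fines, legal costs, customer churn per loss event


def _poisson(rng: random.Random, mean: float) -> int:
    """Knuth's method; adequate for the small event rates used here."""
    limit = math.exp(-mean)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate(scenario: Scenario, years: int = 10_000, seed: int = 7) -> dict:
    """Run `years` simulated years and summarize annual loss (same currency as inputs)."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        lef = scenario.threat_event_frequency.sample(rng) * scenario.vulnerability.sample(rng)
        events = _poisson(rng, lef)
        loss = sum(scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
                   for _ in range(events))
        annual.append(loss)
    annual.sort()

    def pct(p: float) -> float:
        return annual[int(p * (len(annual) - 1))]

    return {
        "scenario": scenario.name,
        "ale": sum(annual) / len(annual),   # annualized loss expectancy
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "max": annual[-1],
    }


def control_value(baseline: dict, with_control: dict, annual_control_cost: float) -> float:
    """Expected net annual benefit of a control: ALE reduction minus its running cost."""
    return (baseline["ale"] - with_control["ale"]) - annual_control_cost


# Constructed scenario: ransomware against a mid-sized firm, amounts in PKR.
BASELINE = Scenario(
    name="ransomware (current controls)",
    threat_event_frequency=Estimate(1, 3, 6),
    vulnerability=Estimate(0.10, 0.25, 0.50),
    primary_loss=Estimate(5e6, 20e6, 60e6),
    secondary_loss=Estimate(2e6, 10e6, 40e6),
)
# Same scenario after added controls, assumed (constructed) to cut the
# probability that a threat event succeeds; frequency and losses unchanged.
HARDENED = Scenario(
    name="ransomware (after controls)",
    threat_event_frequency=BASELINE.threat_event_frequency,
    vulnerability=Estimate(0.02, 0.08, 0.20),
    primary_loss=BASELINE.primary_loss,
    secondary_loss=BASELINE.secondary_loss,
)

if __name__ == "__main__":
    base, hard = simulate(BASELINE), simulate(HARDENED)
    for r in (base, hard):
        print(f"{r['scenario']}: ALE {r['ale']/1e6:.1f}M, p90 {r['p90']/1e6:.1f}M, p95 {r['p95']/1e6:.1f}M")
    print(f"net annual value of controls costing 8M: {control_value(base, hard, 8e6)/1e6:.1f}M")
```

Running it prints the ALE and the 90th and 95th percentile annual loss for both scenarios; the percentiles are what a board compares against its stated risk appetite, since the average alone hides the tail. `control_value()` frames the "ROI of cybersecurity" question the article raises as ALE reduction net of the control's annual cost, which is the comparison a CFO can act on.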
The role of third-party vendors has emerged as a blind spot for many companies. Modern cyberattacks often exploit third-party systems including cloud services, HR platforms, even outsourced marketing tools. Boards should require comprehensive third-party cybersecurity risk assessments and incorporate cyber-specific clauses into all vendor contracts. International standards such as SOC 2 Type II (an auditing standard) and CSA STAR (certification tailored to cloud service providers) offer robust benchmarks for vendor assurance.
Regulatory compliance with cybersecurity policies is gaining momentum in Pakistan. The SECP and SBP have issued technology governance guidelines and digital banking regulations, and while disclosure of cyber incidents is not yet mandatory, informal pressure is mounting. Boards must now consider how they would manage reputational fallout from a breach, and whether they have prepared clear disclosure protocols, legal stances, and communication plans.
Globally, the integration of cybersecurity into environmental, social, and governance (ESG) disclosures is also gaining traction. Organizations like the International Sustainability Standards Board (ISSB) and the Institute of Chartered Accountants in England and Wales (ICAEW) are working to standardize cyber risk reporting within ESG frameworks. Early adoption of such standards by Pakistani firms could attract ESG-aligned capital and signal operational maturity to international investors.
The path forward is clear. Boards must move beyond minimal compliance and embrace proactive, structured, and metrics-driven cybersecurity governance. This includes integrating cybersecurity into ERM, aligning internal policies with global and local standards, engaging with national bodies like PKCERT and NCCIA, and reporting transparently on governance posture. These are not just defensive moves—they are strategic enablers of trust, continuity, and resilience in a volatile digital era.

[7] KnowBe4 is a leading security awareness training platform that helps organizations manage risk. CLTRe is part of its approach to organizational security culture.
[8] Cyber Risk Quantification (CRQ) tools help organizations translate cyber risks into financial terms, allowing better decision making and risk prioritization at board level. Popular tools include Safe Security (SAFE), FAIR, X-Analytics, BitSight, CyberSaint CyberStrong, Axio360, and C-Risk.
[9] Factor Analysis of Information Risk quantifies risk in monetary terms and prioritizes cybersecurity investments by assessing the probability and impact of threats. It helps organizations understand threats, vulnerabilities and loss events, and supports better communication of risk by translating technical risk into business language.

The recent cyberattack on Karachi Port Trust (KPT) and the X account of the Ministry of Economic Affairs (The Express Tribune, May 2025) by an Indian hacking group, followed by Pakistan’s retaliatory digital offensive (India Today, May 2025), serve as a stark reminder: cyber threats now straddle the domains of national security, economic continuity, and corporate survival.
As cyber threats become more complex and geopolitical in nature, corporate boards in Pakistan face a pivotal choice: lead the transformation toward digital resilience, or remain vulnerable in an increasingly unforgiving threat landscape. For those willing to act, the tools, frameworks, and regulatory backing now exist. What is required is board-level courage, commitment, and capacity.