In today’s more treacherous cyber security environment, organisations with the biggest targets on their heads can’t afford not to employ a dedicated data security expert, such as chief information security officer (CISO) or similar title, not only to keep the organisation safe from malicious actors – and complacent staff, but also to ensure adherence to the latest laws, regulations and compliance requirements around the handling of data. Yet even those that do aren’t necessarily achieving the protections they should because of entrenched cultural issues, especially in terms of how boards think about and manage risk. Many executives remain focussed on financial risk and don’t fully appreciate the cyber variety until a major incident slaps everyone in the face, and then suddenly spending on cyber has a more obvious ROI. Boards also tend to think that cyber should be part of a CIO’s job. This is especially the case in smaller organisations that wouldn’t normally budget for a CSIO as well. But even when they do, how clear is it who’s responsible for what and reporting to whom? Should CISOs operate as independent threat detectors or operate within IT? Join our host, CIO associate editor David Binning as he speaks with Anna Leibel, former CIO with UniSuper and author of the recently published book ‘The Secure Board’, and Simon Piff, vice president trust and security research at IDC APAC.