Cyber risk isn’t just a security issue—it’s a boardroom issue. At ROCon EMEA, this panel brings together CISOs, board advisors, and senior leaders including Jonathan Trull and Sir Ian Andrews to unpack what boards actually need from cybersecurity leaders—and where the gap still exists. The conversation challenges a common assumption: cybersecurity can’t eliminate risk, only reduce it. That shift in mindset is critical for boards, which must now treat cyber risk as part of a broader enterprise risk portfolio alongside operational, financial, and geopolitical threats. Across the discussion, a few themes stand out. Boards don’t want more metrics—they want clarity. Instead of dashboards filled with vulnerability counts, leaders need to present scenario-based risk, business impact, and clear decision paths. The focus moves from reporting activity to enabling action. The panel also explores how responsibility is changing. Cyber risk can no longer be delegated entirely to the CISO. Boards and executive teams are expected to actively participate, understand trade-offs, and take accountability for risk decisions. AI adds another layer of complexity. Beyond security concerns, organizations must consider privacy, bias, regulatory exposure, and the broader business implications of rapid AI adoption—all at a pace that’s difficult to fully predict. The takeaway is simple but powerful: if you can’t explain cyber risk in business terms, the board can’t act on it. Recorded live at ROCon EMEA. Start building your Risk Operations Center today: https://www.qualys.com/apps/enterprise-trurisk-management Stay up to date on upcoming events: https://www.qualys.com/company/events Watch more sessions from ROCon EMEA: https://www.qualys.com/rocon/2026/emea

 47      2