In Progress

Creating Cyber-Risk Savvy Boards

Both the hard and soft levers that boards apply in managing cyber-risk are insufficient in the 21st-century world, specifically with regard to the disconnect between value and risk. This is not the only leadership challenge that boards face, but it is certainly a key one. Risk is typically deemed more of a hygiene factor, with value being pursued as the primary goal, so long as the hygiene factor of risk is considered to be acceptable.

The research questions this report addresses are: 

  • How can we ensure our boards make the best decisions based on the balance of cyber-risk and cyber-value? 
  • What does a ‘good’ cyber-risk savvy board look like? 
  • What action can the CIO take to assist the board on such matters? 

Creating Cyber-Savvy Boards

Mike Bufalino

Research Associate
Leading Edge Forum

Mike Bufalino, based in the UK, is a Research Associate for Leading Edge Forum.  Mike has extensive experience across matters pertaining to CIO and board-level leadership.  Mike’s current work for LEF focuses on the increasingly vital topic of cyber-risk, and how boards and senior leadership must reposition their thinking in order to best understand, support and embrace the realities of doing business in the digital age. 

Mike’s IT career spans 24 years, with over 10 years in CIO roles for global FTSE-sized enterprises.  Mike has experienced CIO positions through a very diverse cultural and organizational lens, having succeeded in global and divisional CIO roles, for Eastern and Western headquartered firms.  Mike has served on several boards, including Oracle and Computing Magazine.  Mike holds an MBA from Henley Business School in the UK, along with a Bachelor of Business from Griffith University in Australia.  

Dave Aron

Global Research Director
Leading Edge Forum

Dave Aron, based in the UK, is Global Research Director for Leading Edge Forum. In this position, he guides a series of global research initiatives aimed at helping CIOs and other Business/IT leaders reimagine their organizations and leadership for a tech-driven future. Dave is the author of our 2017 reports, Unleashing Digital Talent for Fun and Profit and Winning in the 21st Century - A User's Guide.

Dave’s key areas of research include digital business, strategy and new business models.  Previously, Dave spent more than 12 years at Gartner, as a Gartner Fellow, focusing on strategy and CIO leadership issues.  Dave has more than 30 years’ experience in the IT business, and has been writing, speaking and teaching on digital business, IT strategy and other topics around the world for more than a decade.

Dave holds a BSc in Computer Science from Queen Mary College, and an MBA from London Business School.

Dave's alter ego is Mu, The 21st Century Anti-Strategist, which comprises Dave's distilled thoughts about what doesn't make sense as 20th century organizations sleepwalk into the 21st century.


  • A research report that provides insight through case studies, tools and action plans. 
  • A workshop that LEF can conduct with clients to drive their thinking on the governance of cyber-risk.  


As a result of taking part in a 60-minute telephone research interview, you will benefit from early access to the findings. We also hope you will find the interview itself challenging and thought provoking. 


We would be delighted to hear from organizations that are interested in contributing ideas and experiences to this research. To participate, please contact Mike or Dave by email at or


Through interviews with leading cyber-risk practitioners and experts across private and public sectors, government security agencies and police forces, together with company case studies and an exploration of academic research, we will aim to equip board and committee members, CIOs and CISOs with the tools required to fundamentally improve in this critically important area of leadership. Key questions we will address include:

  • Is cyber-risk simply treated as a hygiene factor or fully appreciated in decision making? How do tools and methodologies reinforce or assist this? 
  • What cyber knowledge gaps prevent boards from making optimal decisions? What do they want/need to know? 
  • How are 21st century technologies (IoT, cloud, platforms, wearables, and so on) changing risk, and does the board appreciate the increasingly intertwined nature of value and risk in this context? 

See the FULL project scope in the DOWNLOADS section for more detail.