Strategic Leadership and Cybersecurity Readiness in Digitally Transforming Organisations
Cybersecurity readiness has become a material organisational capability as digital transformation expands attack surfaces and regulatory scrutiny. Existing research and practice guidance largely frame readiness as a function of technical controls and compliance maturity, offering limited explanation of how executive leadership structures shape sustained resilience. This paper advances a theory-building perspective that conceptualises cybersecurity readiness as an outcome of strategic leadership rather than a purely technical condition.
Drawing on strategic leadership theory, enterprise risk management, and cyber risk quantification literature, the study develops a Strategic Cyber Leadership Model that integrates four core elements: distributed C-suite accountability as a leadership input, Cyber Risk Quantification as a financial decision-making mechanism, enterprise-wide risk integration as a governance amplifier, and measurable readiness outcomes. The model explicitly incorporates contextual moderators, including regulatory intensity and digital transformation level, to explain variation in readiness across organisations and sectors.
Five research propositions are advanced to articulate the causal relationships within the model, positioning the paper as a foundation for future empirical testing. By shifting the analytical focus from control inventories to leadership-driven governance mechanisms, this study contributes to cybersecurity and management scholarship while offering a coherent conceptual framework for boards and senior executives seeking to institutionalise cyber resilience as a strategic capability.
This work is licensed under a Creative Commons Attribution 4.0 International License.
All articles published in our journal are licensed under CC-BY 4.0, which permits authors to retain copyright of their work. This license allows for unrestricted use, sharing, and reproduction of the articles, provided that proper credit is given to the original authors and the source.