Why does recovery speed matter? Cyber incidents don’t punish weak intentions – they punish slow recovery. Most cyber budgets are built to pass audits, not to survive a real attack. When the crisis hits, the only thing that matters is how fast you get back up. So, are you funding resilience – or just putting on a show?
I’m not here to make you feel comfortable. I’m here to make sure you’re ready. Because when the breach comes – and it will – the clock is the only judge that matters. Despite all the money poured into cyber security, most organisations freeze when it counts. Why? Because spending is aimed at passing audits, not surviving the real thing. When the lights go out, time is your only asset.
It’s time to stop scaling up basic hygiene and compliance for the sake of appearances. Shift your funding toward what actually matters: the speed at which you can restore critical revenue services after an incident.
Every cyber investment should be tested and timed, with results rolled into a clear Governance Index (GI) that boards can use to steer decisions. That’s how you focus on measurable recovery – not just keeping up appearances.
Cyber governance starts with the clock. The question is simple: Are you investing in resilience – or just in theatre?
Let’s be blunt: If you’re still funding cyber like it’s a compliance ritual, you’re setting yourself up to lose. I’m talking to you, CEO. Are you ready to change the game – or are you just ticking boxes?
Let’s stop pretending. In cyber, wishful thinking is expensive and dangerous.
Here’s the truth: The status quo rewards theatre – more noise, more tools, more audits, dashboards that glow green. But when an incident hits, all that theatre vanishes, and the clock owns you. If it takes three hours to restore a breached revenue stream, that’s your real KPI. Not “maturity scores”. No jargon. No long presentations. Not vendor coverage. Time.
So, how do we cut the theatre? We keep it simple. Every 90 days, you get one page:
Scorecard: One number – the Governance Index with real timings for your top revenue services.
90-day plan: Three drills, each with a clear owner and outcome, so you know what’s being tested and who’s accountable.
Decision ledger: Every funding decision tied to results, so you see what’s being funded, killed, scaled, or paused – and why.
We govern on proof – every investment must be tested against real outcomes. If you want to know whether you’re funding resilience or just a ritual, look at your one-pager. If it’s even a bit unclear or feels complex, you’re not funding resilience – you’re funding theatre. In cyber, if clarity isn’t instant, you’re just going through the motions.
What tests must every cyber ask now pass?
Run three CEO tests on every ask. They’re simple, brutal and effective.
Tools ≠ Outcomes: Don’t just ask for tools – show me the outcome. Every request must name the specific result on a revenue-critical service, the KPI that will move, and the drill that proves it next quarter. If you can’t do that, it’s just posture. No funding.
Compliance ≠ Confidence: Certifications are hygiene. Confidence comes from tested recovery. I want to see last quarter’s detect/contain/restore timings – and how much you’ve improved this month. If you’re not moving the needle, you’re not moving the budget.
Fear ≠ Strategy; Spend ≠ Safety: Throwing money at cyber doesn’t make you safer. Budget only moves when timings improve. Every proposal needs a test, training and exercises (TT&E) plan – with a clear outcome, owner and timing. If the delta doesn’t land, we stop funding and redeploy.
Every test exposes the gap between intent and impact. This is how we raise the bar – by demanding proof, not promises. The evidence ladder makes that standard explicit.
How do we separate assumptions from proof?
Every claim gets graded, no exceptions. Here’s the evidence ladder:
A. Artefact: Control maps, policy docs, untested configs. Identify and protect are part of hygiene, not assurance.
B. Observed: Logs, alerts, telemetry, trend lines. Detect means you can see it, but what have you proven?
C. Exercised: Tabletop, partial drill with scope, criteria, timestamp. You’ve practised, but not under fire. The game starts at exercising your response.
D. Tested and timed: Full TT&E on the revenue-critical path, with detect/contain/recover measured and signed off. This is where confidence lives.
Only C/D-grade evidence lifts the Governance Index above amber. You can upgrade A/B to C/D any time – but nothing gets scaled until it lands inside risk appetite and time thresholds. If you want to move the needle, bring proof, not promises.
One number that moves money: The Governance Index
The Governance Index gives the board a single, King V-traceable score – driven by evidence, not dashboards – showing the overall health of governance, including whether cyber is protecting value or just burning cash.
Resilience counts double, because when the clock runs, earnings bleed. Each quarter, only tested, timed drills on critical revenue services can lift us above amber – funding follows what moves the clock, not what looks good on paper.
How it breaks down:
G1 (15) – governance structure and cadence: How effective is your committee? Are actions closed, or do decisions drift?
G2 (15) – policies, compliance and ethics: Control coverage, audit close-rate/ageing, enforcement.
G3 (30) – risk and resilience: This is where cyber lives. Cyber Risk Index = prevent (controls coverage), empower (people readiness), prove (including independent validation), recover (timed detect/contain/recover/manual-mode).
G4 (20) – stakeholder trust and engagement: Are incidents reported? Are regulators engaged and closed out on time? What’s the confidence trend?
G5 (20) – performance and sustainability: Appetite adherence, KRIs in band, capital allocation links.
The Governance Index score alone isn’t enough – what matters is how it drives action. It highlights which initiatives are ready to scale and which should stay limited, ensuring every decision is anchored in tested outcomes and real business value.
What’s good enough to scale?
Not every win deserves scale. Improvements on non-critical systems – hygiene – don’t automatically earn investment. Only results that protect value and meet business appetite for continuity and trust get scaled. If the timing target fits what the business can tolerate, we scale; if not, we stop.
Manual-mode fallback is rare, but part of the logic. Don’t chase green on low-value assets – that’s just posture theatre.
Scaling only what protects value is the discipline that separates true governance from theatre. When investment is grounded in tested outcomes and aligned with business appetite, every decision protects value and remains cost-justified.
Conclusion: Make cyber governance count
Resilience isn’t measured by optimism or compliance – it’s measured by how much time you can buy when it matters most. The Governance Index distils overall cyber health into a single value, revealing whether investments are protecting value or just maintaining appearance.
Don’t wait for the next incident – or the next misleadingly green report. Call your IT manager or CISO and ask for the one-pager cadence: a quarterly snapshot with the scorecard, 90-day plan and decision ledger. If it’s not clear, timed and tied to outcomes, you’re not governing – you’re funding theatre.
As CEO or the board, ask:
Where’s the proof? Can we name three revenue-critical services where detect, contain and restore timings improved – last quarter, in hours?
Which risks are out of appetite right now? By how many hours – and who owns fixing them before the next quarter’s clock starts?
What’s next? Which three improvements are locked into the 90-day plan – with owner, outcome, date and evidence ID – and what funding or work will stop if those results don’t land?
If you can’t answer those with confidence, then cyber remains a risk we narrate, not govern. If you can, you have what every board needs: the authority to act – on spend, on risk, on trust.
Choose to lead with evidence. Make every rand count. Invest only where it buys speed, readiness and real business protection. That’s how cyber becomes governable, cost becomes visible and value stays ahead of the clock.