In the past, cybersecurity was often viewed as a technical hurdle relegated to the server room — a series of firewalls and network configurations managed deep within the IT department. But as the digital landscape shifts, cybersecurity has moved firmly into the boardroom.
In a recent episode of The Company Director Podcast, Mathew Graham, Okta’s Chief Security Officer for APAC, sat down with host Bennett Mason to discuss why the traditional security wall is dead and why, in its place, identity has emerged as the most critical strategic imperative for modern boards.
The death of the perimeter
For decades, organizations relied on a castle-and-moat strategy: build a strong enough firewall, and your data is safe. However, the rise of cloud computing, remote work, and hyper-connected supply chains has dissolved those boundaries.
“There is no wall like that anymore,” Graham explains. “The new perimeter is identity. Proving who the individual is — or, increasingly, what the AI agent is — has become the core of business security.”
Attackers have pivoted accordingly. Identity-related attacks, such as credential theft, are now the leading cause of corporate compromise: according to Rubrik research, up to 80% of cyberattacks are identity-driven. For directors, a breach can spell a revenue-impacting, reputation-eroding business catastrophe.
Governance vs. management: asking the "what" and "why"
One common challenge for boards is knowing where their oversight ends and management’s execution begins. Graham defines the board’s role as setting the "what" and the "why": What is our risk appetite? Why is a culture of security a strategic priority?
Management, conversely, owns the "how" — the implementation of controls and day-to-day risk mitigation. But Graham notes that governance shouldn't be passive. Just as directors oversee financial health by asking probing questions, they must apply the same rigor to cyber health.
“It’s not about picking the brand of firewall,” Graham says. “It’s about asking: ‘How confident are we that we know who has access to our most critical data?’”
The AI double-edged sword
The conversation naturally turned to AI, which Graham describes as a massive accelerant for threat actors. AI is being used to craft flawless phishing emails, automate the search for vulnerabilities, and even generate deepfakes to bypass traditional social engineering defenses.
However, the risk isn't just external. Organizations are rapidly adopting AI agents to handle business functions, from fraud analysis to ledger inspections. These bots represent a new class of identity that requires the same level of protection as a human employee.
“Every one of these agents is a potential pathway into your environment,” Graham warns. “If we’re giving bots access to our data, we must secure them with the same governance standards we apply to our human workforce.”
Moving past the "single pane of glass" fallacy
A key takeaway for directors of large enterprises is the danger of vendor concentration. Many boards are tempted by the "single pane of glass" promise — using one provider for every security need. Graham likens this to putting an entire investment portfolio into a single stock.
“Concentrating your risk into one provider is dangerous,” he argues. “If that provider has an outage or a breach, your entire operation goes down. A deliberate security strategy involves a neutral identity platform that secures a best-of-breed ecosystem.”
Building muscle memory: beyond compliance
For small and medium-sized enterprises (SMEs) and large enterprises alike, Graham’s message is clear: compliance is not security. Compliance is the bare minimum.
To truly protect an organization, boards must ensure their teams are building muscle memory through frequent simulations and tabletop exercises. Graham recommends that boards participate in these scenarios to understand their own response protocols for market communication and regulatory engagement during a crisis.
“Complacency is deadly,” Graham says. “The idea that ‘we haven’t been breached, so we never will be’ is a killer. It’s not about trust but verify — it’s about inhibiting trust and always verifying.”
Summary for the boardroom
As the session concluded, Graham left directors with three fundamental questions to take back to their management teams:
Visibility: Do we truly know who (and what) has access to our most critical data?
Governance: How are we governing our supply chain and our growing fleet of AI agents?
Alignment: Is our identity strategy keeping pace with our business growth and digital transformation?
In the modern era, cybersecurity is a shared responsibility: no longer a technical afterthought but a strategic imperative that requires continuous, informed oversight from the boardroom. Identity is at the heart of this challenge, and directors must empower their organizations to secure every access point, whether human or AI.
Listen to the full conversation:
Hear more from Mathew Graham on the evolving role of the board in cybersecurity. Download the full episode of The Company Director Podcast on Apple Podcasts or Spotify.