Why the Board Is Always the Last to Know
There is a meeting that happens after every serious cyber incident, and it is always the same meeting.
The breach is understood now. The forensics are in. A senior executive walks the board through what happened, and the explanation is good — coherent, technically credible, often genuinely correct. A sophisticated adversary. A vulnerability in a third party. A control that worked everywhere except the one place it mattered. The directors nod. The explanation makes sense.
And then someone asks the only question that matters, usually obliquely, because asking it directly would be impolite: Did we know? Was this visible to anyone, before it became a crisis? And the answer, delivered with great sincerity, is almost always some version of: not really. The signals were ambiguous. The situation evolved faster than anyone expected. In hindsight there were indicators, but at the time they didn’t stand out from the noise.
This answer is accepted, because there is no way to test it. And that is the whole problem, sitting in plain view in the boardroom, unnamed.
Here is the uncomfortable thing I want to put to you. The reason the board is surprised is almost never that the signal wasn’t there. In most serious incidents, somebody in the organisation knew something was wrong, or could have known, weeks or months before it became undeniable. The reason the board is surprised is that the information the board receives about cyber is structurally incapable of surprising it.
Think about what a board actually sees. It sees measures that have been produced, selected, aggregated, and framed specifically for board consumption. By the time a number reaches a board pack, it has passed through the people whose performance it reflects. It has been chosen because it is reportable. It has been smoothed into a quarterly rhythm. It arrives as a finished account of a settled state.
A measure like that can do many things. It can reassure. It can demonstrate diligence. It can satisfy a regulator that oversight occurred. The one thing it cannot do is change a decision, because by the time it arrives the decisions it bears on have already been made. It is an output of the organisation’s cyber activity — a record of what was done — not an input to what should be done next.
This is the distinction I think matters more than anything else in cyber governance, and it is almost entirely absent from how we talk about the subject. We argue endlessly about whether the metrics are good — leading versus lagging, the right KPIs, the better dashboard. We are arguing about the quality of the measures while ignoring their position. And their position is the problem. A measure that arrives after the decision is an output no matter how good it is. A measure that shapes the decision while the decision is still open is an input no matter how crude. We have spent a decade improving the quality of our outputs and almost no effort asking whether anything functions as an input at all.
You can test this in your own organisation, and the test is brutally simple.
Think back over the last two years. Can you name a single instance in which a measure — not an incident, not an audit finding forced on you, not a regulator’s letter, but a number or a signal your own organisation produced — changed a strategic cyber decision before the thing it measured became a problem? An investment redirected, a vendor dropped, a programme paused, a risk appetite revised, because the evidence said so and arrived in time to be acted on?
Most directors, asked this honestly, cannot name one. They can name incidents that forced change. They can name audits that produced remediation. They can name regulatory pressure that moved budgets. All of these are the organisation responding to consequences after they have materialised. None of them is a measure functioning as an input. If the only things that change your cyber strategy are events and external pressure, then your measures — however numerous, however well-presented — are outputs. They describe. They do not decide.
If you can name an instance, genuinely name it, then your governance is doing something most organisations’ governance does not, and you should understand exactly how that happened and protect it, because it is rare and valuable and easily lost.
The natural response is to treat this as a failure of competence or attention — to say we need better people, better tools, more board expertise, a sharper CISO. I want to suggest something more uncomfortable: the condition persists not because anyone is failing, but because it serves almost everyone’s interests, and that is why a decade of better tools has not fixed it.
Consider the incentives honestly. An executive who surfaces a developing cyber concern early, while it is still ambiguous, is taking a career risk for an uncertain benefit. If the concern proves unfounded, they cried wolf. If it proves real but they have already escalated it, they have advertised a problem on their own watch. The safer move — the rational move — is to manage the concern quietly and escalate only when escalation is unavoidable, by which point it is no longer a measure that could have changed a decision but an incident that demands a response. The system rewards confidence and punishes early bad news, and it gets exactly what it rewards.
The board’s rhythm compounds this. Cyber developments unfold over hours and days; boards meet over quarters. A reporting cadence built for financial oversight cannot carry information at the speed cyber moves, so the information that reaches the board is necessarily the slow, settled, after-the-fact kind. The fast information — the kind that could still change something — never makes the journey.
And underneath both sits the ambiguity that protects everyone. When the breach finally comes and the board asks “Did we know?”, there are two possible answers and no way to choose between them. Either management genuinely didn’t see it — in which case the organisation’s ability to perceive its own risk is inadequate — or management saw enough to be concerned and didn’t say — in which case the board is being managed rather than informed. Both answers are damning. Neither can be proven from the boardroom. So the ambiguity holds, the plausible explanation is accepted, and the same meeting is scheduled, unknowingly, for some date in the future after the next incident.
This is not a broken system. It is a stable one. It is an equilibrium that every participant has a local reason to maintain, which is precisely why it survives every new framework, every new tool, every newly cyber-literate director appointed to fix it. You cannot fix an equilibrium by improving the inputs to it. You have to change the structure that holds it in place.
I am not going to pretend that naming this tells you how to change it. Changing it is hard, precisely because the equilibrium is stable, and anyone who offers you a quick framework for fixing it is selling the same kind of reassurance that is the problem. What I am asking is narrower and, I think, more useful: that you stop evaluating your cyber governance by the quality of what it produces, and start evaluating it by whether anything it produces ever functions as an input to a decision that is still open.
That is a different question from any that conventional cyber governance assessment asks. Your compliance audit will not answer it. Your maturity model will not answer it. Your board cyber-expertise scorecard will not answer it. They all assess the quality and presence of the apparatus. None of them asks whether the apparatus has ever, even once, changed your mind in time.
So ask it. In your next cyber discussion, when the measures are presented, ask the person presenting them a single question: if this number were twice as bad, what decision in front of us would change — today, before anything happens? If there is a clear answer, the measure is an input and your governance is doing real work. If the honest answer is that the number would be noted, and discussed, and the decisions would proceed as planned, then you have just watched an output being mistaken for oversight.
The board that learns to tell the difference is not yet safe. But it has stopped being surprised by its own surprise, which is where everything else has to start.