Boardroom misunderstanding: Why billions spent on cybersecurity have yet to pay off
Financial Standard
By Graham Kajilwa | Dec 02, 2025
During the launch of the 2025 KPMG Africa CEO Outlook report, Diamond Trust Bank (DTB) Kenya Chief Executive Murali Natarajan gave an insight into how corner office executives approach cybersecurity issues in their business.
He noted that the challenge CEOs and cybersecurity professionals face is that when the experts make a proposal saying there is a need to upgrade or introduce a new technology, the executives can never ask what the cost-benefit is.
"The threat is unlimited," he said. "You can only ask, is there an alternative which is better or cheaper?"
Natarajan cited cybersecurity as one of the scariest parts of his role. He noted how the cybersecurity department in his institution has grown from five people a decade ago to 40 employees now.
His insights provide a glimpse of the challenges that occur in the boardrooms when cybersecurity matters are tabled. This has been elaborated in the latest report by Serianu, an African cybersecurity consulting firm, which documents why billions of shillings spent on cybersecurity efforts are not paying off.
The report cites boardroom misunderstandings between company executives and technology experts on how to handle the kind of risks the businesses face.
The Africa Cybersecurity Report 2024/2025 details how cybersecurity discussions have turned into monologues in boardrooms as budgets are being allocated out of fear of attacks amid dropping confidence levels.
The report argues that most companies still operate cybersecurity as a sub-department under IT (information technology) rather than a key pillar of the business. It also notes that when business leaders and technologists do not speak the same language, risk becomes distorted.
As such, budget allocations are driven by fear and not evidence, reports focus on activity and not outcomes, assurance becomes anecdotal and not measurable, and regulatory oversight becomes reactive and not preventive.
The report describes this scenario as ‘cyber risk management through noise’.
“Organisations invest in the loudest tool or the most alarming threat, rather than the control that delivers the greatest measurable impact,” the report says. “The communication gap is not unique to Africa, but its consequences are far more serious here.”
The report speaks of a silent disconnect in boardrooms. It says that across industries, those tasked with governing cyber risks (boards, executives and regulators) speak the language of strategy, risk appetite and accountability.
Meanwhile, those charged with managing it (chief information officers (CIOs), chief information security officers (CISOs), auditors and operational teams) speak the language of controls, systems and vulnerabilities.
When cybersecurity discussions are held in boardrooms, boards hear about firewalls and patches, but not business exposure. CISOs and CIOs report incident counts, not resilience metrics, and regulators receive compliance reports, not quantifiable confidence levels.
“Both groups are deeply committed to protecting the organisation, yet they operate in parallel universes,” says the report. “The result is a widening communication gap where important decisions are made without shared understanding.”
Serianu says the language divide persists because organisations still treat cybersecurity as a subset of IT rather than a strategic pillar of enterprise risk. “This creates a hierarchical and linguistic divide,” it says in the report.
It further breaks this down: while boards and executives speak of strategy, risk appetite, capital allocation and governance, they cannot interpret technical controls in financial terms.
Risk and audit functions detail frameworks, assurances and compliance, but their metrics are not linked to resilience or outcomes. ICT and security teams' jargon is full of firewalls, patches, logs and vulnerabilities, details that are technical but lack strategic context.
“Without a translator between these groups, data is lost in translation, not because it's missing but it's miscommunicated,” the report says. “This divide is not just semantic, it’s structural. It’s the reason why billions are spent on cybersecurity while confidence in resilience remains low.”
The report states that boards should demand quantified reporting and not technical slides. This quantified reporting should contain risk-based metrics tied to the business impact.
Cyber resilience should be embedded in the business's risk management and treated as part of financial governance. The report also calls for a culture of measurable assurance, where every executive can explain not just what controls exist but how well they perform.
Executives should translate operational data into confidence indicators rather than activity reports, link technology investments directly to risk reduction outcomes, and foster collaboration between risk, ICT and audit to eliminate siloed reporting.
The report says cyber resilience is no longer a technical function; it’s a language of leadership. “It’s how boards demonstrate accountability, how regulators build trust and how organisations secure their digital future,” it says.
It adds that when leaders and technologists finally speak the same language, resilience becomes measurable. Confidence becomes visible, and cybersecurity becomes governance, not guesswork. “Bridging the language divide is not about learning technical jargon, it’s about aligning expectations,” the report says.
The 2025 KPMG Africa CEO Outlook report cites cybersecurity as one of the areas chief executives are considering investing more in to safeguard their businesses.
“Leaders are becoming more deliberate in where they channel their resources. Cybersecurity and digital resilience topped the list of investment priorities (45 per cent), followed by AI integration across business workflows (41 per cent) and investments in new technologies and solutions for expansion (34 per cent),” reads the report published November 5, 2025.