Cybersecurity at the board level: the internal audit perspective
Cybersecurity is more than a technical challenge – it is a governance issue that is increasingly moving up on the agenda of boards of directors. On 20 May, Katleen Seeuws, Vice President Standards & Guidance at The Institute of Internal Auditors (IIA) Global, will deliver a keynote at Cybersec Europe 2026 on how internal audit functions can translate cyber risks into board-level confidence.
With years of experience in governance, internal control, and risk-focused audit work, Seeuws emphasizes one key point: cybersecurity is not just an IT problem limited to firewalls and technical controls. It is a board-level governance and risk issue.
Her session, “From Cyber Risk to Board Confidence: The Internal Audit Perspective,” will explain how internal audit can strengthen cyber governance and improve reporting to senior management.
Moving beyond fragmented views of cyber risk
Many organizations still struggle with fragmented responsibilities: IT, risk management, compliance, and business leadership often operate in silos. This leads to unclear escalation paths, ambiguous ownership, and reports that are either too technical or too vague for boards and audit committees.
According to the IIA 2026 Risk in Focus, cybersecurity remains the top global audit risk, while digital ecosystems grow increasingly complex, dependencies on third parties increase, and regulations such as NIS2, DORA, and the Data Act place additional pressure on organizations.
Seeuws advocates a standardized, risk-based approach: internal audit can assess whether cyber governance actually works, whether risks are clearly defined, responsibilities assigned, and controls aligned with what truly matters. Only then can senior management make well-informed decisions and boards govern with confidence.
The Three Lines Model as a Guiding Framework
A central part of her presentation is the Three Lines Model, which clarifies roles and responsibilities within governance. This ensures each stakeholder receives the insights they need:
- Boards and audit committees gain confidence that cyber risks are understood, controlled, and transparently reported.
- Senior management receives insight into gaps, inconsistencies, and the organization’s cyber maturity.
- Second-line functions benefit from clearer accountability and better integration within the broader Governance, Risk & Compliance (GRC) framework.
Even those outside internal audit can learn from this: unclear roles make risks harder to manage, and unstructured reporting hinders board-level decision-making.
Cybersecurity as a strategic priority
Seeuws highlights that cybersecurity is increasingly a strategic priority, not just a technical exercise. Organizations must focus on digital resilience, incident preparedness, and cross-department collaboration. In the coming years, success will be measured by how well an organization anticipates risks, adapts controls, recovers quickly, and reports clearly to decision-makers.
In her session, Seeuws will also show how the Cybersecurity Topical Requirement within the IIA framework helps improve cybersecurity maturity. Standardization provides reliable risk reporting, stronger governance, and greater confidence for boards and senior management – demonstrating how internal audit can serve as a bridge between technical security and strategic decision-making.
Catch Katleen Seeuws at Cybersec Europe 2026 on 20 May at 15:35 on the main stage, Brussels Expo.
