The chief executive officer stared at his own reflection in the darkened boardroom window while the lawyers shouted over each other on speakerphone. Outside, the city lights blinked innocently. Inside, the company was bleeding. Three floors down, servers hummed with malicious code that had slipped past six different technical defenses, but the real disaster was not happening in the server room. It was happening in this room, among the polished table and the leather chairs, where grown adults could not agree on who had the authority to shut things down. The breach had started as a technical problem. It had quickly become something far more terrifying. It had become a human problem.
When we imagine a cyberattack, we picture a hooded figure in a basement tapping code into a glowing screen. We imagine firewalls crumbling and encryption breaking. We imagine a battle of machines, of ones and zeros clashing in the dark. This is comforting because it suggests the fight belongs to the technicians, the experts in hoodies who speak in code. But the raw truth is that the most damaging breaches rarely succeed because the technology failed. They succeed because the humans in charge made decisions that had nothing to do with technology.
Consider the legal decisions. When the attack began, when the first alarm pinged on the security dashboard, the company's general counsel immediately thought about lawsuits. They thought about shareholders. They thought about disclosure laws in three different countries with conflicting requirements. While the technicians begged for permission to pull the plug, to isolate systems and stop the spread, the lawyers debated liability. Every minute they talked, the attackers moved deeper. The code was doing the damage, yes. But the delay was caused by corporate policy, by the fear of legal consequences outweighing the fear of technical ones.
Then there is the public relations strategy. In the first hour of an incident, there is a vicious fight over the narrative. The communications team wants to say nothing until they have perfect information. The marketing team wants to spin it as a minor glitch. The executives want to protect the brand at all costs. While they argue about wording, while they craft the perfect reassuring statement, the breach escalates. The technical team is told to wait, to hold off on aggressive containment because aggressive containment might look bad. It might alert customers. It might cause panic. So the technicians wait, watching their screens fill with red, because the corporate governance structure prioritizes reputation over response.
At the heart of every major incident is a series of executive risk tradeoffs. These are the quiet conversations that happen long before any attack occurs. The chief financial officer asks if the company really needs to spend two million dollars on upgrading legacy systems. The chief executive officer wonders if the security team is being alarmist. The board approves a budget that prioritizes growth over defense because growth is visible and defense is invisible. These are not technical decisions. They are business decisions made by people who do not understand the technology but hold the power to fund or defund it. When the attack comes, it exploits the gaps those decisions created. The code is just the messenger. The failure was signed off in a meeting room six months earlier.
Regulatory negotiation is another piece the public never sees. After the dust settles, after the systems are restored and the press releases are issued, the company must deal with the government. There are fines to negotiate, settlements to arrange, compliance mandates to satisfy. This is not a technical process. This is diplomacy, legal maneuvering, and corporate lobbying. Skilled negotiators can reduce penalties by framing the breach as an isolated incident rather than systemic negligence. The quality of the response is determined by the quality of the lawyers and executives, not the quality of the firewall.
The hard truth, the one the cybersecurity vendors do not advertise, is that security failure is almost always management failure. Technology can be upgraded. Patches can be applied. Software can be replaced. But you cannot patch a culture that ignores warnings. You cannot encrypt against executive greed. You cannot firewall a boardroom that refuses to listen to its experts. The breach happens in the code, yes. But the conditions that made the breach possible were created by human hands holding pens, signing checks, and making tradeoffs that prioritized convenience over safety.
The chief executive officer in that darkened boardroom eventually gave the order to shut down the systems. It took three hours longer than it should have. By then, the data was gone, copied and exfiltrated to servers in countries with no extradition treaties. The technical team did their job. They detected the intrusion quickly. They had the tools to stop it. But they were overruled by a chain of command that valued legal positioning over technical reality. The machines failed because the people failed first. And that is the story nobody wants to tell, because it is easier to blame the hackers than to look in the mirror and admit the enemy was sitting in the boardroom all along.
When The Boardroom Built The Breach © 2026 by Ododoobari John Okpabi is licensed under CC BY-NC-ND 4.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-nc-nd/4.0/
When The Boardroom Built The Breach was originally published in DataDrivenInvestor on Medium, where people are continuing the conversation by highlighting and responding to this story.
