Nation-state cyber threats can feel like a distant risk until they disrupt operations, trigger disclosure obligations, and expose leadership to governance scrutiny. The assumption that such threats are remote is increasingly at odds with how modern cyber operations unfold. Attacks tied to state-sponsored actors now intersect directly with corporate governance, regulatory exposure, and operational continuity.
Laura I. Harder, Vice President of ISSA International and an offensive cyber officer in the U.S. Air Force Reserves, approaches the issue from a perspective shaped by both military doctrine and corporate reality. Across 25 years of military service and more than two decades in cybersecurity roles, she has focused her career on how to translate adversary behavior into decisions senior leaders can actually make.
The cyber domain mirrors military doctrine. Threat actors plan, probe, and exploit with intent. Organizations that fail to recognize that intent often discover the consequences only after damage has already spread.
Translating Adversary Tactics for the Boardroom
Harder’s early work centered on nuclear, biological, and chemical warfare, disciplines grounded in understanding how adversaries think, prepare, and exploit weaknesses. That mindset carried forward as her work shifted into IT and later cyber operations.
In private sector roles, including time with Equinix’s Cyber Threat Intelligence team, Harder worked closely with what the military refers to as tactics, techniques, and procedures (TTPs). “It’s what threat actors use in networks to gain access, maintain persistence, and to move laterally,” she says. In cyber terms, a payload is not a weapon in the physical sense, but malware or ransomware deployed to achieve leverage.
Today, Harder leads vulnerability management efforts that sit at the intersection of threat intelligence and enterprise risk. Her teams analyze publicly disclosed vulnerabilities to determine whether they exist in the environment, and escalate issues that materially affect the business. That information flows to CISOs and executive leadership, where it becomes part of broader risk discussions rather than isolated security alerts.
The Persistent Framing of Cyber Risk as Cost of Doing Business
Board-level blind spots often stem from financial framing. Leaders are trained to weigh risk through profit and loss, and cyber incidents can appear similar to other forms of acceptable loss. The growth of cyber insurance has reinforced that perception.
“Cyber insurance transfers your risk,” Harder says. In a ransomware event, paying a ransom through insurance can seem preferable to prolonged downtime. For some large enterprises, an hour of lost operations may exceed the cost of the ransomware payment.
That logic breaks down with the rise of double extortion. In these attacks, adversaries quietly exfiltrate data before encrypting systems. “They exfiltrate your data, then they will launch the payload,” Harder says. Even after systems are restored, organizations face additional demands to prevent sensitive data from being released or sold.
The downstream effects extend well beyond IT. Data exposure can trigger violations of state privacy laws across the U.S., as well as international regulations such as GDPR. Reputational harm can persist long after technical recovery. In some cases, access is resold to other groups, creating ongoing exposure that boards may not fully anticipate.
Establishing Governance Around What Matters Most
Organizations are best served by following a coherent cybersecurity framework that aligns with business priorities and regulatory expectations, whether that comes from NIST guidance, sector-specific standards, or other established models.
Boards should insist on identifying what Harder calls the “crown jewels,” the systems and data that are truly mission and business critical. “What is the financial implication if those systems go down?” she says. Equally important are the second- and third-order effects, including customer impact, supply chain disruption, and regulatory scrutiny.
A thorough business impact analysis provides a shared reference point for leadership and helps shift conversations away from abstract threats toward concrete consequences.
Rehearsing the Decisions That Matter Under Pressure
Another common gap is readiness at the executive and board level. Cyber incidents demand coordination across legal, communications, operations, and security teams, yet many organizations have never practiced those interactions.
“A tabletop exercise is the easiest way to start, then move on to simulations,” Harder says. These exercises clarify who needs to be involved, what processes need to be followed, how quickly decisions must be made, and what realistic timelines look like.
Third parties often complicate matters, and they frequently set the ceiling on resilience because their failure becomes your outage. Technical faults at foundational services such as Cloudflare, Amazon Web Services, and Microsoft Azure have caused widespread outages worldwide, affecting major sites including ChatGPT and the social media platform X. Dependence on such platforms can therefore translate directly into significant losses. Although contracts may dictate response obligations, those details are frequently overlooked until an incident occurs. For publicly traded companies, disclosure requirements and external communications add further complexity.
Regular exercises help maintain what Harder describes as muscle memory for scenarios that leaders do not encounter in day-to-day operations.
Measuring Resilience Instead of Assuming It
Effective oversight depends on metrics that boards can use. Harder emphasizes reporting that tracks detection speed, containment time, recovery duration, and maximum tolerable downtime. Without that visibility, leaders are left to make decisions based on assumptions rather than evidence.
Threat actors, she says, look for “low hanging fruit,” organizations with easily exploitable vulnerabilities. To avoid being selected, leaders should implement a defense-in-depth strategy, combining people, process, and technology to prevent attacks. The goal is to raise the bar so that exploitation becomes more difficult and more costly to achieve.
Looking ahead, Harder sees AI-driven social engineering, deepfakes, and hybrid attacks against critical infrastructure as persistent challenges. Creating convincing executive impersonations now requires only minutes of publicly available audio or video. Critical infrastructure such as energy, water, healthcare, transportation, and government systems remains an attractive target because disruption is immediate and visible.
“The best way to be resilient is to keep people in the loop,” Harder says, underscoring the importance of informed leadership rather than automated decision-making.