
ASX governance: the 4% directors problem

Only 4% of ASX 100 directors have IT backgrounds. With an average global data breach cost of $4.44 million, that gap is no longer tolerable.

12 min read · Published 15 Sept 2025 · Updated 17 Oct 2025

The governance gap

Only 4% of ASX 100 directors have IT backgrounds[3], yet boards carry ultimate accountability for technology risk. With the average data breach now costing $4.44 million globally[4], that gap is no longer tolerable.

APRA CPS 234 requires boards to maintain information security capability commensurate with risk profile[1]. The AICD provides similar guidance[2]. Yet most boards lack the technical depth to verify either is being met.

What every board should ask quarterly

  • Service performance: are we meeting our SLAs, and where are the systematic misses?
  • Security posture: which CPS 234 controls exist in evidence (not slide deck), and which are aspirational?
  • Vendor concentration: what percentage of operational risk sits with a single provider?
  • Cost trajectory: is technology spend tracking forecast within the 76% accuracy benchmark[5]?
  • Cyber incident readiness: when was the last live tabletop, and what did it reveal?
  • Governance trail: do board minutes reflect substantive technology decisions or rubber-stamping?

How to read the answers

A management team that cannot crisply answer these questions in plain English is not necessarily incompetent, but it almost certainly needs independent oversight. The role of independent technology advisory is to give the board a translation layer between operational technology reality and director-grade decision-making.

Research sources

Evidence-based, transparently sourced.

All statistics and research findings on this page are supported by authoritative sources. Behind The SLA is committed to evidence-based advisory and transparent methodology.

  1. [1] APRA. CPS 234 Information Security Standard
    Board must maintain information security capability commensurate with risk profile
  2. [2] Australian Institute of Company Directors. Director Tools and Governance Guidelines
    Best practice guidance for board technology oversight
  3. [3] UNSW Institute for Cyber. ASX 100 Technology Governance Study
    Only 4% of ASX 100 directors have IT backgrounds
  4. [4] IBM Security. (2024). Cost of a Data Breach Report
    Average global data breach cost: $4.44 million (US: $10.22 million)
  5. [5] KPMG. (2024). Australian Director Survey
    73% of boards identify cybersecurity as a top risk; 76% of tech executives say cost forecasts are accurate

Methodology Note: Behind The SLA conducts independent research validation for all published statistics. Where proprietary research is cited, it is based on aggregated, anonymised data from client engagements spanning 15+ years of MSP industry experience.
