Cybersecurity Is Not an IT Issue: It’s a Leadership Imperative
Lessons from Harvard Kennedy School Executive Education on Why Cyber Risk Is a Governance Issue
As part of my Harvard Kennedy School Executive Education, I recently completed another virtual executive course this week titled Cybersecurity: The Intersection of Policy and Technology. This course builds on a cybersecurity and technology-focused program I completed last August, and together, they have significantly deepened — and sharpened — my perspective.
What stood out most this time was not just the technical content, but how the insights compounded. Concepts that felt theoretical last year now landed with greater urgency, clarity, and real-world relevance. With more exposure, more case material, and more leadership context, the message became unmistakable:
Cybersecurity failures are often leadership failures long before they are technical ones.
Cybersecurity Lives at the Intersection of Leadership and Governance
Across both courses, one consistent lesson emerged: cyber risk does not sit neatly inside an IT org chart. It lives at the seams — between policy and technology, public and private sectors, innovation and resilience.
We examined real-world incidents involving governments, critical infrastructure, and major institutions where breaches didn’t occur because leaders ignored cybersecurity altogether, but because:
- Accountability was unclear
- Cyber risk was treated as a compliance task instead of a strategic concern
- Decisions prioritized speed, convenience, or cost over resilience
In many cases, the technology worked exactly as designed — but the governance failed.
The Quality of Instruction Matters
What made both experiences especially impactful was the caliber of faculty and lecturers, including Jim Waldo and other experts operating at the intersection of computer science, public policy, and national security.
Rather than abstract theory, the instruction was grounded in real incidents, real constraints, and real leadership trade-offs. Jim Waldo, in particular, has a rare ability to translate deeply technical concepts into leadership-level insights without oversimplifying them. His teaching consistently elevated the conversation — showing how organizational decisions, incentives, and blind spots introduce cyber risk long before an attack ever happens.
A recurring theme across lectures was this:
Cybersecurity incidents are rarely surprises — they are often the result of known risks that were deferred, misunderstood, or deprioritized at the leadership level.
That candor was both refreshing and sobering.
Cybersecurity Is About Public Trust
At its core, cybersecurity is about trust.
When systems fail, it’s not just data that’s compromised — it’s confidence. Confidence in institutions. Confidence in leadership. Confidence that the systems people rely on every day will work when it matters most.
In a world where cities, hospitals, utilities, schools, and financial systems are digitally interconnected, a cyber incident can quickly become a community crisis. Yet too often, cybersecurity is still discussed only after something breaks.
Both courses reinforced for me that cyber preparedness must be treated with the same seriousness as physical safety, fiscal responsibility, and ethical governance.
A Call for Cyber-Literate Leadership
Leaders do not need to be cybersecurity experts — but they must be cyber-literate.
That means:
- Understanding cyber risk as an enterprise and governance issue
- Asking the right questions at the board, executive, and policy levels
- Ensuring cybersecurity is embedded into strategy, not bolted on afterward
As AI, data, and digital transformation accelerate, the cost of ignoring cybersecurity grows exponentially.
Final Reflection
Completing multiple cybersecurity courses through Harvard has strengthened my conviction that the future belongs to leaders who can bridge policy, technology, and responsibility. Cybersecurity sits squarely at that intersection.
We don’t get to treat it as someone else’s problem anymore.
And we certainly don’t get to wait until after a breach to take it seriously.


