Framework bridges gap between cybersecurity, boardroom decision-making

Mayokun Adegbite

Organisations that run essential services have learned to measure their security posture. What most have never solved is the harder problem: turning that posture into a governance decision the boardroom can actually act on. Mayokun Adegbite has spent years building the framework that finally makes that journey possible.

Behind every lit hospital ward, every functioning water treatment plant, and every uninterrupted supply of electricity lies a fragile digital backbone that criminals and hostile state actors work around the clock to break. The engineers capable of defending that backbone are among the scarcest professionals in the world.

They must command industrial control systems built before networked computing existed, navigate the compliance architecture of regulated industries, and keep physical processes running while quietly fortifying the systems that govern them. Most cybersecurity professionals can do one of those things. A small number can do two. The ones who can do all three, and then explain what they have found to a room full of executives, are in a category of their own.

Mayokun Adegbite is one of them. Over a career spanning more than a decade, beginning in Nigeria and extending through roles in critical infrastructure on two continents, he has built a profile that sits at the precise intersection of three disciplines most organisations treat as separate departments: the engineering of physical control systems, the architecture of information technology networks, and the governance of cybersecurity risk in regulated environments. What has brought him to the attention of the research community is his recognition that none of those disciplines fully delivers on its promise until it reaches the boardroom in a form the boardroom can use.

Security posture, in other words, is not an end. It is a starting point. And for most organisations running critical infrastructure, the journey from that starting point to a governance decision has never been properly mapped.

“Security teams and company boards have been speaking different languages for years. My aim was simply to give them a shared one.”

THE POSTURE PROBLEM

Ask the security team at any major regulated utility how well their organisation is defended and they can usually tell you, in considerable technical detail. They can describe their network segmentation, their patch cadence, their intrusion detection coverage, and the outstanding vulnerabilities on their remediation list. What they frequently cannot tell you, in terms that translate directly into a governance decision, is how all of that adds up: how exposed the organisation truly is, relative to its threat environment, and what the risk looks like in the language that boards and executives are equipped to reason about.

This is the posture problem. Security information exists in abundance. Security intelligence, meaning a synthesised, weighted, governance-ready picture of where an organisation stands and what it should do next, is far harder to produce and harder still to present in a form that crosses the divide between technical and executive audiences without losing its meaning in translation.

The consequences of that divide are not academic. Boards that cannot read a security posture accurately cannot allocate security budgets intelligently. They cannot ask the right questions of the engineers below them, and they cannot exercise the kind of informed oversight that regulated industries are increasingly required to demonstrate. The result is a governance structure that is nominally in place but practically ineffective, where the people with accountability lack the information to discharge it and the people with the information lack the standing to force better decisions.

Adegbite’s published research, “A Cyber Risk Quantification and Governance Architecture for Critical Infrastructure: From Posture Measurement to Executive Reporting,” published by the International Institute of Academic Research and Development, takes that problem seriously and works through it systematically.

The paper does not offer a simplified dashboard or a set of traffic-light indicators. It offers a structured architecture, from the measurement of posture through to the governance outputs that leadership can act upon, designed around the specific obligations and constraints of regulated critical infrastructure.

THE ARCHITECTURE: FROM MEASUREMENT TO DECISION

The framework Adegbite constructs moves through the problem in two deliberate stages, and the distinction between them matters. The first is posture measurement: not a point-in-time audit, but a continuous, structured assessment of how an organisation’s actual defences compare to its actual threat environment. Cyber risk is not static. An organisation’s exposure on a given morning can shift materially by afternoon if a zero-day vulnerability is disclosed, a supplier is compromised, or a configuration change is made during routine maintenance.

Capturing that reality in a form that is both technically accurate and analytically coherent requires a methodology, not just a monitoring tool. The framework specifies how to identify the indicators that matter, how to weight them relative to the operational context of a regulated infrastructure provider, and how to synthesise them into a picture that reflects genuine exposure rather than a list of open tickets.

The second stage is where the framework breaks from most of what the field has produced to date. Executive reporting, as Adegbite designs it, is not a summary of the first stage. It is a translation of it: a deliberate reconstruction of the risk picture in language and formats calibrated for the governance audience rather than the technical one. The framework specifies what a board or executive committee needs to make a sound decision about cybersecurity investment, what detail to include and what to strip away, and how to structure the presentation so that the information drives action rather than generating the kind of vague concern that produces no change.

The architecture that connects these two stages is designed with the regulatory environment of critical infrastructure explicitly in mind. A regulated energy utility does not have the luxury of treating governance as an internal matter. Its oversight obligations are external, documented, and auditable.

The framework produces outputs that serve both functions at once: informing the internal decisions that determine how well the organisation defends itself, and satisfying the external scrutiny that regulators are increasingly bringing to bear on how boards demonstrate cybersecurity accountability.

THE ENGINEER BEHIND THE FRAMEWORK

The credibility of this kind of work depends, in part, on whether the person producing it has actually stood in the environments they are writing about. Adegbite has. His career in network and security engineering spans more than a decade, beginning with roles supporting large-scale telecommunications infrastructure in Nigeria, where the demands of securing backbone networks serving tens of millions of subscribers gave him an early and unusually rigorous education in what it means to protect systems at scale.

That foundation extended into the highly specialised world of critical infrastructure protection, where he has since worked across regulated industries in multiple jurisdictions. In practice, that work has included leading the full deployment of network access control systems across live operational environments, delivering a measurable 20 percent improvement in security compliance and creating real-time visibility into assets that previously had none.

He has directed penetration testing against production systems in sensitive environments and personally closed every vulnerability those exercises uncovered. At a regulated electricity distribution utility responsible for power delivery to more than 63,000 customers, he designed and implemented zero-trust security architectures that replace the implicit, perimeter-based trust assumptions that have proven inadequate wherever IT and OT systems meet.

His academic formation spans three degrees across two countries. He holds a Bachelor of Science in Computer Science from Adekunle Ajasin University, where he was named Best Student of the Year in 2013 and Best Graduating Student in 2014 by the national body of computer science students, distinctions awarded among peers drawn from universities across the country. From there, he built carrier-grade engineering depth supporting one of Africa’s largest telecommunications operators, helping secure backbone networks serving millions of subscribers before advancing into the highly specialised world of critical infrastructure protection.

He went on to earn a Master of Science in Information Technology from the National Open University of Nigeria, and later a Master of Science in International Business and Management from the University of Bradford, a qualification that sits deliberately at the intersection of technical expertise and institutional decision making, and whose relevance to the governance dimension of his research is not coincidental.

He serves as a peer reviewer and section editor for multiple international journals covering cybersecurity, network engineering, cloud security, and critical infrastructure, spanning North American and Gulf regional research communities. The International Institute of Academic Research and Development has recognised his contribution to the field across multiple years and categories, with Reviewer of the Year and Editor of the Year awards alongside editorial membership in several of its journals.

In a space where the divide between practitioners and researchers is wide and rarely crossed in either direction, that body of recognition reflects a sustained and serious engagement with the literature on both sides.

“The distance between knowing your security posture and governing your cyber risk is wider than most organisations realise. That distance is exactly where the most consequential decisions get made badly.”

AHEAD OF THE CURVE

Adegbite’s attentiveness to problems before they become emergencies is something of a pattern. Years before artificial intelligence entered mainstream commercial discourse, he conducted postgraduate research into how people trust and interact with AI systems, exploring the behavioural and psychological dimensions of human-machine relationships in contexts where miscalibrated trust carries real consequences.

The work looked ahead of its time when it was completed. It looks considerably more prescient now, as organisations grapple with the governance implications of deploying AI at scale without fully understanding how the people using those systems relate to them or when they should not.

The same quality of anticipation is visible in his focus on cyber risk governance. The gap between security posture and boardroom decision making has existed as a problem for years, but its cost is rising as critical infrastructure becomes more deeply integrated with digital systems and as regulators move from recommending governance accountability to requiring it.

The organisations that will navigate that shift most successfully are not necessarily the ones with the strongest technical defences. They are the ones whose boards can read a risk posture accurately, ask the right questions of their security teams, and make resource decisions that reflect a genuine understanding of what they are managing.

Adegbite’s framework is addressed to precisely that capability. It does not assume that boards will become technically literate or that security engineers will become governance experts. It builds the bridge between them: structured, auditable, designed around the obligations that regulated infrastructure providers already carry, and focused not on the elegance of the measurement but on the quality of the decision it enables.

WHY GOVERNANCE IS THE HARDER PROBLEM

The organisations most exposed to the gap Adegbite’s work addresses are not always the ones with the weakest technical defences. Some of the most consequential failures in critical infrastructure cybersecurity have occurred at organisations with capable security teams and substantial technology investment.

The breakdown was not in the detection or the engineering. It was upstream: in decisions not made, investments not approved, and risks accepted by leaders who did not have the information to understand what they were accepting.

Regulators across North America and beyond are beginning to close that accountability gap from the outside. Standards bodies governing critical infrastructure are expanding their requirements beyond technical controls to include demonstrable governance at the board level, with explicit expectations around how risk is reported upward and how leadership demonstrates informed oversight of the organisation’s cybersecurity posture. The trajectory is clear: the question of whether a board can govern cyber risk is becoming a compliance matter, not just a management aspiration.

That regulatory shift makes the contribution Adegbite has built more timely than ever. A framework that begins with posture, moves through quantification, and arrives at governance-ready reporting is not just useful to the engineers who want to communicate better with their leadership.

It is useful to the organisations that need to demonstrate, to external reviewers and regulatory bodies, that the chain of accountability from operational security to board oversight actually functions. The framework does not just describe that chain. It is designed to be the chain.

The journey from security posture to boardroom decision is short in theory and long in practice. It crosses disciplines, cultures, and institutional structures that were not designed to communicate with one another, and it has to complete that crossing under the pressure of a threat environment that does not pause while the translation is worked out.

Adegbite has spent more than a decade earning the standing to build that bridge from both ends. The framework he has produced is the result of that work: rigorous enough to stand up to the scrutiny of the research community, grounded enough to reflect the operational reality of regulated infrastructure, and practical enough to change how the decisions that matter most actually get made.

Adegbite is a network and security engineer with more than a decade of experience across IT infrastructure, OT systems, and cybersecurity in regulated industries. He holds degrees from Adekunle Ajasin University, the National Open University of Nigeria, and the University of Bradford, and serves as a section editor and peer reviewer for multiple international journals covering cybersecurity, network engineering, and critical infrastructure.

He is a multiple recipient of Reviewer of the Year and Editor of the Year awards from the International Institute of Academic Research and Development. His research on cyber risk quantification and governance architecture for critical infrastructure is published by the International Institute of Academic Research and Development.
