Cyber is a Boardroom issue now: Alumna Maya Bundt on Governing Risk in an uncertain World
BCG Alumna Maya Bundt (BCG Consultant, 2000 – 2003) has spent much of her career looking at risks before they became obvious to everyone else.
After BCG and Swiss Re, she now works across boards and cyber governance—a field where technical detail meets commercial reality. In this interview, she explains why cyber can no longer sit in the IT corner, what boards need to ask when information is incomplete, and why the ability to bring structure to ambiguity remains one of the most valuable lessons from her years at BCG.

Your career has taken you from BCG to Swiss Re and now to several board and cyber governance roles. Looking back, which professional decision shaped your path the most?
There was no single decision. Looking back, I can identify three that shaped my path most. The first was joining BCG after getting a doctorate in natural sciences. That move was my entry into the economic world, and it gave me a way of structuring problems that I still rely on today. The second was committing early to cyber insurance and staying with the cyber topic even when it was not yet on anyone’s agenda. That was not always easy, but persistence made the difference. The third decision was the deliberate shift from an operational career to a portfolio of board, advisory, and governance roles. Each of those decisions felt right at the time, and looking back, I would make them all again.
Cyber risk is often still treated as a technology topic. From your board perspective, what should senior leaders pay more attention to?
My starting point is simple: Without cybersecurity, there is no business. Cyber risk affects operations, yes, but it also determines whether you can even execute your strategy. The trust of customers, partners, and investors is not a soft concept, but a commercial necessity, and depends directly on how well an organization manages its cyber exposure. That’s why treating cyber as an IT topic is simply wrong. It’s a strategic topic. It’s an enterprise risk topic. It belongs in the same conversation as capital allocation, M&A, and long-term competitiveness. Too often, cyber ends up siloed in technology teams with insufficient oversight at board level. That’s not governance. That’s delegation without oversight.
You work across boards, business, and national cyber strategy. What does good governance look like when risks are moving fast and there’s no perfect information?
When risk is moving fast, good governance becomes more important, not less. The absence of perfect information is not a reason to defer. These are exactly the conditions in which clear structures matter most. For boards specifically, the starting questions are quite straightforward: Where is cyber risk discussed—in the full board or in a committee? How often, and for how long? Who presents, and with what mandate? These decisions shape everything that follows. The most critical question, however, is what information the board actually needs from management and security leadership to do its job. Boards need to define the data points that allow them to assess whether risks are being managed within appetite and the cyber risk strategy is aligned with the business strategy. Getting that information architecture right is the foundation of effective board-level cyber governance.
What from your BCG years still shapes the way you approach strategy, risk, and leadership today?
What has stayed with me most is how to approach complex strategic questions. In many organizations, people freeze in front of the full scope of a problem. With a mountain of information, competing priorities, and an unclear starting point, it’s easy to get paralyzed before doing anything at all. What BCG taught me is that you have to start somewhere. You structure what you know, you identify what you don’t, and you work your way through it methodically, adjusting as you go. That discipline has served me in every role I’ve held since—from leading large teams in reinsurance to sitting on boards where the problems are equally complex, but the time available to analyze them is far shorter. The instinct to impose structure on ambiguity, rather than wait for clarity that may never come, is probably the most transferable skill I took from those years at BCG.
What advice would you give current BCGers or alumni who are interested in moving into senior leadership or board roles?
Moving into board roles was a long-term goal, and I prepared for it carefully, taking deliberate steps over time rather than one big leap. I was also fortunate to be able to test in practice whether that kind of work would suit me. That matters more than people realize. I’ve seen friends and colleagues pursue board roles, only to return to operational positions because they still needed the energy and satisfaction of being directly responsible for outcomes. Board work is fundamentally different, and not everyone thrives in that environment. I do. I find the work engaging, and I value the independence that comes with it. My advice to anyone considering this path is to approach it the way you would any serious career move: Understand what you are getting into, prepare yourself well, close the gaps in what you need to know, and then go for it.
© 2026 Boston Consulting Group | Terms Of Use | Privacy Policy | Legal Disclosure | Imprint