Cyber security strategy must be a board-level issue