Cyber security is a board issue, not an IT issue
I hear the same thing in most boardrooms I walk into: 'our IT team handles cyber security.' That answer is part of the problem.
Ask most business owners who is responsible for cyber security in their organisation. They will point to IT. The IT support company, the IT manager, whoever handles the technical side.
That answer is understandable. Cyber security involves technical systems, so naturally it belongs with the technical people. The problem is that cyber security decisions are not purely technical. They are business decisions. And when those decisions sit entirely with IT, the board is not in the conversation.
What ISO 27001 actually says about this
ISO 27001, the most widely used information security standard, is explicit: ownership of cyber risk must sit at leadership level. Not delegated to IT. Not buried in the technical team. Formally owned by people who make business decisions.
The reasoning is straightforward. Cyber security involves trade-offs between risk and cost. It involves decisions about what data to hold, what to protect, what level of risk is acceptable. It involves questions about what you would do if something went wrong: who makes decisions, what you tell clients, what your legal obligations are.
Those are not IT questions. They are leadership questions. They cannot be answered well by people who are not in the room when business strategy is discussed.
Three things that go wrong when IT owns cyber security
When cyber security sits entirely with the IT team, the same patterns tend to appear.
The first is that it becomes invisible to the board. IT brings technical reports with metrics that nobody at the table fully understands. The board approves spending without being able to evaluate whether it is the right spending. Nobody is asking whether the organisation's overall risk exposure is actually acceptable, because nobody at board level understands it well enough to ask.
The second is that cyber risk gets traded off against other IT priorities in a way it should not be. IT teams are managing a helpdesk, keeping systems running, and handling cyber risk simultaneously. The visible urgent problems tend to win. Cyber risk is often invisible until it is not, and by then it is too late.
The third, and most serious, is that the people with authority to respond to an incident are not the people who understand the incident. When something goes wrong, there is a gap between the people who know what is happening and the people who can make decisions about it. That gap is where bad outcomes happen.
What board-level ownership actually looks like
I am not suggesting that board members need to understand how firewalls work. They do not. What I mean by board-level ownership is that there is a named person, someone with direct access to leadership, who is responsible for translating cyber risk into business language.
Someone who can tell the board: here is what the business is currently exposed to, here is what it would cost to address it, here is what we would do if something went wrong, and here is the decision I am asking you to make.
In a large organisation, that is a Chief Information Security Officer. In an SME, it is more likely to be an independent adviser, someone who carries the responsibility for cyber risk at board level without the full-time cost.
A quick test for whether cyber sits in the right place
Can your leadership team confidently answer these?
- What are the top two or three cyber risks facing the business right now?
- If we were breached today, what data would be at risk and who would need to know?
- What does our cyber insurance actually cover?
- Who makes the critical decisions in the first two hours of an incident?
- What are our reporting obligations to the ICO if customer data is involved?
If those questions get answered confidently by someone in the room, not deferred to IT, then cyber is where it belongs. If the room goes quiet, something needs to change.
Size does not change who should own this
Smaller businesses often assume board-level cyber ownership is for enterprises with complex IT environments. The data says otherwise. SMEs are frequently targeted because their defences are assumed to be weaker and their response plans are assumed to be less developed. And the financial consequences of a serious incident are often proportionally far worse for a smaller business than for a large one with the resources to absorb the damage.
The size of your business changes the scale of the risk. It does not change who should own it.
"Cyber security is not an IT problem that happens to affect the business. It is a business risk that happens to involve technology."
If you want to think through what cyber ownership looks like at your board level, I am happy to talk.

Dave Lane
Fractional IT Director
25 years working across IT infrastructure, cyber security, risk, and governance. I work with business owners and MDs as their independent IT director. No vendor commissions. No managed services to sell.