
vCISO Explainer Part 5 - SOC, MSS, Compliance — And the Governance Gap Nobody Talks About


If your organisation has a managed security service, you are in reasonable company. The majority of UK SMEs now outsource at least some element of their security operations — and for good reason. Managed services give you round-the-clock monitoring, access to expertise you could not otherwise afford, and a degree of protection against the most common threats.

This article is not arguing against any of that. Managed services do what they are designed to do, and most of them do it well.

What they do not do — and what almost nobody is explicit about — is own your risk on behalf of your board. That function is missing from most organisations. And most organisations do not know it.

 

The Problem

A Security Operations Centre — whether in-house or managed — monitors your environment for threats, investigates alerts, and responds to incidents. It is an operational function. It tells you what is happening inside your systems at a technical level.

A managed security service provides ongoing monitoring, management, and in many cases incident response, under a contractual scope. It is excellent at what it covers.

Compliance frameworks such as Cyber Essentials and ISO 27001, and regulations such as GDPR, tell you what good looks like and give you a standard against which to demonstrate that you have achieved it.

None of these things answers the question your board actually needs answered: What is our cyber risk exposure as a business? Is it at a level the board accepts? Who is responsible for ensuring it stays that way?

This is the governance gap. It sits above the operational security layer. It is not about technology. It is about accountability, visibility, and decision-making authority.

The gap is structural. Your SOC is not designed to fill it. Your MSP contract does not include it. Your compliance certification does not require it. And yet it is where your most significant cyber liability lives.

 

The Consequences

The governance gap has a specific signature. You tend to see it most clearly in organisations where the board receives a technical security report but cannot confidently articulate the organisation's risk exposure; where responsibility for escalating cyber risk is unclear; where security investment decisions are driven by what the MSP recommends rather than by a board-level assessment of risk appetite; and where, after an incident, it emerges that the right conversations were never had.

This is not a criticism of any specific provider or team. It is a structural observation. Operational security teams are not hired to govern risk at board level. They are hired to manage it operationally. The gap exists because those are two different things, and most organisations have only ever built one of them.

 

What This Is

The governance layer that sits above operational security has several components.

It requires someone who can translate technical risk into business consequence — not in a one-off report, but on an ongoing basis. It requires a reporting structure that gives the board genuine visibility of risk exposure, not just operational activity. It requires risk ownership at a level where decisions can be made: about investment, about acceptable exposure, about what the organisation would do in a worst case.

It also requires independence from the operational layer. The same team that manages your MSP relationship should not be the primary source of your board's understanding of your risk exposure.

 

Why It Matters

The gap matters most when something goes wrong. In the aftermath of an incident, the questions that arise are not operational — they are governance questions. Who knew what and when? What decisions were made? What was the board told? What oversight was in place?

If the honest answer is that cyber risk sat entirely within the IT function, with no governance structure above it, no board-level reporting, and no named owner accountable for the overall posture — then the gap becomes a liability in itself.

Regulators, insurers, and clients increasingly expect to see evidence of governance. Not just tools. Not just certification. Active, documented, board-level oversight of a material business risk.

 

How We Can Help

Understanding whether your organisation has a governance gap — and what it would take to close it — is the most direct use of a conversation with our team. Our governance readiness checklist is a practical starting point. It takes less than ten minutes and surfaces the questions your board should be able to answer.

 

Questions and Answers

Our MSP says they provide risk management as part of their service. Isn't that enough?

Managed risk services from MSPs typically cover operational risk: monitoring, patch management, vulnerability tracking. Board-level risk governance — articulating risk in business terms, owning the posture, advising the board on decisions — is a different function. Ask your MSP: are they contractually accountable for your organisation's risk posture? The answer will be informative.

What does the governance layer actually look like day-to-day?

In practice it means: regular risk reviews that assess exposure against business context, not just technical metrics; board-level reporting in accessible language with clear recommendations; risk ownership that someone is accountable for; and an escalation process that ensures significant risks reach the right people. It is a management function, not a technical one.

We have a CTO. Doesn't that role cover this?

A CTO is typically responsible for technology strategy and delivery. Cyber risk governance requires a different focus: risk ownership, board reporting, regulatory awareness, and accountability for the security posture independent of delivery pressures. In practice, combining these in one role creates conflicts of interest and gaps in coverage.

How big does an organisation need to be before the governance gap matters?

There is no size threshold. The gap matters whenever cyber risk is material to the organisation — and for most businesses with client data, regulated activity, or operational dependence on IT, it is material regardless of headcount.

Does having cyber insurance close the governance gap?

Cyber insurance transfers some financial risk. It does not manage the underlying risk. Increasingly, insurers are requiring evidence of governance as a condition of cover or as a factor in premium calculation. Insurance is complementary to governance, not a substitute for it.

Summary

Your managed security service, your SOC, and your compliance certifications are all valuable. They form the operational layer of your security programme. What most organisations are missing is the governance layer above it. That gap is structural — it will not be filled by improving your tools or renewing your certification.



Henry Lawrence

Henry is the Managing Director of ITbuilder. He is also a CISM professional with over seven years' experience leading cyber security strategy and transformation initiatives across public and private sector clients. He has a strong track record of delivering maturity assessments, cyber governance models, and Secure by Design programmes in FS, Public Sector and E&U.

