vCISO Explainer Part 4 - Who Actually Owns Cyber Risk in Your Organisation?

Here is a question worth pausing on.
If your organisation suffered a significant cyber incident tomorrow — data exfiltrated, systems encrypted, a supplier compromised — who would you call first? Not the IT helpdesk. Not the person who handles the software licences. Who is accountable for the risk that has just materialised?
Take more than three seconds to answer and you probably have your answer.
The Problem
In most organisations under 500 employees, cyber risk has an informal owner at best. It tends to live somewhere in the IT function — managed day-to-day by whoever runs the infrastructure, outsourced in part to an MSP, and occasionally surfaced to leadership when something notable happens.
This is not negligence. It is the natural result of how security responsibility has evolved: as a technical problem to be solved by technical people. For a long time, that was a reasonable model.
It is not a reasonable model anymore.
Cyber risk is now a business risk. It carries regulatory consequence under GDPR, potential liability under the Companies Act, financial exposure through operational disruption and insurance complexity, and reputational risk that can affect client retention and new business. None of those consequences land on your IT team. They land on the board.
And yet in most organisations, the board has no formally appointed owner for this risk. There is no equivalent of the Finance Director for financial risk or the HR Director for people risk. Cyber risk — one of the most significant operational risks most businesses carry — sits in an informal space between 'IT's problem' and 'everyone's problem,' which in practice means it is nobody's problem.
The Consequences
Unowned risk is unmanaged risk. That is not an abstract principle.
When a risk has no owner, nobody is asking the uncomfortable questions: Has this risk changed as the business has grown? Are the controls we put in place three years ago still fit for purpose? If this risk materialised, what would the impact actually be? What do we need to decide as a board to keep this at an acceptable level?
The consequences of that silence are predictable. Risks grow without being tracked. Gaps in coverage go unnoticed. Incidents that could have been prevented with better oversight go undetected until they have already caused harm.
There is also a regulatory dimension. The ICO, when investigating a data breach, does not just look at what happened technically. It looks at what organisational measures were in place. Who was responsible for data protection? What governance existed? What decisions were made — and by whom — about how personal data was protected? If the answer to 'who owned this?' is a shrug, that becomes part of the finding.
What This Is
Ownership of cyber risk does not mean the board member responsible needs to be a technologist. It means there is a named individual, ideally at director level or equivalent, whose role includes five things. Ensuring that the organisation's risk exposure is understood and reported to the board in accessible language. Ensuring that the security controls in place are proportionate to that exposure and are regularly reviewed. Ensuring that there is a clear escalation path when something goes wrong. Ensuring that regulatory obligations are being actively managed. And ensuring that the board has enough information to make informed decisions about cyber risk.
In larger organisations, this is the Chief Information Security Officer. In most SMEs, a full-time CISO is neither necessary nor affordable. But the function — the risk ownership, the governance, the board-level reporting — is necessary regardless of headcount.
Why It Matters
This is the question that sits behind every other question in this series. The visibility problem in Article 1, the tools gap in Article 2, the limitations of certification in Article 3 — all of these trace back to the same root: nobody owns the risk with the seriousness and accountability that the business consequence demands.
The good news is that this is a solvable problem. Many organisations at SME scale have resolved it not by hiring a full-time CISO, but by appointing a virtual one — a senior security professional who provides the governance function on a fractional basis, embedded into the business with the accountability and board access the role requires.
How We Can Help
The most useful next step if you have read this far is to have an honest conversation about who in your organisation owns cyber risk right now — and whether that arrangement is adequate given your current exposure.
Questions and Answers
Can't our IT Manager own cyber risk?
Your IT Manager can own operational cyber security — the day-to-day management of controls, the relationship with the MSP, the incident response process. What they cannot own structurally is the governance function. They report upward into the business. They do not govern it. Cyber risk ownership at the level this article describes requires someone who sits alongside the leadership team and has the authority to escalate, challenge, and advise the board.
What about the Data Protection Officer — don't they cover this?
A DPO is responsible for ensuring the organisation complies with data protection law. Their remit is narrower than cyber risk governance: it covers personal data handling, subject rights, breach notification, and GDPR compliance. Many DPOs are not security specialists. A DPO and a vCISO are complementary, not interchangeable.
Isn't this the CEO's responsibility by default?
The CEO is ultimately accountable for everything, including cyber risk. But accountability is not the same as ownership. Ownership requires active engagement: understanding the risk, receiving reports, making decisions, and ensuring controls are adequate. A CEO who is also the de facto cyber risk owner — with no dedicated governance function — is a CEO with a significant blind spot.
How do we appoint a cyber risk owner without hiring a full-time CISO?
That is exactly what the virtual CISO model is designed to address. Articles 8 and 9 in this series cover this in detail.
What questions should a board-level cyber risk owner be able to answer?
At minimum: What are our three most significant cyber risk exposures right now? What is the business impact of each if they materialise? What controls are in place and are they adequate? What would we do in the first 24 hours if the worst happened? Have we tested that? If your leadership team cannot answer these questions, the ownership function is not working.
Summary
Cyber risk without a named, accountable owner is cyber risk that is being managed by nobody. In most SMEs, that is the situation — not because of negligence, but because the governance function has not kept pace with the risk environment.
Henry Lawrence
Henry is the Managing Director of ITbuilder. He is also a CISM-certified professional with over seven years' experience leading cyber security strategy and transformation initiatives across public and private sector clients. He has a strong track record of delivering maturity assessments, cyber governance models, and Secure by Design programmes in financial services, the public sector, and energy and utilities.
