vCISO Explainer Part 6 - Why Cyber Risk Without Ownership Always Becomes a Board-Level Problem

Risk does not wait for an owner to be appointed before it starts accumulating. That is perhaps the most important thing to understand about the governance gap.
An organisation can go months, or years, with cyber risk sitting in an informal space between IT operations and senior leadership — and most of the time, nothing immediately terrible happens. The tools keep running. The MSP sends the monthly report. The certification gets renewed. Everything looks fine.
Until it isn't.
The Problem
In November 2023, a mid-sized accountancy firm in the UK experienced a ransomware incident. The attacker had been inside the network for 23 days before detection. The initial access vector was a compromised credential belonging to a junior member of the accounts team — an account that had more system permissions than it needed, because nobody had reviewed access rights in over two years.
The firm had Cyber Essentials. It had an MSP providing 24/7 monitoring. It had recently passed a GDPR compliance review. All of these things were in place and functioning.
What was not in place: any governance process for reviewing access permissions as the business grew, a risk owner at board level, or any mechanism for escalating the kind of creeping risk that 23 days of undetected presence represents.
The incident cost the firm approximately three weeks of operational disruption, notification obligations to around 400 clients, substantial professional fees for incident response and legal advice, and the loss of two significant client mandates.
The tools did not fail. The governance did.
The Consequences
ICO enforcement. The Information Commissioner's Office has the power to issue fines of up to £17.5 million or 4% of global annual turnover for serious breaches of UK GDPR. The ICO's investigation will examine what organisational measures were in place. The absence of governance is a significant aggravating factor.
Director liability. The Companies Act requires directors to act with reasonable care, skill and diligence. As cyber risk becomes an established category of material business risk, the question of whether a director exercised reasonable oversight is increasingly live.
Insurance. Cyber insurers are tightening underwriting criteria. An organisation that cannot demonstrate active governance of its cyber risk is one that insurers regard as higher risk — affecting both the availability and cost of cover, and in a worst case, the willingness to pay a claim.
Client and partner trust. For professional services firms and anyone handling client data, a significant cyber incident is a client relationship event. How an organisation responds, and whether it can demonstrate appropriate governance was in place, has a direct bearing on how clients react.
What This Is
The pattern in the accountancy firm example is not unusual. It is the default outcome of a governance gap left unaddressed. Not dramatic failure — steady accumulation of unmanaged risk, followed by an incident that makes the absence of governance visible.
The gap does not cause the incident directly. It ensures that when an incident occurs, its scope and impact are larger than they needed to be, the response is slower and more chaotic than it should be, and the subsequent scrutiny reveals a governance posture that is difficult to defend.
Why It Matters
Here is the harder truth. When an incident occurs in an organisation without cyber risk governance, the accountability does not sit with the IT team. It does not sit with the MSP. It traces back to the board — specifically to whoever should have ensured that a material risk was being actively managed.
The board may not have been aware of the gap. That is, in a sense, the point. An absence of governance means an absence of the mechanism by which the board would have known.
This is why the governance gap is ultimately a board-level problem, whether or not anyone at board level has identified it as one. When the risk materialises, the consequences will arrive at the board either way.
How We Can Help
If this article has prompted an uncomfortable recognition, that is a productive place to be. Understanding your current governance posture — where the gap is, what it would take to close it, and what that looks like in practice for an organisation your size — is exactly what a conversation with our team is designed to address.
Questions and Answers
How would we know if we have a governance gap?
Ask these questions of your leadership team. Can anyone name your organisation's three most significant cyber risk exposures? Is there a named individual accountable for the overall risk posture? Does the board receive risk-level reporting that it can interpret and act on? Have you documented what you would do in the first 24 hours of a significant incident? If any of these answers are vague or absent, you have a governance gap.
We haven't had an incident. Doesn't that mean our current approach is working?
The absence of a visible incident tells you very little about your actual risk posture. Most organisations that have experienced significant incidents were equally confident beforehand. The relevant question is not 'have we been attacked?' but 'would we know if we had been, and would we be in a position to respond effectively?'
What's the difference between an incident response plan and governance?
An incident response plan tells you what to do when something goes wrong. Governance is the ongoing function that reduces the likelihood of things going wrong and ensures that when they do, the organisation is in the best possible position to respond. An incident response plan without governance is like a fire procedure without fire prevention.
Can't we just do a risk assessment and address what it finds?
A risk assessment is a valuable input. It is not governance. Governance requires someone to own the outcomes of the assessment, implement the recommendations, track changes as the business evolves, and report regularly to the board. A one-off assessment without ongoing ownership will be out of date within months.
How quickly can a governance gap be closed?
With the right support, a basic governance framework — risk register, board reporting, ownership structure, incident response plan — can be put in place within four to eight weeks. The vCISO model is specifically designed to make this process fast and practically manageable.
Summary
Cyber risk without ownership accumulates silently and reveals itself at the worst possible moment. The consequences — regulatory, commercial, legal, reputational — always trace back to the board, whether the board was aware of the gap or not.
Henry Lawrence
Henry is the Managing Director of ITbuilder. He is also a CISM-certified professional with over 7+ years' experience leading cyber security strategy and transformation initiatives across public and private sector clients. He has a strong track record of delivering maturity assessments, cyber governance models, and Secure by Design programmes in FS, Public Sector and E&U.
