Cybersecurity needs a leader, so let’s stop debating and start deciding
Have you ever heard anyone earnestly ask in a business, “Who owns legal?” or “Who sets the financial strategy?” Probably not – it should be obvious, right? Yet, when it comes to cybersecurity, the question of ownership still seems to spark endless debates.
That might have been understandable back in the 1990s when key security roles like the CISO were still being ironed out. But these days, it should be a serious red flag.
Security has long since ceased to be a niche technical concern – it’s a fundamental business function. That’s why it’s frustrating to still see organizations treating it as a novel idea or an afterthought, wedging it somewhere between IT and compliance with no clear leader or direction.
In the face of increasingly aggressive and organized threat actors, the time for debate is over. Cybersecurity needs a clearly defined leader who has the power to lead. Anything less is doomed to failure.
Who should be in charge?
Put a dozen different business leaders in a room and ask who heads up their security, and you might get just as many answers. The CISO seems like the most obvious answer, but it could just as easily be the CIO, head of IT, or many other variations on a theme.
The actual title doesn’t matter. What matters is that they’re the most qualified person in the business. In most cases that will be the CISO, but many companies – especially smaller organizations – don’t have one.
In that case, security ownership must roll upwards. Someone – the COO, CFO, or even the CEO – must be explicitly accountable. The excuse of “we don’t have a dedicated security leader” doesn’t fly. Many businesses set a financial strategy without a CFO, with someone else heading up finance, so they can undoubtedly set a security strategy without a CISO.
But the real issue isn’t just finding the right person; it’s ensuring they have the authority, resources, and business-wide support to execute effectively. Even the savviest CISO without backing is just a figurehead, and security by committee is a recipe for disaster.
Unless cyber leaders are granted the same level of authority and accountability as those who own legal or financial strategy, businesses will continue to leave themselves exposed. Internal indecision is a gift for cybercriminals on the prowl for a vulnerable target.
Why security can’t operate in a silo
We’ve all spent many years arguing that cybersecurity is a business issue rather than an IT problem. Yet, too often, security is still treated as an isolated function, left to operate in a vacuum. That’s a critical mistake. If security leaders don’t have a seat at the table, they can’t meaningfully shape the broader business strategy.
Securing the company is a team effort. Just as the CFO doesn’t “own” financial success in isolation, the CISO (or whoever is leading security) shouldn’t be left to fight the battle alone.
Although there should be a clearly defined security leader, the C-Suite must take joint ownership in ensuring that security is embedded into every aspect of the organization.
Security strategy must be top-down, not bottom-up. If leadership doesn’t drive it, no amount of technical controls will save the business. Security policies – whether enforcing MFA or setting data governance rules – shouldn’t be framed as IT mandates. They are business decisions, and they must be treated as such.
Governance is the backbone of a strong security strategy
A big part of establishing cyber as a team effort is backing it up with proper governance. However, cybersecurity is often approached as a vague aspiration rather than as a structured, accountable function. A strategy without governance is little more than a wish list.
Without clear governance, security efforts easily become reactive, disjointed, and prone to being overruled by whoever shouts the loudest in the boardroom.
Governance ensures that cybersecurity is an enforceable business priority rather than a checkbox exercise. This means setting clear policies, defining risk tolerance and, most importantly, ensuring that security decisions are made based on actual business needs, not internal politics.
Further, governance isn’t just about top-down mandates. It’s a two-way street: the board sets the direction, but feedback from security teams and operational staff refines it. A governance framework that exists only on paper without input from the reality of the business is just as dangerous as having none.
Keeping cybersecurity aligned with broader business objectives requires the major stakeholders to be in regular communication. How often depends on the company’s size and structure, so each business will need to work out a balance. Major investments and changes should go through a Change Advisory Board (CAB) process so that their impact on the business, and on its security posture, is assessed before they go ahead.
Outsourcing: Solution or shortcut?
It’s worth noting that for many businesses, security isn’t handled internally but is an outsourced function. This is usually the province of smaller firms that lack the resources to recruit and retain a dedicated cyber head, but it can be the case with larger businesses, too.
I’ve been on both sides of the fence at different points in my career, both working as a consultant myself and managing an external supplier.
One important lesson is that it doesn’t work when an enterprise just throws it over the wall to a bunch of consultants and says, “Build us a cybersecurity strategy”. Without proper input and direction, the result probably won’t fit your company.
Many years ago, I was at a company, and we outsourced business continuity planning to a large supplier. They produced a meticulous, beautifully crafted 200-page plan… that didn’t work for our business at all. We rewrote it and eventually got it down to a lean 15 pages that was closely shaped to our needs.
On the other hand, working as a consultant I’ve helped create some excellent frameworks where the company is doing most of the work – I’m just there providing a framework and asking the right questions to get them thinking about it the right way.
I’d also strongly advise that, if you’re not willing to stay engaged, don’t outsource at all. Security is not a one-time deliverable. The continuous oversight and accountability required cannot be fully outsourced.
A little less conversation, a little more action
No business would expect to succeed without clear legal or financial leadership, so why is security any different? The endless debate over cybersecurity ownership needs to end.
Determine who is in charge, give them the authority to lead, and ensure they have full business support to do what they need to for a secure organization.
Stop debating, start deciding, and give cybersecurity the leadership it deserves.