Ask five people in your organisation who owns cyber risk, and you’ll likely get five different answers. The CISO will say it’s theirs. The CIO will say it sits with IT. The operations director will say it’s a technology problem. The CFO will say they fund it but don’t own it. And the CEO will say the board takes it seriously, without quite being able to explain what that means in practice.
This ambiguity isn’t a minor governance issue. It’s one of the most common reasons organisations fail to respond effectively when a cyber incident hits. Not because they lack tools or budgets, but because nobody was entirely clear who was responsible for what, until it was too late to figure it out calmly.
The ownership gap is getting harder to ignore
The data paints a stark picture. According to the UK Government’s Cyber Security Breaches Survey 2025/2026, 72% of UK businesses say cyber security is a high priority for senior management. Yet only 31% have a board member who takes explicit responsibility for it. That gap, between saying it matters and someone actually owning it, is where risk quietly accumulates.
And while that 31% figure is an improvement on the previous year’s 27%, it’s worth remembering that in 2021, the figure was 38%. The trend over the last five years has been one of declining board-level ownership, even as cyber threats have intensified. The Corporate Governance Institute found that 30% of boards in the UK and Ireland rank cyber security as a top business risk, a figure that has remained flat for five consecutive years. Cyber risk has been recognised at senior level without being governed any more tightly.
Meanwhile, 43% of UK businesses reported a cyber breach or attack in the past year, rising to 67% of medium-sized and 74% of large businesses. And only 25% have a formal incident response plan. That means the majority of organisations that experienced a breach were forced to improvise their response on the day.
Why the confusion exists
Cyber risk doesn’t sit neatly within a single function. It spans IT infrastructure, operational technology, supply chains, people, processes, and third-party relationships. In most organisations, no single person or team has line of sight across all of these domains. The result is a patchwork of partial ownership.
IT teams typically own the tools: the firewalls, the SIEM platform, the endpoint protection. Security teams own the policies and frameworks. Operations teams own the processes and production environments. Finance owns the budget. And the board owns the strategic risk register, in theory.
The problem is that between these functions, gaps emerge. Who owns the risk of a third-party vendor with weak security practices? Who is accountable when a legacy OT system can’t be patched but sits on the same network as the corporate IT environment? Who’s responsible for dealing with an incident at 2am on a Sunday? These are the questions that don’t have clear answers in most organisations, and they’re exactly the questions that surface during a real incident.
The IT and OT divide makes it worse
In manufacturing and industrial environments, the ownership question is even more complex. Operational technology, the systems that run production lines, manage utilities, and control physical processes, was historically managed entirely separately from IT. Different teams, different priorities, different risk tolerances.
But those boundaries have blurred. IT and OT networks are increasingly connected, often in ways that neither team fully understands or controls. A vulnerability in the corporate IT environment can become a pathway into OT systems, and vice versa. When something goes wrong, the question of who is responsible for the gap between these two worlds often goes unanswered.
“The question isn’t whether your organisation has cyber risk. It’s whether anyone can tell you, right now, exactly who is responsible for managing it.”
This is a challenge our exposure management tools frequently uncover: risks that sit in the no-man’s-land between IT and OT, visible to attackers from the outside but invisible internally because nobody considers them their domain. If this resonates, it’s worth knowing that we’ve built a specific assessment for exactly this situation. Our Industrial Threat Insight Report is a free, OT-focused cyber risk assessment designed for manufacturing and industrial organisations. It combines an external threat intelligence view, showing how your organisation appears to attackers, with a NIST CSF 2.0 aligned review of key IT and OT security controls. The result is a clear, joined-up picture of where exposure exists across both environments and who needs to act on it.
What good ownership actually looks like
Effective cyber risk ownership doesn’t mean one person carries the burden alone. It means the organisation has clear, documented accountability at every level, from the board down to individual teams, and that those lines of accountability are tested, not just written down.
The UK Government’s Cyber Governance Code of Practice, launched in 2025, sets out a practical framework for exactly this. It calls for boards to treat cyber risk as a strategic governance issue, not a technical one, and establishes five core principles: risk management, strategy, people, incident planning, and assurance and oversight. At its heart is the principle that the board must be able to demonstrate that it understands, monitors, and actively governs cyber risk.
Frameworks like NIST CSF 2.0 provide a practical structure for turning that principle into action. But the challenge for many industrial organisations isn’t knowing that frameworks exist; it’s understanding where the real gaps are in their own environment, particularly at the intersection of IT and OT. That’s where assessment matters more than theory. Understanding your governance maturity, your asset visibility, your identity controls, and your detection readiness across both IT and OT environments is the starting point for assigning meaningful ownership, because you can’t own what you can’t see.
The incident is where ownership is truly tested
Governance structures matter most when they’re under pressure. During a cyber incident, clear ownership determines how quickly decisions are made, how effectively resources are mobilised, and how confidently the organisation communicates, internally and externally. The Breaches Survey found that while 81% of businesses informed directors following a breach, only 40% reported their most disruptive breach externally. And only 25% had a formal incident response plan in place.
Without clear ownership, the response defaults to whoever happens to be available, capable, and willing to step up. That might work once. It won’t work reliably. And it certainly won’t satisfy regulators, auditors, or insurers who are increasingly asking not just whether you responded, but whether your response was planned, documented, and governed. Our guide to what operational resilience really means explores this in more depth, including how to move beyond reactive plans to a genuinely resilient operating model.
Three questions every board should be able to answer
1. Who is accountable for cyber risk at board level, and what does that accountability include? Not just a named individual, but a clear scope: do they oversee strategy, budget allocation, incident response decisions, and regulatory reporting? Or do they receive a quarterly update and nod?
2. Where are the gaps in ownership between functions? The most dangerous risks live in the spaces between IT, OT, operations, and third parties. Mapping these intersections is where real security gaps get identified and where ownership needs to be explicitly assigned.
3. If a significant incident happened tonight, who would make the critical decisions, and are they prepared? Incident response isn’t just a technical function. It involves legal, communications, regulatory, commercial, and executive decision-making. If those roles aren’t assigned and rehearsed, the response will be slower, messier, and more damaging than it needs to be.
Clarity now, confidence later
Cyber risk ownership isn’t a question that can be deferred until something goes wrong. The organisations that recover fastest and suffer least are the ones that settled the ownership question long before the incident arrived. They know who decides, who acts, who communicates, and who reports, because they planned it, documented it, and tested it.
At Celerity, we help organisations build this clarity. From cyber security assessments that identify gaps in governance and controls, to managed detection and response services that ensure threats are identified and acted on around the clock, we work across the full spectrum of cyber resilience, so that when the question of ownership is tested, your organisation is ready.
Not sure where your governance gaps are?
Our Expert Cyber Security Consultancy service helps organisations assess their security posture, clarify accountability, and build a prioritised roadmap to close the gaps that matter most, aligned to NIST CSF 2.0 and the UK Cyber Governance Code of Practice.
Explore Security Consultancy