Ask five people in your organisation who owns cyber risk, and you’ll likely get five different answers. The CISO will say it’s theirs. The CIO will say it sits with IT. The operations director will say it’s a technology problem. The CFO will say they fund it but don’t own it. And the CEO will say the board takes it seriously, without quite being able to explain what that means in practice.
This ambiguity isn’t a minor governance issue. It’s one of the most common reasons organisations fail to respond effectively when a cyber incident hits. Not because they lack tools or budgets, but because nobody was entirely clear who was responsible for what, until it was too late to figure it out calmly.