As cyber attacks continue to grow in frequency and complexity, organizations are facing increasing pressure to rethink who should be responsible for protecting their systems, operations, and sensitive data. Security experts say cybersecurity is no longer simply an IT issue. Instead, it has become a business-wide responsibility that requires involvement from leadership teams, employees, and external security partners alike.
The discussion comes at a time when cyber threats are affecting organizations at an alarming scale. According to the UK Government’s Cyber Security Breaches Survey 2025/2026, 43% of businesses and 28% of charities reported experiencing cybersecurity breaches or attacks during the past year. The numbers were considerably higher among medium-sized businesses, where 65% faced incidents, and large enterprises, where the figure rose to 69%. High-income charities were also heavily targeted, with 34% reporting attacks.
Phishing continued to dominate as the most common threat. The survey found that 93% of affected businesses and 95% of impacted charities encountered phishing-related attacks. These scams often involve deceptive emails, fake websites, fraudulent login portals, or impersonation attempts designed to steal credentials and sensitive information. Other cyber threats, including malware infections and digital impersonation schemes, also remain a persistent concern for organizations.
The financial damage linked to cybercrime is equally significant. Research associated with cybersecurity company ESET estimated that cyber attacks cost UK businesses nearly £64 billion annually, highlighting the growing economic impact of digital threats.
With risks continuing to escalate, many organizations are reassessing who should oversee cybersecurity strategy and decision-making. Experts say there is no universal model, as responsibility often depends on a company’s size, structure, industry requirements, and risk exposure.
In smaller businesses, cybersecurity duties are frequently managed by IT managers or internal technology teams. However, industry specialists warn that relying solely on technical departments may create gaps between security planning and broader business objectives. As organizations expand, many experts believe cybersecurity leadership should move closer to executive management.
Durgan Cooper, director at CETSAT, emphasized that cybersecurity accountability should ultimately rest with senior leadership or board-level executives. According to Cooper, effective protection requires coordination between technical teams, company leadership, and third-party partners while ensuring that security priorities align with organizational goals.
Within larger enterprises, cybersecurity responsibilities are commonly led by Chief Information Security Officers, often working alongside Chief Information Officers and other senior executives. Spencer Summons, founder of Opliciti, stated that organizations need cybersecurity leaders capable of understanding evolving threats, communicating risks clearly to boards, and integrating security into long-term business planning. He also noted that sectors such as healthcare and finance face additional regulatory pressure that makes executive oversight even more important.
Cybersecurity professionals increasingly stress that protecting organizations cannot remain the responsibility of a single department. Matthew Riley, European Head of Information Security at Sharp Europe, recommended that businesses establish clear governance frameworks defining who is responsible for different security tasks. Many companies now rely on systems such as RACI matrices, which identify who is responsible, accountable, consulted, and informed during cybersecurity operations and incident response.
Experts caution that assigning cybersecurity entirely to IT departments may leave important
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: