Ask ten UK businesses who owns cyber risk and you’ll hear ten different answers.
IT. Compliance. Operations. “Everyone.” Sometimes: “We’re not sure.”
That uncertainty is itself a risk.
Ownership vs Activity
Most organisations are busy doing cybersecurity:
But activity is not ownership.
Ownership means:
Without that, cyber risk is unmanaged — even if spend is high.
What Insurers and Auditors Are Really Asking
When insurers or auditors ask about cyber controls, they’re not just checking boxes.
They are asking:
- Who approved this level of risk?
- Who would explain this after an incident?
- Who decided this was “good enough”?
If no one can answer confidently, the organisation is exposed - regardless of tooling.
A Simple Test
Ask yourself: “If we had a serious incident tomorrow, who would brief the board and would they be comfortable doing so?”
If that’s unclear, you’ve found your real cyber risk.