Regulators, insurers, and shareholders increasingly view cyber security as a governance responsibility, not just a technical issue. Yet the reality for most organisations is very different from that of large enterprises. There may be an IT manager, perhaps a small technology team, and a set of operational leaders who each carry some degree of cyber risk accountability within their role. What often does not exist is a dedicated Chief Information Security Officer (CISO) or risk function to bring those pieces together. This is a pattern my team and I are seeing more frequently across the mid-market. If that sounds familiar, you are not alone.
In conversations with leadership teams across Australia, one theme that continues to emerge is the challenge of managing cyber security at executive level. The Australian Cyber Security Centre reports that a cybercrime is reported roughly every six minutes in Australia, with small and mid-sized organisations representing a significant proportion of victims [1]. At the same time, many boards are placing cyber security higher on their enterprise risk agenda. Research from organisations such as McKinsey and Gartner consistently shows that boards increasingly view cyber security as one of the top enterprise risks, yet many companies still lack the internal capability to manage it effectively [2][3].
From our work with mid-market organisations, this growing gap between responsibility and capability is where many organisations now find themselves. Cyber risk is recognised at leadership level, but the structure, visibility and dedicated ownership required to manage it effectively are still evolving.
Working with mid-market organisations, we often see a clear contrast between the way large enterprises manage cyber risk and the reality facing smaller teams. Large enterprises typically have structured risk management frameworks, security operations centres (in-house or partnered), and dedicated leadership roles such as a CISO, all of which many smaller organisations lack.
Instead, cyber risk is often distributed across roles such as:
- IT managers responsible for infrastructure and operations
- CFOs or COOs overseeing governance and compliance
- Executive teams responsible for overall organisational risk
Each of these leaders may have visibility into part of the cyber security environment, but not always a consolidated view across risk, controls and accountability.
This creates a number of common challenges:
- No single owner of cyber risk: Responsibility is shared, but clear accountability is not always defined.
- Limited visibility for leadership: Executives may receive technical updates but lack a consolidated view of overall risk exposure.
- Reactive rather than proactive investment: Security spending is often triggered by events such as cyber attacks, data breaches, audit findings, vendor and external pressure, or emerging compliance requirements.
- Difficulty translating technology into business risk: Technical controls may exist, but the organisation can still struggle to understand what they mean in terms of operational, financial or reputational exposure. This is becoming increasingly important as AI adoption, data governance, and emerging technologies introduce new layers of risk.
Industry research from Gartner highlights a growing need for organisations to strengthen the connection between security operations and executive risk governance as technology environments become more complex [3].
Technology teams often focus on tools and protection mechanisms, while executives require a clear understanding of risk, priority and accountability to make informed decisions. As cyber risk becomes more embedded in broader technology and business strategy, this disconnect can make it difficult to align investment with actual exposure.
Without a structured approach, organisations can find themselves oscillating between underinvestment and overreaction.
One of the most important shifts in cyber security over the past decade is the move from a purely technical conversation to a governance conversation.
In discussions with executive teams, we are increasingly seeing cyber risk treated alongside financial, operational and legal risk. Boards are expected to demonstrate that cyber risk is being actively managed. Insurance providers are raising their expectations around controls and governance. Regulators are strengthening reporting and accountability requirements.
In practical terms, this means that cyber security needs to be treated in the same way organisations approach financial, operational, or legal risk. It needs structure, visibility, and clear ownership.
However, building a full internal security function is expensive. Hiring a CISO, establishing governance frameworks, and maintaining security operations can easily run into hundreds of thousands of dollars per year. For many mid-market organisations, that investment simply does not make sense at their current scale.
The challenge therefore becomes how to introduce discipline and maturity without building an entire security department.
For most mid-market organisations, the starting point is not technology. It is understanding.
Before organisations invest in tools, platforms, or managed services, they need to answer a few basic questions:
- What is our current cyber risk posture?
- Where are our most significant vulnerabilities?
- What regulatory or governance obligations apply to us?
- What level of maturity is appropriate for our size and industry?
This is where cyber maturity assessments play an important role. A structured assessment provides a clear, fact-based view of an organisation's security posture across areas such as identity, endpoint protection, data governance, monitoring, and response capability. It also translates technical findings into executive-level insight around risk, priority and remediation pathways.
Rather than reacting to the latest cyber threat headline, organisations undertaking a cyber maturity assessment can make more informed and deliberate decisions about where to focus effort and investment.
From there, a maturity roadmap can be developed that aligns security improvements with business priorities.
Alongside governance and leadership, many organisations choose to augment their internal security capability by outsourcing certain elements of operational security.
Managed security services provide ongoing monitoring, protection, and reporting across areas such as endpoint protection, email security, identity controls, and threat detection.
Importantly, when designed properly, these services are not simply a collection of disconnected tools. They provide an operational layer that ensures controls are monitored, alerts are triaged, and incidents are responded to consistently.
This helps to create greater visibility for leadership and may reduce reliance on reactive decision making. The combination of effective governance, advisory support, and operational security services helps to create a practical pathway for organisations to improve their cyber maturity without needing to build a full internal cybersecurity function.
Cyber security often feels complex because the industry tends to lead with tools, acronyms, and technical frameworks.
For most organisations, the goal should be far simpler.
Executives should be able to answer three questions with confidence:
- What is our current cyber risk posture?
- Are we improving over time?
- Do we have the right controls and oversight in place for our size and industry?
Organisations that can answer these questions clearly and positively are already in a stronger position than many of their peers.
For many mid-market organisations, the cyber risk challenge is rarely awareness. It is establishing structure, ownership and visibility.
By introducing simple governance, structured assessments, and the appropriate mix of advisory and managed security capability, organisations can gain greater clarity over their cyber risk environment, moving from reactive responses to more deliberate and accountable risk management.
And in an environment where cyber risk is now firmly on the agenda of boards and regulators alike, that clarity is becoming not just valuable, but essential.
[1] Australian Cyber Security Centre. (2024). Annual Cyber Threat Report 2023–2024. Available at: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2023-2024
[2] McKinsey & Company. (2024). Cybersecurity trends: Looking over the horizon. Available at: https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity-trends-looking-over-the-horizon
[3] Gartner. (2025). Top Technology Trends for 2026. Available at: https://www.gartner.com/en/articles/top-technology-trends-2026