Cybersecurity Isn't an IT Problem. It's a Leadership Failure.

Aiden Arnkels-Webb
I’m a cybersecurity lead and fractional CISO/CTO helping professional services firms build secure, scalable infrastructure. I share practical solutions and strategic insights on this site—all free, no gatekeeping. For done-with-you or done-for-you implementation, I work with firms through Rootwire.

Most breaches don’t start with a genius hacker in a dark room. They start with a leadership team that decided cybersecurity wasn’t their problem.

I’ve seen it dozens of times. A 40-person accountancy firm gets hit with ransomware. Client data gets encrypted. Three days of chaos and months of fallout. When the dust settles, the partners want to know what went wrong.

The IT provider gets called in and fingers get pointed. But here’s what actually happened: No-one had allocated budget for security improvements. No-one had made a decision about what level of risk was acceptable.

The technology didn’t fail. Leadership did.

The Delegation Trap

Here’s the pattern I see constantly in professional service firms.

The partners know cybersecurity matters. They’ve read the headlines. They’ve probably had the insurance company ask awkward questions. So they do what feels sensible: they hand it to whoever handles the computers.

“We’ve got an IT person. They’ve got it covered.”

This…feels reasonable. You delegate finance to your accountant. You delegate legal to your solicitor. Why not delegate cyber to IT?…

Because cybersecurity isn’t a technical function. It’s a risk management function.

Your IT team can install firewalls and configure email filtering. What they can’t do, without your input, is decide how much risk is acceptable. They can’t decide what data matters most. They can’t allocate budget they don’t control. They can’t create a culture where people report suspicious emails instead of ignoring them.

Those are leadership decisions. And when no-one makes them, you get insecurity by accident.

This Isn’t About Technology

Think about how you handle financial risk.

You don’t personally calculate the VAT returns. But you make decisions about cash reserves. You review management accounts. You ask questions when the numbers look wrong. You’ve probably got a qualified accountant or Financial Director giving you advice, but you own the decisions.

Now think of how you handle cyber risk.

If your answer is “I trust my IT person”, you’ve just described a gap in your governance.

The decisions that actually prevent breaches aren’t technical. They’re strategic:

  • What data do we hold, and what would happen if it leaked?
  • What’s our tolerance for downtime? A day? A week?
  • Where are we going to invest, and where are we going to accept risk?
  • Who’s accountable when something goes wrong?

These aren’t questions your IT team can answer for you. They’re questions only leadership can answer.

What Leadership Failure Actually Looks Like

It’s rarely dramatic. It’s usually quiet.

No budget line for security improvements, so nothing gets improved. No policy on acceptable use, so staff make their own judgements. No regular review of risks, so problems accumulate unseen. No questions asked, so the IT provider assumes everything is fine.

And then something breaks.

Here’s what I tell business owners: Your IT person probably agrees with me.

Most competent IT professionals know what should be done. They’ve probably even suggested it. But without leadership backing, without budget, without authority, without someone at the top saying “this matters”, suggestions stay suggestions.

The breach doesn’t happen because IT didn’t know better. It happens because no-one with authority made a decision.

What Good Looks Like

You don’t need to become a technical expert. You really don’t.

You need to treat cyber risk the way you treat other business risks: with informed advisors, clear accountability, and decisions made at the right level.

Here’s the test. Can you answer these three questions?

  1. What are the top three cyber risks facing your firm right now?
  2. What would happen to your business if client data was leaked or encrypted tomorrow?
  3. Who’s accountable for managing cyber risk, and when did you last review it with them?

If you can’t answer confidently, you’ve identified your gap. That’s not a criticism. That’s information you can act on.

The goal isn’t perfection, it’s appropriate oversight. The same oversight you’d apply to your finances, your legal compliance, your professional indemnity.

Cybersecurity becomes manageable when you stop treating it as a technical mystery and start treating it as a business risk that needs leadership attention.

The Real Question

Most business owners ask: “Is our IT secure?”

That’s the wrong question.

It assumes security is binary, something you either have or don’t. It puts the focus on technology, and it creates the illusion that someone else can answer it for you.

The better question is “Am I managing this risk appropriately?”

That question puts responsibility where it belongs. It acknowledges that risk can be managed but never eliminated. And it opens up a conversation about priorities, trade-offs, and what “good enough” actually looks like for your firm.

If you’re not sure how to answer that question, you’re not alone. Most business owners aren’t, because no-one’s ever framed it for them this way.

That’s the conversation worth having.