Barefoot Insight: Why Cyber Security is a Leadership Responsibility, Not an IT Task
- Heather Poulos
- May 12
- 2 min read

In many organisations, there is a comfortable, yet dangerous, assumption: that cybersecurity is a "technical" problem. When a leader hears the word "firewall" or "encryption," they often mentally outsource the entire topic to the IT department.
The logic seems sound: IT manages the computers, security lives on the computers, therefore IT owns security. However, this perspective creates a fundamental disconnect between those who manage the technology and those who own the business risk.
It is worth asking a simple question: if a cyber incident halts your operations for a week, is that a failure of a server, or a failure of the business to function?
1. The Distinction Between Implementation and Governance
The real issue is not that IT teams are incapable; it is that they are being asked to make business-risk decisions without a business-risk mandate. IT is responsible for implementation, the "how" of security. Leadership is responsible for governance, the "how much" and "why".
In mature environments, the board defines the appetite for risk, and the IT team builds the systems to match that appetite. When leadership abdicates this, IT is left to guess what the business values most.
2. Cyber Security Decisions are Resource Decisions
Every security control involves a trade-off between protection, cost, and usability. If you ask an IT team to "make us secure," they are forced to make choices about your company’s productivity and budget in a vacuum.
A healthy approach looks like a partnership where leaders provide the context of what must be protected at all costs, and IT provides the technical roadmap to achieve it.
3. Resilience Over Technical Controls
This is often misunderstood: you cannot buy your way out of a leadership challenge with a new tool. True resilience - the ability to hold up under pressure - is cultural and operational. It involves how you train your people, how you handle data, and how you respond when things go wrong. These are not IT settings; they are organisational habits that must be led from the top down.
Leader Takeaway:
Cybersecurity is a business function, not a technical project. To move away from the "IT problem" mindset, stop asking your technical teams, "Are we secure?" and start asking, "Does our security posture align with our business goals, and do I understand the risks we have chosen to accept?"
Clarity begins when leadership takes ownership of the risk, allowing the IT team to focus on the excellence of the execution.