ACG Strategic Insights

Strategic Intelligence That Drives Results

Cybersecurity Isn't IT's Problem Anymore

  • Writer: Jerry Justice
  • 2 days ago
  • 7 min read
[Image: Abstract visualization of AI-driven threat vectors converging on a corporate network — dark background, glowing nodes.]
When AI arms both sides of the fight, the perimeter is no longer the last line of defense — your board is.

There's a conversation that plays out with striking consistency: the CISO presents a technical briefing, the board nods, and the meeting moves on to revenue and strategy. Cybersecurity gets treated as infrastructure — managed a few floors below the people who make enterprise-level decisions.


That gap has become a governance liability.


Among senior executives, the fear that surfaces most consistently isn't a competitor stealing market share. It's a silent intrusion moving through their systems undetected while the board focuses elsewhere. The SHRM 2026 CEO Priorities and Perspectives Report, drawing on a survey of 116 CEOs, found that 88% expect AI-enabled attacks to intensify cybersecurity threats this year. That number isn't a vendor warning. It's the collective judgment of the executives who carry the accountability.


In most mid-market organizations, the person responsible for cybersecurity still reports to the CIO, who reports to the COO, who reports to the CEO — when the CEO gets involved at all.


That chain of command made sense in 2005. It does not make sense now.


Why Cybersecurity Belongs at the Top


The average cost of a data breach in the United States reached $10.22 million in 2025 — an all-time high, according to the IBM Cost of a Data Breach Report 2025, which analyzed 600 breached organizations across 17 industries worldwide. Globally, the figure settled at $4.44 million per incident. When the breach involves ransomware with extortion or a multi-environment cloud architecture — both increasingly common attack patterns — that global average climbs past $5 million.


Those numbers don't live in the IT department. They show up in the CFO's projections, the general counsel's exposure analysis, and the board's risk register.


The Securities and Exchange Commission made this structural reality explicit in July 2023. Public companies must now disclose material cybersecurity incidents within four business days and describe, in annual Form 10-K filings, both the board's oversight of cybersecurity risks and management's role in assessing them. The SEC didn't write those rules to the CISO. It wrote them to the board — and when regulators define cybersecurity as a governance matter, treating it as a technical function is no longer defensible. It becomes a personal liability for the directors who let it persist.


What Mid-Market Organizations Keep Getting Wrong


The most common structural failure I observe isn't a shortage of security tools. It's a shortage of strategic alignment between cyber risk and business decision-making. Boards often assume that investing in capable technical leaders means the risk is under control. That assumption is incomplete. Cybersecurity is not just about defense — it is about governance.


A pattern that appears across organizations of varying size and sector: compliance audits pass, controls are documented, policies are current — and yet when incident response readiness is examined at the leadership level, gaps emerge quickly. Decision rights are unclear. Communication protocols have never been tested under pressure. The Chair has never participated in a breach simulation. Compliance creates confidence. It does not create preparedness.


As Nassim Nicholas Taleb wrote in The Black Swan: The Impact of the Highly Improbable, "We tend to learn the precise lesson that we should not learn." A clean audit confirms that yesterday's threats were addressed. Tomorrow's are still forming.


The 2026 Benchmark Report: How Boards Are Partnering with CISOs, published by IANS, Artico Search, and The CAP Group in March 2026, found that 95% of CISOs deliver regular updates to their boards — but only 47% of directors said their CISO communicated effectively about the business impact of evolving threats. A board that knows which regulations have been met is different from one that understands what a breach would cost in disrupted operations, customer attrition, and litigation exposure. The first is checking a box. The second is governing.


When cyber risk lives below the C-suite, it competes for budget in a queue with other operational priorities. The IBM report offers a concrete counterargument: organizations that deployed AI extensively in security operations saved an average of $1.9 million per breach and shortened breach timelines by 68 days — a capital allocation decision with a measurable return.


The AI-Enabled Threat Changes the Calculus


Boards and executives were already behind on cybersecurity governance before AI entered the picture. The gap is now widening faster than most leadership teams realize.


The IBM report found AI was involved in 1 in 6 breaches studied — primarily through phishing (37%) and deepfake impersonation (35%). Darktrace's State of AI Cybersecurity 2026 found 87% of security professionals are already observing a rise in AI-driven threats. CrowdStrike reported an 89% increase in attacks by AI-enabled adversaries.


The World Economic Forum's Global Cybersecurity Outlook 2026, drawing on insights from over 800 business leaders across 90 countries, found that CEOs now rate cyber-enabled fraud as their top concern — a shift from the ransomware focus that dominated prior years.


Kevin Mandia, then-CEO of FireEye/Mandiant, said it plainly in a May 2021 Wall Street Journal interview on ransomware: "Every slap shot is coming at us, and the puck is going to get through." The question is no longer whether attackers get in — it's how fast you detect them and what they achieve before you do. Investing in detection and response capability — war-gaming, incident response rehearsals, breach simulations — is a strategic allocation, not an IT line item.


There is also the shadow AI problem — possibly the least visible exposure of all. The IBM report found that one in five breached organizations had incidents linked to shadow AI — employees using unsanctioned tools without oversight. Those incidents added an average of $670,000 to breach costs, and 63% of breached organizations lacked AI governance policies entirely. Many boards are being asked to oversee AI strategy without simultaneously owning the framework that determines whether that adoption is creating new attack vectors. AI strategy and cybersecurity strategy are the same governance conversation. Boards that have separated them are governing half the picture.


Brian Walker, CEO at The CAP Group, stated in the 2026 Benchmark Report that "AI is now a primary driver of cyber risk — both enabling more sophisticated attacks and introducing new forms of loss as AI models become high-value assets. AI and cybersecurity are inextricably linked, and boards must understand the business risks of both."


What Board-Level Cybersecurity Governance Actually Looks Like


Moving cybersecurity to the board agenda requires structural changes to how cyber risk is owned, reported, and resourced — not just another quarterly briefing.


Direct access. The CISO needs a standing channel to the board, not one mediated entirely through the CIO or COO. The NACD 2025 Board Practices and Oversight Survey found that 37% of public company directors and 40% of private company directors rated improving the board-CISO relationship as "very" or "extremely important." The gap between what boards say they want and what they've built is still wide.


Business-language reporting. Boards govern through business impact — revenue exposure, regulatory liability, operational continuity. The right questions are scenario-based: if our primary customer database is compromised today, how long to restore operations? What does our cyber insurance actually cover under a ransomware-with-extortion event? If the board hasn't defined what it needs to hear, it will keep receiving the CISO's defaults.


Explicit committee ownership. Cybersecurity needs a defined home at the board level, with a named director accountable for it. Diffuse ownership is no ownership. The SEC's 2023 rules require disclosure of any board committee with cybersecurity oversight responsibility for a reason.


Executive participation in simulations. A full cross-functional breach scenario — legal, communications, operations, and the board, under time pressure — clarifies cyber risk faster than any report. I've seen senior leaders recalibrate their understanding within the first twenty minutes.


One dimension mid-market boards consistently underweight: the supply chain. The IBM 2025 data shows supply chain compromise costs an average of $4.91 million per incident and takes 267 days to resolve — the longest of any attack vector. Third-party exposure is part of the governance perimeter now.


Culture Is the Control System Nobody Audits


Technology can reduce risk. Culture determines how it's managed every day at every level. In organizations where cybersecurity is treated as a shared leadership responsibility, behavior changes — employees report suspicious activity faster, leaders ask harder questions during vendor onboarding, and investment decisions reflect actual risk exposure. In organizations where it's someone else's problem, gaps persist invisibly, right up until they don't.


Paul Polman, former CEO of Unilever, made the point precisely in a 2018 Sustainable Brands interview: "The best chance of success is if the individual's values are aligned with the corporate values." In cybersecurity, that alignment shows up in behavior, not in policies. When the CEO treats security as a personal accountability, the organization follows.


What is the one cultural habit in your organization that currently makes you most exposed to an AI-enabled attack? That question is more important than any software update your IT team will run this week.


The Governance Gap Is a Leadership Choice


The reason cybersecurity governance has lagged behind the cybersecurity threat is not primarily a technology problem. It's a leadership problem. Boards have been content to receive compliance updates because nobody with standing at the board level made a compelling case that something more was required.


That case now makes itself. When 88% of CEOs expect AI-enabled attacks to intensify, when the average U.S. breach costs more than $10 million, and when the SEC has made board-level cyber oversight a disclosure requirement — the argument for keeping this below the C-suite is gone.


The organizations that make the shift before a crisis forces it will be positioned differently than those that make it after. The cost difference is measured in tens of millions of dollars — and in organizational credibility that, once damaged, takes years to restore.


The question is not whether cybersecurity belongs in the boardroom. The question is why it ever sat anywhere else.


Thanks for reading!


~ Jerry Justice

Living to Serve, Serving to Lead™


Elevating Cyber Risk to the Strategic Agenda


Aspirations Consulting Group works with boards and executive teams to assess cyber risk governance structures, build board-level accountability frameworks, and align cybersecurity strategy with enterprise risk management. If your leadership team is ready to move this conversation from the IT floor to the boardroom, we'd welcome a confidential consultation. Reach us at https://www.aspirations-group.com.


Join the Community That Reads Ahead of the Headlines


ACG Strategic Insights reaches more than 10 million current and aspiring executives globally, published each weekday with strategic analysis you can put to work. If you're not yet subscribed, join at https://www.aspirations-group.com/subscription.

©2026 ASPIRATIONS CONSULTING GROUP, LLC™.  ALL RIGHTS RESERVED.