Infosecurity

More Boards Are Interested in Cybersecurity, but Is Security Still an IT Department Job?

Cybersecurity is increasingly landing on the boardroom agenda. According to the latest Cyber Governance Health Check, 33% of boards have now clearly defined their appetite for cyber-risk, an 18% increase since 2014. However, this board-level interest in cybersecurity doesn’t always translate into consistent oversight. On average, only 54% of boards discuss cybersecurity twice a year, or only after a breach occurs. This raises a pressing question: is security still just a job for IT?

The Growing Gap Between Board Interest and Action

While large enterprises dominate headlines after major data breaches, small and medium-sized enterprises (SMEs) are far from safe. The latest Government Security Breaches Survey reveals that 74% of SMEs experienced a security breach in the past year. Cyber-criminals are specifically targeting smaller businesses, viewing them as easier prey.

Encouragingly, more directors and senior leaders are registering for workshops focused on SME vulnerabilities and cybersecurity strategy development. Yet, many still view security as an IT department responsibility, not a business-critical priority requiring top-down leadership.

This mindset is dangerous. A successful cybersecurity strategy demands board buy-in to enforce policies across the organisation and foster a culture of awareness. IT departments can implement firewalls and anti-virus software, but employees remain the biggest threat. Without board sponsorship, technical solutions alone are insufficient.

Why Cybersecurity Belongs in the Boardroom

IT teams — whether internal or outsourced — need a seat at the boardroom table. They require an understanding of how security integrates with business operations and strategy. Failing to address security at this level can be costly. Beyond the immediate expenses of rectifying a cyber-attack, organisations face regulatory fines (especially in regulated industries), client loss, and stiffer penalties under new EU data protection laws coming into effect in 2018.

Large enterprises might absorb these costs, but can SMEs? The financial and reputational damage can be devastating.

How to Secure Boardroom Buy-In for Cybersecurity

Educate on the Real Impact of Cyber-Attacks

The first step toward a robust cybersecurity policy is helping board members understand the true implications of an attack. For regulated industries, the consequences of non-compliance are severe, both for the organisation and for individual senior managers, who can no longer claim ignorance of security risks. Understanding how an attack impacts the business and its leaders often sharpens focus, though sadly this realisation frequently comes only after a breach occurs.

Identify Vulnerabilities and Empower IT Teams

Board members must also recognise where vulnerabilities lie. For SMEs, the most significant cyber-threat is their own staff. Employees inadvertently click on malware links or share passwords inappropriately, granting attackers access to sensitive systems. Fortunately, this risk can be mitigated without constant spending on new technology. Training and awareness exercises for all employees — including board members — ensure vigilance and proactive security behaviour. This only works, however, with board support that leads by example and embeds security into organisational culture.

Regular health checks, risk assessments, formal written cybersecurity policies, and business continuity plans are all essential components that directors should welcome in the boardroom. For more insights, explore our guide on cyber-risk management board strategy and SME cybersecurity best practices.

In conclusion, while board interest in cybersecurity is growing, it must translate into consistent action. Security is not just an IT job; it is a boardroom imperative. Without top-level sponsorship, even the best technical defences will fall short.

Learn how to build a boardroom cybersecurity culture that protects your business from the top down.
