Cyber security demands accountability beyond IT
When a breach occurs, the difference between minor disruption and major fallout often comes down to how well-prepared the whole organisation is, not just the IT team, writes Serene Davis.
When nearly a third of employees blame their IT department for a cyber breach, it’s clear we have a perception problem. A recent QBE survey of working Australians and New Zealanders found that 31 per cent of employees would hold IT solely responsible if a cyber incident occurred, while only 26 per cent would blame hackers or cyber criminals, and just 5 per cent would point towards third-party providers as the vulnerability.
This signals a significant perception gap, one that risks leaving organisations exposed.
The reality is that cyber security isn’t just an IT issue. It’s a business issue, one that touches every part of the organisation. And when a breach occurs, the difference between minor disruption and major fallout often comes down to how well-prepared the whole organisation is, not just the IT team.
It’s understandable that employees might instinctively look to IT in the aftermath of an incident. But that view doesn’t reflect how complex and far-reaching today’s cyber risks really are. From reputation and revenue to legal exposure and customer trust, the consequences go far beyond systems and servers.
Encouragingly, this also means that every part of the business has a role to play in resilience, and it starts with culture. If people believe cyber security lives only with IT, then we’ve missed the opportunity to build a truly secure organisation. The goal isn’t to assign blame, but to change the narrative and encourage greater awareness, accountability, and collaboration across all levels.
Too often, the strategic elements of cyber risk management, communications, legal decisions, and trust-building aren’t meaningfully addressed until an incident occurs. But in those critical moments, it’s not technical fixes that lead; it’s leadership. And the best time to prepare for that is long before any breach happens.
Business leaders don’t need to be cyber security experts, but they do need to lead with intention. Participating in tabletop exercises and phishing email simulations guided by experts can test the organisation’s response plan, while showing that accountability begins at the pointy end. These exercises, along with other cyber risk assessment activities, are easily accessed through cyber insurance, often at no additional cost.
Even more critically, in the event of a breach, these cyber specialists become your first port of call and can provide access to trusted incident response teams, legal counsel, forensics experts, and crisis communications specialists, so you’re not scrambling to find help at a time when every minute counts.
When boards and executives embrace their role in cyber resilience and take full advantage of the tools at their disposal, the entire organisation becomes stronger. The more we embed shared responsibility, practical training, and proactive planning into our operations, the more prepared we are. Not just to respond to a breach, but to prevent it in the first place.
Serene Davis is the global head of cyber at QBE Insurance.