Founder of The CISO Hub argues blurred accountability leaves firms exposed despite heavy investment in security tools.
Most corporate cyber security failures are driven less by inadequate technology than by weak leadership accountability, according to Amy Lemberger, a former FTSE-250 chief information security officer and founder of advisory group The CISO Hub.
Lemberger argues that many organisations already operate extensive security systems and monitoring tools. The deeper problem, she says, is that responsibility for cyber risk is often fragmented across IT, compliance and procurement functions, leaving no senior executive clearly accountable for strategic decisions.
“Accountability for cyber risk never leaves the CEO,” she said. “You can delegate responsibility, but you can’t outsource accountability.”
In many companies, cyber security remains positioned as an operational issue rather than a core business risk. As a result, decisions are pushed down the organisation, while boards and executive teams receive filtered or incomplete information. When incidents occur, leadership is often taken by surprise despite long-standing warning signs.
Lemberger, who has more than 17 years’ experience in the sector, says appointing a chief information security officer is frequently misunderstood as a solution in itself. “Hiring a CISO doesn’t make risk disappear,” she said. “It makes risk visible. What matters is what the business does with that visibility.”
She argues that cyber risk should be treated as a continuous series of trade-offs between security, speed, cost and growth — choices that can only be made effectively at senior management level. When security teams lack authority, they struggle to influence outcomes, while executives may not fully understand the risks they are accepting.
Debate over where CISOs should sit within corporate structures — under the CIO, CFO or chief executive — often misses the point, she added. What matters is access and influence. Security leaders who cannot communicate directly with decision-makers risk producing reports that circulate without prompting action.
The result, she says, is a persistent disconnect. Policies and frameworks are in place, dashboards are produced and compliance boxes are ticked, yet fundamental questions remain unanswered: what is being protected, what could realistically go wrong, and why certain risks are being tolerated.
Boards, Lemberger argues, do not need more technical detail, but clearer insight into business impact and priorities. Treating cyber security as an IT problem creates a false sense of control, while treating it as a leadership responsibility creates accountability.
Organisations that make that shift, she says, often move faster and respond more effectively, because decisions are owned rather than deferred.
“Cyber security does not fail because businesses are careless,” Lemberger said. “It fails because responsibility is blurred and relevance is misunderstood.”