Why so many IT leaders are becoming accidental CISOs

In many organisations, no one sets out to become responsible for cyber security. The responsibility simply appears.

One day, it just lands on the desk of a CTO already managing infrastructure and digital delivery. Or it falls to a Head of IT trying to keep systems running. In some cases, the responsibility even reaches the CFO when governance and regulatory pressure begin to build.

Cyber security becomes another responsibility layered onto an already full role. For mid-sized organisations in particular, this scenario is becoming increasingly common. These companies rely heavily on digital systems, cloud platforms and complex supply chains.

Yet many do not have dedicated security leadership in place. Instead, cyber risk is absorbed into existing leadership roles. Someone becomes responsible because someone has to be.

Amy Lemberger, former FTSE-250 Chief Information Security Officer and founder of The CISO Hub, says this “accidental CISO” dynamic is now widespread across the mid-market. “In many organisations, someone senior suddenly realises cyber security sits with them,” she says. “But they were never hired to run security, and they often don’t have the time or specialist experience to manage it properly.”

The situation reflects a broader shift in how businesses operate. As organisations have digitised their operations, cyber security has moved quietly from being a purely technical issue to a fundamental business risk. Data, systems and digital services now underpin everything from supply chains to customer relationships.

Despite this shift, organisational structures have not always caught up. Security responsibilities frequently remain embedded within IT teams, where the primary focus is enabling the business to move quickly and keep systems running.

The objectives of IT delivery and cyber risk management, however, are not always aligned.

“IT leaders are focused on making sure the business can operate and deliver services,” Lemberger explains. “Security leadership must step back and ask different questions. Where are the biggest risks? What decisions are being made about those risks? How are they governed?”

Without dedicated leadership, those questions can be difficult to answer.

Many organisations invest heavily in security technology. They deploy monitoring tools, identity platforms and compliance frameworks. But technology alone does not create a coherent security strategy. Someone still needs to interpret the risks, prioritise investment and explain the implications to the wider leadership team. That role traditionally sits with a Chief Information Security Officer.

Yet hiring a full-time CISO is not always realistic for mid-sized organisations. Senior security leaders command significant salaries, and many companies simply do not have the scale to justify a permanent executive role focused solely on cyber risk. The result is a growing leadership gap.

Businesses recognise that cyber security matters. They often have capable IT teams and a range of technical controls in place. What they lack is the strategic oversight required to translate those controls into a clear approach to risk management.

This gap is one of the reasons fractional or virtual CISO roles are becoming more common. Instead of building a full-time leadership function, organisations bring in experienced CISOs on a part-time basis to guide strategy, governance and risk management.

These leaders help organisations understand what good security looks like, prioritise improvements and ensure senior executives have the information they need to make informed decisions.

Lemberger founded The CISO Hub to help organisations access that kind of leadership more easily. The platform connects businesses and service providers with experienced CISOs who operate fractionally across multiple organisations. The aim is not to replace internal teams, but to support them.

“Most IT leaders are doing their best in a situation where cyber security has grown into something far bigger than it used to be,” Lemberger says. “The role of a CISO is to help the organisation understand the risk landscape and make sensible decisions about how to manage it.”

The need for that leadership is growing as regulatory expectations expand across Europe and the UK. New legislation such as NIS2 and the Cyber Resilience Act is raising expectations around governance, reporting and accountability for cyber risk. At the same time, supply chain partners and customers are asking more questions about how organisations manage security internally. For companies without clear leadership in place, responding to these pressures can become increasingly difficult.

“Security is no longer just a technical issue,” Lemberger says. “It affects how organisations operate, how they grow, and how they demonstrate trust to partners and customers.” For many IT leaders, that reality has arrived gradually.

Responsibilities that once focused purely on infrastructure and systems now include security governance, regulatory awareness and risk communication with senior executives.

It is a significant expansion of scope for roles that were never originally designed to carry that level of accountability.

The rise of the “accidental CISO” reflects a simple truth about modern organisations. Cyber security has become too important to sit purely within technical teams. Yet many companies are still figuring out how to integrate security leadership into their broader decision-making structures.

For businesses navigating that transition, the question is no longer whether cyber security needs leadership. It is whether the organisation has access to the right expertise to guide those decisions. As digital infrastructure becomes increasingly central to how organisations operate, the ability to access experienced security leadership may become one of the defining factors separating companies that manage cyber risk confidently from those that struggle to keep pace.
