Everyone in Your Organization Thinks Someone Else Is Handling Cyber Risk

Reading time: 9 minutes

Category: Zero Trust

Author: Yann Lazar

Summary

The board is talking about cyber risk. Leadership is prioritizing it. Someone just approved a bigger security budget.

And yet, only 6% of organizations have all key data risk controls in place. That is from PwC’s 2026 Global Digital Trust Insights, across nearly 3,900 executives in 72 countries. Sixty percent call it a top priority. Six percent are actually ready.

The gap is not a funding problem. It is an ownership problem. Until someone names it, nothing closes.

The Meeting Went Well. You Are Still Exposed.

Picture the last board meeting where cyber risk came up.

Someone presented a slide deck. Leadership asked good questions. The CISO gave confident answers. The budget was approved.

Everyone left feeling like something had been done. Nothing had been done.

That meeting is the problem. Boards are engaging on cyber risk more than ever. Six in ten executives now rank it among their top three business priorities. Organizational readiness has not kept pace. The conversation got serious before the controls did.

Most organizations assume that because leadership is paying attention, exposure is being managed. That assumption is wrong. The next incident will make it visible.

What Board-Level Cyber Risk Actually Means

It is not a topic on an agenda. It is a governance responsibility.

Directors and executives carry accountability for the organization’s security posture, investment decisions, and breach response. Cyber risk sits alongside financial, operational, and regulatory risk in how the organization is led. Not just how it is managed.

When that accountability is real, there are named owners, measurable outcomes, and honest reporting. When it is performative, there are slide decks and approvals.

Caring Is Not the Same as Governing

A competitor gets breached. Board engagement spikes. A regulator publishes new rules. It spikes again. Geopolitical tension makes the news. It spikes again.

That is reactive attention. It feels like governance. It is not.

Real governance asks different questions:

  • Not “are we taking this seriously?” but “who is accountable when something goes wrong?”
  • Not “did we increase the budget?” but “what risk does that budget actually reduce, and how do we know?”
  • Not “do we have a CISO?” but “does our CISO have the authority to tell us things we do not want to hear?”

Most boards cannot answer those questions cleanly. That is the governance gap.

The 6% That Should Keep You Up at Night

The 60% number is the one that gets cited as progress. It is the wrong number to focus on.

The number that matters is 6%. That is the share of organizations that have implemented all key data risk controls. Ninety-four percent have not.

In practice, that means:

  • Security tools that do not talk to each other. Alerts no one is actioning. Visibility gaps between cloud, on-prem, and third-party systems.
  • Accountability structures that look clear on paper and dissolve the moment an incident happens. Who gets the call at 2am? Who notifies regulators? Who owns the decision to take systems offline?
  • Board reporting that describes the security program in terms leadership wants to hear. Not in terms that reflect the actual control environment.

None of that is solved by a budget increase. It is solved by governance.

What 20+ Years of Operating Zero Trust Shows About Board Governance

ON2IT was founded in 2005 to operate Zero Trust at enterprise scale. We have run Zero Trust governance for organizations in regulated sectors, in real environments, for longer than any other MSSP. We have seen what survives an incident, and what does not.

In the organizations where board attention and operational readiness actually align, four conditions show up:

1. Accountability that survives an incident.

A named individual owns cyber risk outcomes. With real authority. With direct board access. With an honest mandate. Not a reporting line that passes through three layers before reaching leadership.

2. Risk reporting in business terms.

The board receives information framed around impact. What is our exposure? What would a material incident cost? Which controls are not yet in place, and what does that leave open? Indicators are for the operations team. Impact is for the board.

3. Investment tied to specific risk reduction.

Security spend maps to a defined risk register. Leadership can trace the line from budget, to control, to reduced exposure. Not from budget to vendor to renewal.

4. Zero Trust as the architectural foundation.

Mature organizations apply Zero Trust across every actor and every access request. Human, machine, and AI agent. It gives the board a single coherent model to govern against. Not a patchwork of point solutions that no one can explain to a non-technical director.

These four conditions are not theoretical. They are what we operate, every day, for the organizations that have closed their version of the 60/6 gap. They are also not built by a budget cycle. They are built by deciding, at the top, that governance is the deliverable.

Your Threat Model Now Includes Geopolitics

One finding from PwC’s research deserves attention. Geopolitical instability has become a direct driver of cybersecurity strategy. Not a background concern. An active input to how organizations prioritize and allocate.

This changes who is responsible. Geopolitical risk is not a technical call. It requires understanding which vendors carry elevated exposure. Which supply chain partners operate in jurisdictions that create regulatory or intelligence risk. What the security implications are of the cloud providers you depend on.

Your security team can surface those questions. They cannot answer them alone. Those decisions require executive ownership. And a board that understands enough about the threat environment to ask the right questions when the briefing happens.

Most boards are not there yet. Getting them there is part of the CISO’s job now. Whether it was in the original description or not.

The CISO’s Job Has Changed. Most Job Descriptions Have Not.

The CISOs who close the gap between board attention and organizational readiness are not the ones who give the best technical briefings.

They operate as business risk executives. Present in strategy conversations. Fluent in the language of loss and liability. Willing to tell leadership what they do not want to hear.

That requires something from the board too. It requires them to create the conditions where honest reporting is rewarded, not managed. Where the CISO is not optimizing for what the board wants to hear. But for what the board needs to know.

Where that relationship does not exist, the 6% stays at 6%. Leadership believes the organization is more protected than it is. The CISO manages expectations instead of managing risk. The gap persists. Right up until the incident that makes it visible.

Key Takeaways

  • 60% of executives rank cyber investment as a top priority. Only 6% have the controls to match. The gap is a governance problem, not a funding one.
  • Board attention is not progress. Real governance needs named accountability, honest reporting, and investment tied to specific risk reduction.
  • Geopolitical instability has made cybersecurity a strategic decision. It requires executive ownership, not technical management.
  • Zero Trust gives boards one coherent model to govern against. Across every actor and every access request. Not a patchwork of point solutions.
  • The CISO’s job is now business risk leadership. The board has to create the conditions that make honest reporting possible.

Conclusion

The boardroom is not the problem. Most boards ask the right questions. The problem is the distance between those questions and an honest answer.

A 54-point gap between stated priority and actual control implementation is not closed by another budget cycle. It is closed by three things. Naming who owns the risk. Measuring it honestly. Building governance structures that keep leadership and operational reality in the same conversation.

The board is engaged. That is the opportunity. Use it before the incident that tests whether the engagement was real.

Call to Action

If your board is prioritizing cyber risk but your control environment does not reflect it, ON2IT can help. Our Zero Trust governance assessment maps where you stand against the four conditions that distinguish the 6% from the 94%. It produces an honest picture for leadership. Contact us to start the conversation.

Board-level cyber risk means directors and executives carry accountability for security outcomes. Not just the IT or security team. Real board-level ownership involves named accountability for breaches, investment decisions tied to defined risk reduction, regulatory and legal liability, and the organization’s resilience if a material incident occurs. When it is real, the board can answer hard questions about the control environment. When it is performative, they approve budgets and move on.

The gap between board attention and organizational readiness persists because the two require different things. Attention changes when an incident happens or a regulator applies pressure. Readiness requires sustained execution. Clear accountability chains. Integrated controls. Honest measurement. Governance frameworks that survive an actual incident. Most organizations have accelerated the first much faster than they have built the second.

Zero Trust gives the board a single architectural model to govern against. One consistent principle, applied across every actor and every access request: verify everything, trust nothing, enforce least privilege. That makes risk posture reportable in terms that are coherent and measurable. Not an inventory of security products the board has no frame of reference to evaluate.

Skip the technical metrics. The board needs four things. What is our exposure in financial and operational terms? What are the top risks not yet fully mitigated? What would a material incident cost? Where are the accountability gaps right now? CISOs who frame it that way give leadership the information needed to govern. CISOs who frame it around tool coverage and compliance scores give the impression of safety without the substance.