Cyber Risk Accountability Moves Beyond Technical Teams To Executive Leadership
Enterprise Security
Muhammad Arshi Wasique, GM of MEA Operations at ThreatCure, reframes cyber risk as a financial tradeoff, pushing accountability from CISOs to CFOs and boards.

Cyber risk has outgrown the IT department. What once lived in firewalls and incident response plans now shows up on balance sheets, risk registers, and board agendas. Treating it as a solely technical problem misses the real issue: Cybersecurity has become a question of business tradeoffs, where financial exposure, resilience, and executive accountability are inseparable.
That's the argument from Muhammad Arshi Wasique, a cybersecurity and IT governance leader with over three decades of experience. Currently the GM of MEA Operations at ThreatCure, Wasique serves as a virtual CISO and trusted advisor to clients in the world’s most regulated industries. In his view, for organizations to achieve true resilience, they must fundamentally redefine who is ultimately responsible for cyber risk.
"Risk is no longer just an IT issue. It’s a business risk with financial consequences. That's why the accountability has to be with the CFOs and the board," says Wasique. His solution is to build a "governance bridge" that connects the technical realities of cybersecurity with the financial realities of the business.
Governing by the books: It’s not just a theory. It's a concrete strategy, backed by internationally recognized frameworks that formalize the shift in responsibility. These standards signal an industry trend: integrating cybersecurity functions with C-suite strategy and oversight. "There are three frameworks that need to be combined: NIST CSF 2.0, which frames cyber as an enterprise risk; ISO 27014, which emphasizes board-level accountability; and the COSO framework, which is widely used for framing risk ownership, including cyber."
Talk isn't cheap: But frameworks alone are just paper. Their success often depends on the CISO’s role expanding from a technical gatekeeper to a strategic translator. The communication gap between security teams and the board is often where accountability becomes unclear. "A CISO needs to have strong financial acumen and governance experience," Wasique says. "The board doesn’t understand technical terms; you have to translate risk into business resilience and financial exposure. Telling the board they stand to lose a specific amount of money or damage their credibility is a message they will understand."
This approach reframes security decisions as strategic calculations. "The boards and the stakeholders must treat cyber risk as a capital allocation decision," Wasique insists. "Every decision is a tradeoff between cost and resilience." But this expectation introduces a key challenge, as CISOs are sometimes firewalled from the very business context they need to translate risk effectively. It's something Wasique has experienced firsthand.
Blinded by the books: "When I was working as a virtual CISO, I asked for financial statements to understand the risks," he recalls. "I was told that because I was a fractional CISO, they could not provide me with those documents. Unless I can understand the business and have that financial acumen, I cannot translate technical threats into business impact." Such a disconnect points to a structural misalignment in the traditional security model: CISOs are often held responsible for preventing breaches without having final authority on the budget.
The accountability gap: When a CISO presents a clear tradeoff (for instance, a $10,000 investment to prevent a potential $20,000 fine) and the request is denied, accountability becomes decoupled from authority once an incident later occurs. "CISOs are always blamed for a breach, despite the fact that the decision authority lies elsewhere," Wasique notes. "The CISO can warn the governance body, but if the board dismisses the risk, the decision isn't made. In terms of cyber resilience, there is no such thing as 'critical' versus 'non-critical.' When an incident happens, it affects the whole organization, not only the CISO."
The buck stops there: From Wasique's perspective, if cyber risk is a financial and strategic issue, then ultimate ownership should lie with the executives responsible for financial outcomes. He offers a clear vision for this new model and a practical blueprint for implementing it. "Ownership always belongs to the executives responsible for financial outcomes, not the CISO," he says. "When the board and CFOs take accountability, cybersecurity moves from being a technical issue to a strategic one."
Ultimately, shared ownership changes what cybersecurity leadership looks like. The CISO is no longer a last-line defender waiting to be blamed after the fact, but a strategic partner shaping decisions before risk turns into loss. When exposure is translated into clear tradeoffs and options, accountability sits where it belongs and governance becomes a driver of resilience, not a post-incident autopsy. "The CISO needs to become an enabler," Wasique concludes. "Someone who translates exposure into tradeoffs and options for the governing body."