To Optimize Security Investments, Cyber Leaders Translate Technical Risk Into Business Value
Enterprise Security
Cybersecurity advisor Mike Andrewes explains how most organizations still blame the CISO for data breaches, yet few grant them financial ownership, and why the solution is a mindset shift.

At most organizations, the finger-pointing starts almost immediately after a data breach. But while blame gets assigned, accountability rarely is. Usually, that's because the person charged with managing cyber risk—often the Chief Information Security Officer (CISO)—lacks the financial authority to own it. That gap leaves companies vulnerable and executives exposed, and the fix starts with a new mindset rather than a new tool.
According to cybersecurity advisor Mike Andrewes, it's time to reframe the conversation. As the owner of cybersecurity advisory Yastis, Andrewes guides startups and SMBs through complex compliance environments. He also serves as a Cyberspace Operations Officer in the Ohio Air National Guard and once led classified cybersecurity for the F-35 at Lockheed Martin. From his perspective, treating security as an exclusively technical issue is a significant oversight.
"Cyber risk is business risk. Too many companies treat security as the CTO's problem and bring it to the boardroom only when something breaks or funding is needed. But every business risk discussion—competitive, financial, or operational—should include cybersecurity," Andrewes says. With the global average cost of a data breach now $4.35 million, that point is hard to ignore.
The blame game begins: The disconnect often starts with hiring, Andrewes explains. "When a job description asks a CISO to 'own' cyber risk, candidates agree even if the term is undefined. That ambiguity breeds confusion from day one and turns into finger-pointing when something goes wrong."
A risk no one can own: In fact, even as most executives are increasing cyber budgets, only a fraction feel confident in their ability to manage data risk. "A court will see a CISO’s salary and a multimillion-dollar liability and conclude they lack the financial capacity for true ownership. A CISO can manage risk, but only the board—those with financial liability—can own it," Andrewes says.
Knowing the odds are stacked against them, some CISO candidates now negotiate golden parachutes, Andrewes explains. But the motivation for change is rarely proactive. "Every single one of these companies either had something happen already, had a close call, or lost a deal because of it. It's always about making money or losing money. No one does this simply because they want to."
For Andrewes, the solution is a shift in identity: turning security leaders into business executives who specialize in technology. That means internalizing the C-suite mindset, not just speaking its language.
Think like a businessperson: The best CISOs translate technical risk into business terms, Andrewes says. “You’re a businessperson who happens to specialize in technology. Think in dollars and outcomes. Don’t just reframe issues for meetings. Live that mindset daily.”
Use a simple risk lens: Other business leaders must also move beyond the question “Are we secure?” Here, Andrewes offers a clear framework: “Start with downtime, data exposure, and compliance issues. Those translate to lost business, fines, or lawsuits. Quantify them.”
Eventually, that shift replaces checkbox compliance with a risk-driven strategy. Today, Andrewes applies the same rule in his own work. “I won’t take clients who don’t prioritize risk. When you base your program on actual risks to your environment, you can’t go wrong. Compliance follows naturally.”
Learn fast or fall behind: Emerging AI threats only heighten the need for this literacy, Andrewes says. “A baseline understanding of AI is essential. Without it, leaders will stay reactive.” For many companies, the “wake-up call” isn’t a breach but a compliance push—pursuing SOC 2 or ISO certification to close a deal.
Outcome over intent: The initial motivation for pursuing security is less important than the outcome for Andrewes. "We don't go to the gym and say, 'Yeah, that guy is jacked, but he's only doing it to get dates.' Do it for whatever reason you want. But just do it."
In closing, Andrewes offers a simple, real-world test to diagnose an organization's cultural maturity in minutes. "You can spot the issues right away. If an executive's eyes glaze over when asked about cybersecurity, you know there are problems. The tell-tale sign is when they immediately delegate responsibility, deferring to their CISO or explaining that the CTO handles it." In contrast, a leader with a more mature perspective will have a refreshingly simple answer: "They simply confirm that cybersecurity is discussed every time business risk is on the table," he says.
For Andrewes, that simple statement suggests a much deeper business acumen: cyber literacy is no longer just a technical skill, but a baseline leadership competency. A CEO who can say that isn't just good at security, he concludes. They are fundamentally better at their job. "When a CEO speaks fluently about cyber risk, I know they're better at business. Their job is to avoid blind spots—and cybersecurity is one of the biggest."