Amy Lemberger, founder of The CISO Hub, argues that the real corporate cyber security issue is basic: no one senior is clearly owning the decisions that matter.
In many businesses, cyber security still sits under IT, compliance, or procurement. It’s still seen as a ‘nice to have’ and not a ‘must have’. That structural choice shapes how risk is handled. Security becomes operational rather than strategic. Decisions are pushed down the organisation, while accountability remains unclear. When incidents occur, leadership is often caught off guard, despite months or years of warning signs. Lemberger is a former FTSE-250 Chief Information Security Officer (CISO) who has spent over 17 years working in cyber security. She says this misunderstanding is widespread.
“Accountability for cyber risk never leaves the CEO,” she says. “You can delegate responsibility, but you can’t outsource accountability.”
Lemberger argues that hiring a CISO is often misunderstood as a solution in itself. In reality, it changes the quality of information available to leadership, not the level of risk.
“Hiring a CISO doesn’t make risk disappear,” she says. “It makes risk visible. What matters is what the business chooses to do with that visibility.”
Cyber risk, she explains, is not a technical problem that can be solved once and moved on from. It is a continuous series of trade-offs between security, speed, cost, and growth. Those trade-offs sit squarely at leadership level.
When security is buried too far down the organisation, the people closest to the risk often lack the authority to influence outcomes. At the same time, senior leaders may not have a clear or honest picture of the risks they are accepting. The result is a gap that no amount of tooling or policy can close.
Debates about where the CISO should report are common. Should the role sit under the CIO, the CFO, or directly with the CEO. Lemberger believes the reporting line matters less than access and influence.
A security leader who cannot speak directly and plainly to senior decision-makers ends up producing reports that circulate without changing behaviour.
About the CISO Hub
It offers a virtual or fractional CISO – a Chief Information Security Officer who works with an organisation on a part-time or flexible basis; such as for a tech start-up that isn’t yet able to pay for a full-time CISO. Visit https://ciso-hub.co.uk/.
