Organisations have long understood the challenge of translating cyber into business risk. The CISO-boardroom communication breakdown is real and well documented. But are there deeper problems? For various reasons, cyber-risk management has grown in size and scope over the years. Today it might span everything from traditional security disciplines to privacy, supply chain risk, legal, AI governance and operational resilience. That inevitably creates data silos, coverage gaps and resilience challenges.

If joined-up governance is the destination, what should the journey look like?

When Visibility and Ownership Splinter

There are various reasons why cyber-risk management has grown so unwieldy over the years. There was a time when security was much easier. Computing resources lived on-premises and organisations guarded the perimeter to keep out the bad stuff. This castle-and-moat approach evaporated with the arrival of cloud computing, remote working and SaaS applications. As the attack surface has expanded, it has taken in operational technology (OT), internet of things (IoT) systems, mobile devices, edge computing servers and more. More IT assets, more complexity, more fragmented oversight.

AI infrastructure and services represent the latest expansion. Large language models (LLMs), agents, vector databases, machine learning pipelines, APIs, plugins, and cloud servers represent a new high-risk target for attack. As AI finds its way into more business-critical services, the potential for compromise, data theft and manipulation grows. Shadow AI is a particular concern. Two-thirds (65%) of organisations have suffered AI agent-related security incidents in the past year and even more (82%) suspect having unmanaged agents running in their environments.

Supply chains are also to blame. The average enterprise now uses an estimated 61 security tools. And that’s just cyber. In almost all sectors, organisations have amassed a complex ecosystem of partners handling everything from logistics to professional services. Then there are digital suppliers. Open source components are a growing source of risk.

The final factor is the regulatory environment. As new laws have emerged to encourage operational resilience and protect personal data, AI technology, smart devices and other tech, the burden on compliance teams has grown. In some cases (like NIS2), senior management is now held personally liable for non-compliance. That has shifted the accountability focus more squarely away from security teams and onto business leadership.

What this Means

According to research and advisory firm Info-Tech Research Group, there are three key barriers to integrated risk management:

  • Lack of mature processes, shared language, risk culture, and modern tooling to support integrated risk management
  • Rapidly evolving regulations, emerging technologies, and shifting geopolitical realities that make it difficult to maintain proactive risk practices
  • Risk management that is treated as a compliance exercise rather than a strategic capability, leading to blind spots and missed opportunities to strengthen resilience

In some cases, CISOs are expected to handle the growing burden. Cambridge University research shows this can lead to reactive risk management, tick-box compliance and often burnout. Separate IANS research reveals 52% of CISOs feel their scope is no longer fully manageable. The pressure is particularly acute in smaller organisations and can delay important strategic initiatives, the report warns.

Ultimately, siloed risk management hurts the organisation by increasing opacity and breach risk, argues Black Duck CISO, Dom Glavach.

“When siloes create disconnected oversight, especially as AI accelerates the pace, risks emerge across software supply chains, workflows, and business operations. Distributed ownership is necessary to keep pace as cyber risk spans security, product, privacy, compliance, and suppliers,” he tells IO (formerly ISMS.online). “When the silos disrupt oversight, organisations end up with blind spots, duplicate work, slower response, and difficulty proving that the controls were working across the organisation.”

Time to Integrate

So where do organisations go from here? Info-Tech has a four-point plan for integrated cyber-risk management:

  • Establish goals and governance
  • Develop mechanisms to identify and assess risks
  • Develop risk response options
  • Create a tooling, monitoring and reporting plan

For Muhammad Yahya Patel, vCISO EMEA at Huntress, two key areas of focus should come first.

“First, a common control framework that all functions map to so that when the CISO reports on security controls, the data protection officer (DPO) reports on privacy controls, and the AI governance lead reports on model risk, they’re all speaking to the same underlying risk taxonomy, and the board can see the aggregate picture,” he tells IO.

“Next, the supplier dimension needs attention because it’s where the governance breakdown is most acute right now. Most organisations have third-party risk management processes that are point-in-time: an assessment at onboarding, a questionnaire at renewal. What they don’t have is continuous visibility of whether the controls they relied on at assessment time are still in place. Continuous monitoring of supplier security posture, integrated with your internal risk picture, is a must-have.”

Where Frameworks Help

Ronald Lewis, head of cybersecurity governance at Black Duck, likens the process to fine-tuning an old-fashioned clock, where every function is a cog.

“Each cog has a specific role, but none operate independently. If one cog is misaligned, spinning too fast, too slow, or in the wrong direction, the whole system drifts. That’s exactly how cyber risk behaves in siloed environments. Controls don’t fail because they’re poorly designed; they fail because they’re not synchronised with decisions happening elsewhere,” he says.

“That level of synchronisation doesn’t happen organically. It requires a framework. Whether it’s ISO 27001, NIST, or a well-constructed internal model, the point is to establish a common language, consistent taxonomy, and clear lines of traceability between risks, controls, and ownership.”

Lewis explains that a strong framework forces integration across domains.

“It creates the connective tissue between privacy, security, third-party risk, AI governance, and operational resilience. It enables you to see not just individual risks, but how they interact and scale,” he concludes. “Without that structure, you can’t get to joined-up oversight. With it, you can align the cogs, turning independently, but in the same direction, toward a single, measurable goal: a coherent, enterprise-wide understanding and management of cyber risk.”
