There is a certain kind of executive who will confidently discuss supply chain exposure, geopolitical uncertainty, or climate volatility. But when cybersecurity appears on the agenda, it is still too often treated as a technical issue for the CISO to handle.
Suddenly, the matter is “technical.” Suddenly, the CISO is expected to serve as translator or scapegoat. The boardroom, which moments ago was full of strategic confidence, discovers that cybersecurity is somebody else’s expertise.
Jane Frankland MBE thinks this is the most dangerous blind spot in executive leadership.
“I’ve seen this across FTSE 100 boards, founder-led businesses, and governments—the belief that cybersecurity is something that happens to the organisation, rather than something the organisation does.”
Cybersecurity is still too often exiled to IT because that is where it began. There was a time when the subject could be plausibly associated with firewalls, antivirus software, and the “bloke down the corridor with the server room key,” as Frankland says. But the old mental model has survived long after its usefulness expired.
It has also survived because it is convenient. A technical problem can be delegated. A business survivability problem, not so much.
“If it’s technical, you can delegate it. You can write a check. You can hire a CISO and say ‘you sort it.’ If it’s a business survivability issue, you have to own it,” Frankland says.
Survivability risk might mean a breach, a fine, or a bad week of headlines. But it also means the lost contract that never appears in the risk register. It is the product launch that becomes a late-stage argument between engineering and security. It is the talent that quietly chooses a company where cybersecurity is not treated as a regrettable tax on ambition.
The hidden costs are often the hardest to count.
Accountability Is Not a Quarterly Slide
Some organisations have become very good at performative seriousness. There is the committee, the framework, the dashboard, the quarterly update. All these things may be useful. None of them is the same as accountability.
Real accountability, in Frankland’s view, begins when the CEO and board can have an honest conversation with the CISO about what could end the company.
“Genuine accountability isn’t a quarterly slide. It’s not a metric on a dashboard. It’s a CEO who can sit in a room with their CISO and have a real conversation about what could end this company and what they’re collectively doing about it.”
This is where many organisations betray themselves. If the CISO only learns about a new business or technology initiative after the decisive conversation has already happened, the business has not included cybersecurity. It has merely invited them to inspect the wreckage.
Frankland is especially sharp on the double standard that still governs many boardrooms.
“Nobody on a board would say ‘well, finance isn’t my area.’ But people happily say ‘cybersecurity isn’t my area.’ Genuine accountability is when that sentence becomes unsayable.”
That unsayable sentence is the cultural threshold. Before it, cyber belongs to a department. After it, cyber belongs to leadership.
Security Is Not the Enemy of Growth
The complaint that cybersecurity is a blocker has become one of the lazier truisms of modern enterprise operations. Like most lazy truisms, it contains a shard of truth. Cybersecurity does become obstructive when it is introduced too late.
When the product is built, the system is live, or the deal is signed, the cybersecurity team can only arrive as a source of bad news. It is not difficult to see why everyone resents the messenger.
Frankland’s answer is not a slogan about enablement. It is a change in timing.
“Cybersecurity becomes an enabler when it’s introduced early, when it’s part of the design conversation, the deal conversation, the strategy conversation. Not as a veto, but as a contributor.”
The more intelligent question is not whether the organisation can proceed. It is how the organisation can proceed safely without forfeiting speed, trust, or common sense.
“In a digital business, trust is the product. And cybersecurity is what trust is made of. Once leaders start to see it that way, the blocker framing falls away.”
It is hard to call cybersecurity a blocker once trust is understood as the thing being sold.
Blind Spots Are Built into Homogenous Leadership
Cybersecurity depends on the ability to anticipate how systems will be attacked. That means thinking like people who do not think like you. A leadership team shaped by the same culture may feel efficient. It may also be vulnerable.
“If you build a leadership team of people who think the same way, went to the same kind of schools, had the same kind of careers, and rose through the same kind of networks, you have built a team that shares the same blind spots. And the attackers will find them.”
Frankland connects this directly to the sector’s skills challenge. The industry cannot complain about the shortage of talent, which she disputes, while recruiting from the same narrow channels and calling the result a market failure.
“The diversity question isn’t a ‘nice to have’ while we wait for the labour market to fix itself. The diversity question is how we fix the labour market.”
Cybersecurity Culture Changes When Someone Tells the Truth
Frankland’s experience turning around a business during the dot-com crash informs her view of failed cybersecurity cultures. A turnaround is not a fresh start. You need to fix the most consequential issues visibly enough that the organisation notices what behaviour is now rewarded.
Some people, Frankland adds, will not come with you. Leadership has to ensure they do not get to veto the future.
For CISOs and senior executives who recognise these blind spots, the first step is not another tool purchase. It is a more uncomfortable exercise in diagnosis: identify the conversation that has been avoided, then move toward it.
“Your job as a CISO isn’t to inform. It’s to be heard by the people who can act. And being heard is partly about what you say, partly about the relationship you’ve built, and partly about whether you’re talking to the right person at all.”
That may be the hardest sentence in the interview. It denies the CISO the consolation of having merely been right. In a crisis of leadership, correctness is not enough. The message must land where power lives.
“Most blind spots in cybersecurity leadership don’t get fixed by buying something. They get fixed by someone, somewhere in the organisation, having a conversation that’s been avoided.”
Ultimately, resilience does not come from tools alone, and especially not from treating cybersecurity as a specialist concern. It comes from executive accountability, early engagement with security teams, and a willingness to have honest conversations about risk before a crisis forces the issue.