CYBERPLANZ
“Plans are of little importance, but planning is essential.”
― Winston Churchill

2 March Blog

3/2/2026


When Cybersecurity Becomes “Someone Else’s Problem” — A Dangerous Leadership Blind Spot

In recent discussions with several senior managers, business owners and CEOs, three worrying themes surfaced.
Not technical weaknesses.
Not budget constraints.
But leadership assumptions.
And in 2026, assumptions are the biggest cyber risk of all.
1. “Cybersecurity Isn’t My Remit — That’s for IT”
One CEO told me directly that he didn’t want to discuss cybersecurity because it sat with his tech team.
That mindset might have worked 15 years ago.
It doesn’t work now.
Cybersecurity is no longer a technical control issue. It is:
  • A governance issue
  • A reputational issue
  • A financial risk issue
  • A regulatory exposure issue
  • A culture issue
Boards don’t delegate financial accountability to the finance team and then disengage.
They don’t outsource health & safety responsibility and refuse to discuss it.
Yet many still treat cyber risk as if it’s a firewall configuration problem.
Frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and ISO/IEC 27001 are explicitly structured around governance and leadership accountability, not just technical controls.
If cyber is not on the CEO agenda, it is not truly embedded in the organisation.
And attackers understand that.
2. “We Don’t Use AI — I Blocked It”
Another leader confidently stated that no one in the organisation used AI-linked tools because IT had blocked them.
The reality?
AI adoption is bottom-up, not top-down.
Staff are already using platforms such as OpenAI’s ChatGPT, Microsoft Copilot, Google Gemini, and dozens of AI-enabled SaaS tools — often through personal devices, browser plugins, or embedded features inside systems you already pay for.
Blocking public AI websites does not remove:
  • AI embedded inside productivity platforms
  • AI inside CRM systems
  • AI features automatically activated in software updates
  • Staff experimentation from home
This is what many now call “Shadow AI”.
The more restrictive the policy, the more invisible the behaviour becomes.
And invisible risk is unmanaged risk.
3. “AI Is Safe — Staff Know What’s Expected”
The third view was equally concerning: AI tools were considered safe, and senior oversight was unnecessary because “staff know what’s expected.”
Unfortunately:
  • Most employees cannot clearly articulate what data is confidential vs sensitive vs public.
  • Many assume AI tools do not retain, learn from, or store prompts.
  • Very few understand intellectual property leakage risks.
  • Almost none have been trained in structured AI risk decision-making.
Trusting staff without equipping them is not empowerment — it is exposure.
Leadership oversight is not about mistrust.
It is about setting guardrails, defining acceptable use, and aligning innovation with governance.
4. “Cybersecurity Is an Irritation — It’s Overhyped”
Perhaps the most revealing comment came from a business owner who described cybersecurity as an irritation — a non-issue exaggerated by specialists to generate revenue.
It’s understandable.
Cybersecurity messaging has often leaned heavily on fear.
But dismissing risk does not remove it.
In New Zealand and across Australasia, we are seeing:
  • Increased ransomware targeting SMEs
  • Supply chain compromise
  • Business email compromise
  • AI-assisted phishing attacks that are almost indistinguishable from legitimate communication
Cyber risk today is less about dramatic movie-style breaches and more about:
  • Operational disruption
  • Revenue loss
  • Regulatory scrutiny
  • Reputational erosion
And increasingly — AI-driven acceleration of all of the above.
The Real Issue: A Leadership Gap
Across all four conversations, the pattern was not technical immaturity.
It was governance distance.
Cybersecurity and AI risk now sit at the intersection of:
  • Strategy
  • Culture
  • Technology
  • Human behaviour
  • Brand trust
When leaders disengage, block blindly, over-trust without oversight, or dismiss the issue entirely, they create exactly the conditions attackers rely on:
Complacency.
A More Mature Leadership Response
A balanced executive stance looks different:
  1. Cyber is a board-level discussion.
  2. AI use is acknowledged, mapped, and governed — not denied.
  3. Staff are trained, not simply trusted.
  4. Risk is assessed pragmatically — not exaggerated, but not ignored.
  5. Technology decisions are evaluated through a human-centric lens.
Because at its core, cybersecurity is not about firewalls.
It is about people making decisions — every day — often under pressure.
And AI simply accelerates the consequences of those decisions.
The Strategic Question for CEOs
Not:
“Is this IT’s job?”
But:
“Do we have governance visibility, cultural alignment, and practical guardrails around how technology and AI are being used across our organisation?”
If the answer is unclear, the risk already exists.
Cybersecurity is no longer a technical inconvenience.
It is a leadership responsibility.
And the organisations that understand that will be the ones that remain resilient.

    Author

    Patrick – Founder of Cyberplanz | Business Strategist | Cyber Governance Advocate

    Patrick combines deep business experience, including an MBA, with up-to-date cybersecurity expertise, including certification as a PECB ISO/IEC 27001 Lead Implementer. He helps businesses grow while staying secure—bridging the gap between cybersecurity and real-world operations with clear, human-centric solutions. Passionate about culture, clarity, and resilience, Patrick champions the belief that cybersecurity is everyone’s business—not just IT’s.


Human-Centric Cyber Governance & AI Security for NZ Organisations

A Corna Consulting Company