In recent discussions at OxCyber, we stepped away from technical detail to focus on something more human: accountability.
When a cyber incident becomes public, the first question is rarely technical.
It is usually: who is responsible?
Over time, this question has become more complex. Cybersecurity is no longer viewed purely as an IT issue, and responsibility is increasingly shared across technical, operational, and executive levels.
The End of “It’s Just an IT Issue”
For many years, cybersecurity was treated as a technical function owned by IT teams.
That model is changing.
Regulators, insurers, and courts are increasingly assessing cybersecurity through the lens of organisational responsibility and duty of care.
In practice, this means leadership decisions are now part of the security conversation.
The key question being asked is no longer only “how did the breach happen?”, but also whether reasonable steps were taken to prevent it.
Individual vs Corporate Responsibility
A common question we hear is where the line sits between organisational and personal accountability.
In reality, this depends on context, governance, and evidence of due diligence.
Organisational responsibility
Where recognised security frameworks, appropriate controls, and regular risk management practices are in place, cyber incidents are generally treated as operational risk. Organisations may still face financial and reputational impact, but this is not automatically attributed to individual fault.
Personal accountability
Individual liability becomes more relevant where there is evidence of serious governance failure, such as intentional concealment of incidents, misrepresentation of risk, or failure to implement clearly expected security controls within a role of responsibility.
A Fragmented Global Picture
There is no single global cyber law, but regulatory expectations are becoming more aligned in practice.
The European Union
The EU continues to lead with structured regulatory frameworks such as NIS2 and the Cyber Resilience Act, which introduce clearer expectations around governance, reporting, and accountability.
The United Kingdom
The UK approach continues to focus on operational resilience, with an emphasis on maintaining essential services and improving response capability over time.
The United States
In the US, accountability is often shaped through litigation and sector-specific regulation, with outcomes varying significantly depending on industry and context.
What “Reasonable Security” Actually Means
One of the most important shifts is the move toward assessing what constitutes “reasonable” security for a given organisation.
This is increasingly influenced by what is considered current good practice at the time of an incident.
In other words, security decisions are now being measured against the standards, tools, and expectations that were realistically available when those decisions were made.
Why This Matters for Leadership
Cybersecurity is no longer just about systems and controls. It is also about decision-making, governance, and accountability at leadership level.
This shift is pushing organisations to think more carefully about how risk is owned, documented, and managed across the business.
Security maturity is increasingly defined not just by technical capability, but by how clearly responsibility is understood and acted upon.
Cyber incidents will continue to happen.
The organisations that are best prepared will be those that treat accountability as part of their security strategy, not something considered after an incident occurs.