Cybersecurity isn’t a product you buy, a service you outsource, or a compliance box you check. It’s a mindset—and like any meaningful cultural shift, someone has to lead the charge.
At Prescriptive, we’ve seen firsthand what happens when no one owns the risk. When we conduct security assessments, it’s not uncommon for clients to be surprised by what we find: legacy systems still exposed to the internet, admin accounts that belong to long-departed employees, and security tools that were purchased but never properly configured.
In most cases, these technical issues stem from a more fundamental problem: a lack of clarity about who is responsible for initiating and driving cybersecurity risk awareness.
There’s a dangerous assumption floating through many organizations: that someone, somewhere—probably in IT—is keeping an eye on the risk landscape. In reality, many IT teams are already overwhelmed with reactive support tasks and firefighting. Risk management happens “when we get to it,” and sometimes that turns into “hardly ever.”
Without a clear champion, security becomes fragmented. Policies exist on paper but aren’t enforced. Tools are deployed but not monitored. Users are trained once—but never held accountable for ongoing behavior.
In my view, there has to be someone who is really motivated to take the initiative to increase risk awareness. They’ve got to be driving it. Otherwise, nobody’s doing it.
Even in organizations with an abundance of security-minded personnel, the lack of defined risk ownership creates gaps. We see it all the time in Microsoft 365 environments—one of the most common points of failure in modern IT ecosystems.
Dormant mailboxes. Forwarding rules to external addresses. Global admin accounts used for daily email. These aren’t obscure edge cases. They’re signs that no one is connecting the dots between technical configuration and business risk.
The issue isn’t usually a lack of tools—it’s a lack of clarity. Who’s responsible for ensuring mailbox rules are audited? Who’s checking for abandoned accounts? Who’s confirming that security alerts are actually being reviewed?
If the answer is “we thought IT handled that,” then there’s a problem.
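As an added example (not part of the original post or Prescriptive’s tooling), here is the kind of check the questions above imply: an Exchange Online audit that lists mailbox and inbox-rule forwarding to domains the tenant does not own, and mailboxes with no sign-in for a configurable number of days. It assumes the ExchangeOnlineManagement module is installed and the account running it can read mailboxes, inbox rules and mailbox statistics; the global-admin-as-daily-mailbox symptom needs a directory-role check and is not covered here.

```powershell
# Added example, not from the original post: audit an Exchange Online tenant for two of the
# symptoms named above, forwarding to addresses outside the tenant's own domains and mailboxes
# with no sign-in for $DormantDays days. Assumes the ExchangeOnlineManagement module is
# installed and the signed-in account can read mailboxes, inbox rules and mailbox statistics.
param([int]$DormantDays = 90)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Every domain the tenant owns; any other domain is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLowerInvariant() }

function Test-ExternalRecipient {
    param([string]$Recipient)
    # Recipients appear as 'user@domain', 'smtp:user@domain' or '"Name" [SMTP:user@domain]';
    # extract the domain part and compare it with the accepted-domain list.
    if ($Recipient -match '@([^\]\s">]+)') {
        return -not ($internalDomains -contains $Matches[1].ToLowerInvariant())
    }
    return $false   # no SMTP address present (e.g. a group referenced by display name only)
}

$cutoff   = (Get-Date).AddDays(-$DormantDays)
$findings = New-Object System.Collections.Generic.List[object]

foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $upn = $mbx.UserPrincipalName

    # Mailbox-level forwarding (set by an admin or through Outlook settings).
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalRecipient $mbx.ForwardingSmtpAddress)) {
        $findings.Add([pscustomobject]@{ Mailbox = $upn; Finding = 'External mailbox forwarding'; Detail = $mbx.ForwardingSmtpAddress })
    }

    # Per-rule forwarding; one call per mailbox, so expect this to take a while on large tenants.
    foreach ($rule in Get-InboxRule -Mailbox $upn) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalRecipient $t) {
                $findings.Add([pscustomobject]@{ Mailbox = $upn; Finding = "External inbox rule '$($rule.Name)'"; Detail = "$t" })
            }
        }
    }

    # Dormancy check. LastLogonTime can be bumped by background processes, so treat this as a
    # list for the account owner to confirm, not as proof that the mailbox is abandoned.
    $last = (Get-MailboxStatistics -Identity $upn).LastLogonTime
    if (-not $last -or $last -lt $cutoff) {
        $findings.Add([pscustomobject]@{ Mailbox = $upn; Finding = 'Dormant mailbox'; Detail = "Last logon: $last" })
    }
}

$findings | Sort-Object Finding, Mailbox | Export-Csv -Path .\m365-ownership-audit.csv -NoTypeInformation
$findings | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

The CSV is the useful artifact: it gives the risk owner a named list to assign, review and close, which is the ownership loop the post is describing.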
“Everyone assumes someone else is taking care of it.”
Prescriptive’s engineers regularly uncover issues that stem not from malicious actors, but from well-meaning neglect. These fall into three broad categories:
None of these are inherently technical failures. They’re ownership failures—symptoms of a culture where security is everyone’s problem and therefore no one’s priority.
Not every company needs a CISO, but every company needs someone to raise their hand and say, “I’ve got this.”
The risk awareness champion doesn’t have to be the most technical person in the room. In fact, the best ones often are not. They’re communicators. Translators. People who can take what a security tool is telling them and make it make sense to leadership, to HR, to finance.
They ask hard questions like:
More importantly, they empower others to care about these questions too.
At Prescriptive, we don’t just point out what’s wrong—we help you figure out who needs to care.
During a security audit or workshop, we often uncover not just technical debt, but a leadership vacuum around risk management. Our role is to help organizations identify that internal champion and give them the clarity, tools, and confidence to take the lead.
You don’t need a massive security budget or a dedicated team to improve your posture. You need someone who owns it—and a partner who has their back.
Cybersecurity isn’t a department—it’s a culture. And like any culture, it needs someone to nurture it, challenge it, and champion it. The threats are real. The tools exist. But without leadership, nothing changes.
Who owns the risk in your organization?
— John Parker, Senior Cybersecurity Engineer, Prescriptive Data Solutions