
October 17, 2025

When cybersecurity fails, “we didn’t know” isn’t a defence. So, who is actually accountable? And if the board doesn’t fully understand cyber risk and the organisation’s security posture in relation to that risk, who within the organisation does?
Cyber and information security sit with the board
Cyber and information security are too important to be left to chance or quietly delegated without oversight. Boards are ultimately responsible for steering an organisation’s direction and safeguarding the information it processes. That responsibility does not disappear simply because the subject is complex or technical.
The key question every board should be asking is simple: Who is accountable for our cyber and information security posture, and how do we know it’s working? When an incident happens (not if), accountability matters. Regulators, insurers, customers, and shareholders will all look to the board for answers.
Complexity is not an excuse: It’s a reason to bring in expertise
Understanding regulatory obligations, threat landscapes, and risk exposure can feel overwhelming, particularly for non-technical board members. That’s entirely reasonable. Cyber risk is complex. But complexity doesn’t remove accountability; it increases the need for informed oversight.
If board members do not have the depth of knowledge required to govern cyber and information security effectively, the solution is not to ignore it or assume it’s covered. The solution is to employ someone who understands it and can translate that complexity into business-relevant risk, decisions, and actions.
IT staff and MSPs manage IT - they don’t own your cyber risk!
Many organisations assume their internal IT team fills this role. In practice, most do not, and they are neither resourced, trained, nor mandated to.
Internal IT staff are usually focused on operational delivery: keeping systems running, supporting users, running implementation and refresh projects, and managing infrastructure. They are rarely responsible for:
- Information security policy and governance.
- Risk management frameworks.
- Compliance mapping and evidence.
- Audit readiness and assurance.
These are core information security functions. When they are missing, organisations are exposed, often without realising it.
The same misconception applies to MSPs. Many businesses believe their MSP “has their back” when it comes to security. In reality, MSPs provide “managed services”, not accountability. Unless specifically contracted, MSPs typically do not provide SOC (Security Operations Centre) type services by default. When a serious incident occurs, contractual boundaries may become very clear, with responsibility sitting firmly with the organisation, not the MSP.
Why smart boards hire cyber leadership fractionally
Hiring a full-time CISO gives your business an independent view of its cybersecurity and information security posture, helps you mitigate threats, works strategically to ensure that your systems and processes grow with business strategy, and ensures your information defence budget is spent wisely and effectively. But for many organisations a six-figure salary is difficult to justify, and for most organisations a full-time position for this role is simply not necessary.
You can avoid the six-figure salary and unlock expert IT and cybersecurity leadership with fractional support while saving your business thousands*. Economit will provide an experienced leadership team to undertake this critical role. A team, not a single individual, which means multiple skill sets, broader experience across industries, internationally recognised best practice standards and proven, demonstrable, real-world experience.
With fractional services, you are charged for the time and expertise your business requires, and you can scale as your needs dictate, offering flexibility as your business evolves.
What fractional leadership actually delivers
With the right fractional support, organisations gain:
- Clear ownership of cyber and information security.
- Independent assessment of risk and posture.
- Practical, compliant policies and controls.
- Ongoing risk management and audit readiness.
- Smarter, more effective security investment.
This removes the burden from overstretched management teams while giving boards much-needed visibility, confidence, and assurance.
Blind risk acceptance is still risk acceptance
Organisations without this level of oversight are not “managing” cyber risk; they are accepting it blindly. And in today’s threat landscape, that is a board-level decision, whether intended or not. Some threats are genuinely difficult to comprehend without technical expertise, which makes governance harder, not optional.
Accountability is the differentiator
Cybersecurity failures are rarely just technical. They are governance failures.
Working with experienced fractional leaders gives boards clarity, accountability, and control, ensuring security grows in line with business strategy, compliance expectations, and real-world threats.
For organisations seeking high-level IT and cybersecurity leadership without the overhead of full-time roles, our fractional model offers a smarter way forward.
* https://www.economit.co.uk/how-fractional-cios-and-cisos-save-smes-thousands/