Why Cyber Security Conversations So Often Break Down Between IT Managers and the Board

Cyber security often breaks down between IT Managers and boards. Learn why independent guidance and clear baselines lead to better decisions.

CYBER SECURITY

Ian Callens

1/29/2026 · 2 min read

Cyber security concept showing a digital shield and padlock representing baseline protection and risk management

For most IT Managers, cyber security is not a technical problem. It is a communication problem.

They understand the risks, the controls and their limitations. What is far harder is translating those realities into clear, proportionate decisions at board level, especially when senior leaders are being influenced by headlines, insurers or other external pressure.

This is where cyber security conversations often start to break down.

The pressure IT Managers are under

IT Managers are increasingly expected to “own” cyber risk, even though much of that risk sits outside their direct control.

They are asked to:

  • Justify security spend without being alarmist

  • Explain risk in business terms, not technical language

  • Respond to insurance, audit or compliance demands at short notice

  • Reassure directors without over-promising

At the same time, they are navigating a market full of suppliers whose messaging is driven by selling tools, not by helping organisations prioritise sensibly.

That combination puts IT Managers in a difficult position.

Why boards and senior leaders struggle with security decisions

From a board perspective, cyber security is often viewed through extremes.

Either:

  • “We must be secure, whatever the cost”, or

  • “We have never had an issue, so why change now?”

Neither position is particularly helpful.

Boards are rarely given neutral, structured advice. Instead, they are presented with:

  • Vendor-led assessments

  • Complex reports full of technical language

  • Recommendations that are hard to compare or challenge

This makes it difficult for senior leaders to distinguish between essential controls and optional enhancements.

Where Cyber Essentials fits, and where it does not

Schemes such as Cyber Essentials are often misunderstood.

Used properly, Cyber Essentials provides:

  • A baseline level of assurance

  • A clear set of minimum controls, covering five technical areas: firewalls, secure configuration, security update management, user access control and malware protection

  • A defensible position for IT Managers

Used badly, it becomes:

  • A box-ticking exercise (the basic tier is a self-assessment questionnaire; only Cyber Essentials Plus adds independent technical verification of the controls)

  • A substitute for wider risk thinking, even though it says nothing about risks outside its scope, such as third-party suppliers, backups or incident response

For many organisations, Cyber Essentials is a sensible starting point, not an end goal. It helps establish a common language between IT and the board, particularly when discussing why certain controls are non-negotiable.

This is why we often see it used as part of wider Cyber Essentials guidance, rather than as a standalone “solution”.

The problem with supplier-led security conversations

Most cyber security suppliers are not independent. Their recommendations are shaped by the services or tools they sell.

This creates a familiar pattern for IT Managers:

  • Every risk appears urgent

  • Every control appears essential

  • Every proposal claims to be best practice

The result is noise, not clarity.

IT Managers then become the filter, expected to rationalise supplier advice while maintaining credibility with senior stakeholders.

A more effective approach to cyber security discussions

An independent approach changes the tone of the conversation.

Instead of starting with tools, it starts with:

  • Business risk

  • Operational impact

  • Proportional response

An independent advisor can help:

  • Separate baseline controls from enhancements

  • Standardise how security options are compared

  • Support IT Managers in presenting balanced recommendations

  • Reduce supplier pressure and conflicting advice

This mirrors the principles used in independent IT support guidance, where the goal is clarity rather than volume.

Why this matters professionally for IT Managers

Cyber incidents rarely lead to questions about technology first. They lead to questions about decisions.

Having:

  • A clear rationale

  • An independent baseline

  • Documented reasoning

protects IT Managers professionally. It shows that decisions were made thoughtfully, proportionately and with the wider business context in mind, and it gives the organisation a record of what was known, what was accepted and why when an incident is later reviewed.

That is far more defensible than reacting to whichever supplier spoke last.

Final thought

Cyber security does not fail because IT Managers are unaware of the risks. It fails when conversations become reactive, supplier-led or disconnected from business reality.

Independent guidance helps restore balance. It gives IT Managers the space to make sensible recommendations and gives boards the confidence that decisions are being made for the right reasons.