
Who Owns Cybersecurity? Accountability in Large Organisations

Introduction

In 2026, the traditional view of cybersecurity as a “locked door” managed by a single IT team is obsolete. For complex, global organizations, cybersecurity ownership has shifted toward a Risk-First, Distributed Model. Ownership is no longer about who manages the firewall; it is about who owns the risk associated with a specific business process. 

The Three Dominant Ownership Models

Complex organizations typically adopt one of three structures based on their geographical footprint and regulatory requirements. 

  1. Centralized “Command and Control”: The Global CISO holds all accountability, and security standards are pushed from the top down. This ensures consistency but can slow response times for regional business units (BUs). 
  2. Decentralized “Autonomous” Model: BUs or regional offices operate their own security stacks and teams. This offers agility but often results in “security silos” and inconsistent protection levels across the firm. 
  3. Federated/Hybrid (The 2026 Standard): The center defines the “Security Guardrails” (minimum standards), while BUs have the autonomy to choose how to implement them. The CISO provides the platform and the guardrails, but the BU Head owns the business risk. 

The RACI of 2026: Who Actually "Owns" What?

To avoid the common CISO vs. CIO conflict, complex organizations have redefined accountability. The Board of Directors owns the fiduciary risk and is increasingly liable for “security negligence” under 2026 laws. The CISO acts as a high-level Risk Advisor owning the cybersecurity framework, while the CIO owns system availability and the implementation of controls. 

Critically, Business Unit Heads now own the data itself: if a marketing database is leaked, the Head of Marketing is responsible for the business impact, so that those who generate profit also share the burden of protecting that value. This shift ensures that cybersecurity is treated as a business enabler rather than a technical hurdle. For firms looking to bolster these internal structures, threat intelligence provides the data needed to make informed risk-ownership decisions. 

2026 Challenges: AI and "Agentic" Ownership

The emergence of agentic AI systems, which make autonomous decisions, has introduced a new “ownership gap.” 

  • Who owns an AI’s mistake? If an autonomous AI agent grants unauthorized access to a database, is that a security failure (CISO) or a system configuration failure (CIO)? In practice the question is only answerable if the agent was treated like any other non-human identity from the start: a named owner, a recorded purpose, and a permission scope no wider than that purpose needs. 
  • The Solution: Organizations are establishing AI Governance Boards that include Legal, Ethics, and Security leads to co-own the behavior of autonomous systems and prevent “unowned” machine risks. 

In Malaysia, the push for AI adoption must be balanced with the Cyber Security Act 2024, which emphasizes the protection of National Critical Information Infrastructure (NCII). This legislation makes it clear that the responsibility for digital safety cannot be outsourced or ignored by business leadership. 

Why Ownership Fails in Complex Firms

  1. Reporting Structure Clashes: When the CISO reports to the CIO, security often gets sidelined in favor of “uptime.” In 2026, leading firms have the CISO report to the CEO or Chief Risk Officer (CRO). 

  2. Shadow IT: SaaS tools or AI agents bought without IT’s knowledge create unowned risk that bypasses central cybersecurity protocols. 

  3. Lack of Incentives: If a Business Unit (BU) Head is only rewarded for profit and not for “security hygiene,” they will inevitably cut corners on protection to hit financial targets. 

To bridge these gaps, many Malaysian enterprises are turning to private cybersecurity partners to ensure that even decentralized units have access to enterprise-grade protection. 

Strengthening the Distributed Model: Best Practices

To successfully implement a federated model, organizations must focus on three core pillars: 

  1. Cultural Integration

Ownership is a mindset. Employees at every level must understand that they are the first line of defense. This requires continuous training and a clear communication channel between the AceTeam Networks experts and the operational staff. 

  2. Standardized Tooling

While BUs may have autonomy, the underlying infrastructure should be compatible. Using standardized cybersecurity dashboards allows the central CISO to have visibility without micromanaging daily operations. 

  3. Continuous Monitoring

In a complex environment, “point-in-time” audits are insufficient. Real-time monitoring ensures that if a BU drifts away from the established “Security Guardrails” (for example, log retention shortened below the minimum, an unvetted SaaS tool or AI agent appearing in use, or a control that the BU simply stops reporting), the center can intervene before a breach occurs. 
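The three points above (guardrails set centrally, drift detected continuously, and each finding attached to an accountable owner) are easier to see as code than as prose. The following is an added example, not code from the original page or from AceTeam Networks: it expresses a handful of guardrails as declarative rules, evaluates a BU’s reported control state against them, and routes every drift finding to the owner the page’s RACI would hold accountable. It also covers the “Shadow IT” and “agentic ownership” points earlier in the article (unapproved SaaS in use, AI agents with no recorded owner). The guardrail names, thresholds, owners, the approved-SaaS list and the sample BU report are all constructed assumptions for illustration, not any real standard.

```python
"""Guardrail drift check for a federated security model.

Added example; guardrails, owners, thresholds and the BU report below are
constructed assumptions, not a real organisation's standard.
"""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Guardrail:
    control: str      # key the BU is expected to report
    requirement: str  # equals | at_least | at_most | subset_of | all_have
    baseline: Any     # the centrally defined minimum standard
    owner: str        # who is accountable when this control drifts
    severity: str


@dataclass(frozen=True)
class Finding:
    bu: str
    control: str
    owner: str
    severity: str
    observed: Any
    detail: str


# Constructed list of SaaS tools the center has vetted (assumption).
APPROVED_SAAS = frozenset({"CRM-A", "Analytics-B", "Storage-C"})

# Constructed guardrails. Platform controls drift to the CIO; data-handling
# and shadow-IT controls drift to the BU Head, mirroring the page's RACI.
GUARDRAILS = (
    Guardrail("mfa_enforced", "equals", True, "CIO", "high"),
    Guardrail("log_retention_days", "at_least", 365, "CIO", "medium"),
    Guardrail("critical_patch_sla_days", "at_most", 30, "CIO", "high"),
    Guardrail("pii_encrypted_at_rest", "equals", True, "BU Head", "high"),
    Guardrail("saas_in_use", "subset_of", APPROVED_SAAS, "BU Head", "medium"),
    # every reported AI agent must carry a non-empty "owner" field
    Guardrail("ai_agents", "all_have", "owner", "BU Head", "high"),
)

# Constructed sample report from one BU (assumption).
SAMPLE_BU_REPORT = {
    "bu": "Marketing",
    "mfa_enforced": True,
    "log_retention_days": 90,
    # "critical_patch_sla_days" deliberately not reported
    "pii_encrypted_at_rest": True,
    "saas_in_use": {"CRM-A", "Analytics-B", "UnvettedChatTool"},
    "ai_agents": [
        {"name": "campaign-bot", "owner": "marketing-ops@example.com"},
        {"name": "lead-scorer", "owner": ""},  # unowned agent
    ],
}


def _check(g: Guardrail, observed: Any) -> tuple[bool, str]:
    """Return (compliant, human-readable detail) for one guardrail."""
    if g.requirement == "equals":
        return observed == g.baseline, f"observed {observed!r}, expected {g.baseline!r}"
    if g.requirement == "at_least":
        return observed >= g.baseline, f"observed {observed!r}, minimum {g.baseline!r}"
    if g.requirement == "at_most":
        return observed <= g.baseline, f"observed {observed!r}, maximum {g.baseline!r}"
    if g.requirement == "subset_of":
        extra = set(observed) - set(g.baseline)
        return not extra, f"unapproved items: {sorted(extra)}"
    if g.requirement == "all_have":
        missing = [item.get("name", "?") for item in observed if not item.get(g.baseline)]
        return not missing, f"items missing {g.baseline!r}: {missing}"
    raise ValueError(f"unknown requirement {g.requirement!r}")


def evaluate(report: dict, guardrails=GUARDRAILS) -> list[Finding]:
    """Return one Finding per guardrail the BU has drifted from.

    A control the BU does not report at all is treated as drift: the center
    cannot verify it, and "unverified" must not read as "compliant".
    """
    bu = report.get("bu", "unknown")
    findings: list[Finding] = []
    for g in guardrails:
        if g.control not in report:
            findings.append(Finding(bu, g.control, g.owner, g.severity, None,
                                    "control not reported; unverified is treated as drift"))
            continue
        ok, detail = _check(g, report[g.control])
        if not ok:
            findings.append(Finding(bu, g.control, g.owner, g.severity, report[g.control], detail))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Count drift by accountable owner and by severity for the dashboard."""
    by_owner: dict[str, int] = {}
    by_severity: dict[str, int] = {}
    for f in findings:
        by_owner[f.owner] = by_owner.get(f.owner, 0) + 1
        by_severity[f.severity] = by_severity.get(f.severity, 0) + 1
    return {"drifted_controls": len(findings), "by_owner": by_owner, "by_severity": by_severity}


if __name__ == "__main__":
    found = evaluate(SAMPLE_BU_REPORT)
    for f in found:
        print(f"[{f.severity}] {f.bu}/{f.control} -> {f.owner}: {f.detail}")
    print(summarize(found))
```

Run against the constructed report, the check flags four controls: the retention shortfall and the unreported patch SLA go to the CIO, while the unvetted SaaS tool and the unowned "lead-scorer" agent go to the BU Head. The point a practitioner should take from it is the routing, not the rules: a guardrail without an owner column is just a metric, and a BU that stops reporting a control should show up as drift rather than silently dropping off the dashboard.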

The Local Context: Cybersecurity in Malaysia

Malaysia has become a hub for digital transformation in Southeast Asia, but this growth comes with increased risks. Local organizations must align their ownership models with the directives of the National Cyber Security Agency (NACSA). Whether you are a government-linked company (GLC) or a private multinational, the transition toward a distributed model is no longer optional; it is a regulatory necessity. 

The complexity of local regulations means that organizations often require specialized help to navigate the technical and legal landscape. Integrating expert cyber threat intelligence is a vital step in staying ahead of regional threats that target specific Malaysian industries like finance and manufacturing. 

Summary of Accountability Roles

Role                 | Key Responsibility                 | Ownership Type
---------------------|------------------------------------|---------------------
Board of Directors   | Fiduciary & Legal Liability        | Ultimate Risk Owner
CISO                 | Security Strategy & Frameworks     | Policy & Governance
CIO                  | Infrastructure & Tool Deployment   | Technical Execution
BU Head              | Data Privacy & Process Integrity   | Operational Risk

Frequently Asked Questions

1. What are the legal consequences for SMEs that fail to report a cyber attack under the new 2024 Act?

Under the Cyber Security Act 2024, organisations designated as NCII entities (including SMEs that operate critical infrastructure or supply critical sectors) must report cybersecurity incidents to the National Cyber Security Agency (NACSA) within the short windows set by the Act’s incident-notification regulations: an initial notification within hours of becoming aware of the incident, followed by a fuller written report. Failure to notify, or evidence of a disorganized response, can result in offences under the Act and may lead to personal legal liability for company directors. 

2. Is it still legal to keep customer data indefinitely "just in case"?

No. The Retention Principle of the Personal Data Protection Act (PDPA), as amended in 2024 and in force from 2025, explicitly forbids businesses from keeping personal data longer than necessary for its original purpose. Storing "zombie data" on unmonitored drives is a major compliance gap. In 2026, the Personal Data Protection Commissioner (JPDP) has increased random audits, and non-compliance can lead to fines of up to RM1 million. 

3. My staff uses their own phones for work; do I really need a formal "BYOD" policy?

Yes. In the 2026 threat environment, a personal device without a Bring Your Own Device (BYOD) Policy is an unmonitored tunnel into your corporate network. Without a policy requiring Multi-Factor Authentication (MFA), encrypted containers for work apps, and the ability to remotely wipe corporate data, a compromised home router or a lost personal phone can lead to a large data breach that is very hard to contain or defend. 

4. Why is a "copy-paste" cybersecurity policy considered a high risk?

This is known as the "Paper Policy" Gap. If your policy mentions physical server security but your business actually runs on a decentralized cloud, the policy is unenforceable. During a breach, if management cannot prove they enforced localized, "lived" policies, they may fail client audits or lose insurance claims, making it essential to align documentation with actual technical workflows. 

5. Are there any government incentives to help SMEs close these policy gaps in 2026?

Yes. As announced in Budget 2026, the Malaysian government provides a 50% tax deduction for SMEs specifically for cybersecurity and AI upskilling. This incentive is designed to help businesses appoint and train a Data Protection Officer (DPO)—which is now mandatory for many organizations—and implement more robust security solutions. 

Conclusion

In a complex organization, cybersecurity is a lifecycle discipline, not a one-time project. Ownership must be distributed so that the business units generating value are empowered to protect it. The role of the central security team is no longer to be the “department of no,” but to provide the frameworks that enable the business to move fast and securely. By adopting a federated model and clarifying the RACI matrix, organizations can turn cybersecurity from a liability into a competitive advantage.