Disaster Recovery Journal Summer 2026
We Gave Cyber Risk to the CISO and Walked Away

By CHRIS ADAMS

Institutions tend to believe persistent problems will, over time, settle into place. A risk emerges. It creates friction. Eventually responsibility is assigned, processes form around it, and the problem becomes manageable, if not resolved. Cyber risk has never quite followed that pattern.

Instead of being absorbed into general management, it was professionalized. Organizations hired specialists, built security teams, invested heavily in tools, and elevated a role meant to sit at the center of digital uncertainty. Over time, the presence of this role came to function as reassurance. Someone was responsible. Someone was paying attention.

What remained less clear was whether responsibility had been meaningfully integrated into how the business itself was run, or whether it had simply been set aside.

The modern chief information security officer (CISO) occupies that ambiguity. The CISO is expected to anticipate threats, prevent incidents, coordinate responses, explain technical realities to senior leadership, and help navigate disruption when it occurs. At the same time, the role rarely carries authority over the decisions that most shape exposure. How systems are designed. How tightly operations are coupled. How much disruption is considered acceptable in pursuit of efficiency or growth.

That tension rarely draws attention to itself. It tends to surface only under pressure.

How Cyber Drifted Away from Governance

Cyber risk entered organizations as a technical concern because, for a time, it largely behaved like one. Early incidents were bounded. Systems went offline, were restored, and operations resumed. Responsibility rested, understandably, with those who ran the technology.

As digital systems became inseparable from business operations, the nature of the risk changed. Software came to govern logistics, payments, compliance, identity, and coordination. In many organizations, there is no longer a meaningful distinction between technology and operations. When one falters, the other does too.

What did not change as quickly was the way responsibility was distributed. Rather than becoming part of the same executive conversation as financial exposure or operational continuity, cyber risk remained associated with technical expertise. Security functions grew more formal. Reporting became more regular. The CISO role gained visibility, and in some cases proximity to boards.

This professionalization brought real gains. It reduced disorder. It created common language. It allowed complex issues to be discussed with greater clarity. It also helped preserve the sense cyber risk could largely be managed within a specialist domain. Decision authority remained elsewhere. Ownership, in practice, became diffuse.

Responsibility Without Control

CISOs are often expected to account for outcomes shaped by decisions they did not make. Those decisions are rarely framed as security choices at the time. Platform consolidation, rapid cloud migration, acquisitions integrated under compressed timelines, outsourcing arrangements which reduce internal visibility. Each choice can be justified on commercial grounds. Rarely are they considered together, as a system.

Cyber risk accumulates in that space. It develops quietly, shaped by incentives