A model for the owner's role
Decide. Delegate. Escalate.
If you run an established SME with an IT manager or MSP, you don't need to know how a firewall is configured or which patch was rolled out last Tuesday. You need to know which decisions belong to you, which belong to whoever runs the technology, and which ones need to land in front of the board. This page sets that out, topic by topic.
You decide
Risk appetite & spend
Anything that involves trading off cost against risk — what you'll tolerate, what you'll insure, what you'll spend. These are commercial decisions, not technical ones.
You delegate
Execution & configuration
Anything where the right answer follows from policy: patching, backups, MFA, AV, joiner/leaver, monitoring. Your job is to verify it's happening, not to do it.
You escalate
Anything material to the business
Breaches, near-misses, supplier changes that touch customer data, capex over a threshold, anything that would make the news. Board needs visibility, not detail.
By topic: who does what
A practical mapping. If your IT manager or MSP is doing the “Delegate” column on autopilot and you can see evidence, that's a healthy setup.
| Topic | You decide | You delegate | You escalate to the board |
|---|---|---|---|
| Backups | How long an outage you'll tolerate; how much data you can afford to lose | Backup frequency, retention, offsite copy, encryption, monthly restore test | A failed restore test, or a breach that hits backups |
| Identity & MFA | Whether MFA is mandatory for everyone (recommendation: yes) | Rollout, exceptions log, admin-account hardening, conditional access | Material exceptions; any admin account compromise |
| Patching | SLAs for critical patches (e.g. 14 days) — this is a business risk choice | Rollout, exceptions, vulnerability scan output, end-of-life device removal | A material vulnerability you couldn't patch in time |
| Suppliers & SaaS | Which suppliers count as critical; what diligence you require before signing | Tools register, supplier security reviews, contract clauses, leaver offboarding | Adding a critical supplier; a supplier breach affecting you |
| Data & GDPR | Lawful basis for processing; appointing a DPO if needed | Data map / ROPA, privacy notices, SAR process, retention schedules | Any notifiable breach, ICO contact, large SAR or complaint |
| Incidents | Who calls who; PR / legal contacts; spending authority during a live incident | Detection, triage, containment, recovery; tabletop tests at least annually | Every material incident; tabletop results once a year |
| AI use by staff | What's allowed in what tools; whether you pay for sanctioned versions | Tool review, training, monitoring, deactivating unsanctioned use | Material data leak; new high-risk use case (e.g. AI in customer-facing decisions) |
| Website | Whether the site handles customer data or money; pen test cadence | Hosting, certificates, code reviews, security headers, dependency updates | Defacement, customer-data breach, payment-flow incident |
| Insurance | Whether to buy cyber cover; cover limits; deductibles | Renewal questionnaire evidence pack; control attestations | Cover refused or premium changes materially |
| Certifications | Whether to pursue Cyber Essentials, Cyber Essentials Plus, ISO 27001, SOC2 | Evidence collection, remediation, the audit itself | Certification gained, lost, or materially failed |
| Joiners / leavers | Manager sign-off on access; tone for “deprovision on day of exit” | Account creation, MFA enrolment, equipment, day-of-exit deprovision | A leaver retains access materially after they've gone |
| Training & awareness | Whether to run it; cadence (annually, plus on-joining is the floor) | Delivery, phishing simulation, completion tracking | Click-rate trends if materially worse; a successful phishing attack |
Useful owner questions, by quarter
If you ask these once a quarter and get straight answers, you're in the comfortable middle. If the answers are vague, that's the signal something needs attention.
Backup & recovery
- When did we last successfully restore from backup?
- How long would the business be down if our main system went away tonight?
Identity & access
- How many admin accounts do we have? Who has them?
- Show me the leavers list for the last 90 days — were they all deprovisioned on the day?
Suppliers
- Show me the tools register. Anything new this quarter?
- If our MSP disappeared tomorrow, what would break first?
Incidents
- Any incidents or near-misses I should know about?
- When did we last run a tabletop?
People
- How did the last phishing simulation go — better or worse than last time?
- Anyone newly joined or about to leave that I should sign off on?
Money
- Are we tracking against the cyber budget? Any surprises coming?
- Anything in the next 12 months that'll need a capex decision?
A useful test
If you're being asked to make the technical decision, the model has slipped
“Which firewall vendor?” is not an owner question. “Are we comfortable spending £X a year so the business can recover in a day rather than a week?” is. If your IT manager or MSP keeps escalating brand/tool choices, ask them to recommend with reasons — and reserve your time for the trade-offs only you can make.
See the quarterly board report template for the format that keeps escalation healthy, or Someone's asking for the situations that change what gets escalated.