Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

A model for the owner's role

Decide. Delegate. Escalate.

If you run an established SME with an IT manager or MSP, you don't need to know how a firewall is configured or which patch was rolled out last Tuesday. You need to know which decisions belong to you, which belong to whoever runs the technology, and which ones need to land in front of the board. This page sets that out, topic by topic.

You decide

Risk appetite & spend

Anything that involves trading off cost against risk — what you'll tolerate, what you'll insure, what you'll spend. These are commercial decisions, not technical ones.

You delegate

Execution & configuration

Anything where the right answer follows from policy: patching, backups, MFA, AV, joiner/leaver, monitoring. Your job is to verify it's happening, not to do it.

You escalate

Anything material to the business

Breaches, near-misses, supplier changes that touch customer data, capex over a threshold, anything that would make the news. Board needs visibility, not detail.

By topic: who does what

A practical mapping. If your IT manager or MSP is doing the “Delegate” column on autopilot and you can see evidence, that's a healthy setup.

Topic You decide You delegate You escalate to the board
Backups How long an outage you'll tolerate; how much data you can afford to lose Backup frequency, retention, offsite copy, encryption, monthly restore test A failed restore test, or a breach that hits backups
Identity & MFA Whether MFA is mandatory for everyone (recommendation: yes) Rollout, exceptions log, admin-account hardening, conditional access Material exceptions; any admin account compromise
Patching SLAs for critical patches (e.g. 14 days) — this is a business risk choice Rollout, exceptions, vulnerability scan output, end-of-life device removal A material vulnerability you couldn't patch in time
Suppliers & SaaS Which suppliers count as critical; what diligence you require before signing Tools register, supplier security reviews, contract clauses, leaver offboarding Adding a critical supplier; a supplier breach affecting you
Data & GDPR Lawful basis for processing; appointing a DPO if needed Data map / ROPA, privacy notices, SAR process, retention schedules Any notifiable breach, ICO contact, large SAR or complaint
Incidents Who calls who; PR / legal contacts; spending authority during a live incident Detection, triage, containment, recovery; tabletop tests at least annually Every material incident; tabletop results once a year
AI use by staff What's allowed in what tools; whether you pay for sanctioned versions Tool review, training, monitoring, deactivating unsanctioned use Material data leak; new high-risk use case (e.g. AI in customer-facing decisions)
Website Whether the site handles customer data or money; pen test cadence Hosting, certificates, code reviews, security headers, dependency updates Defacement, customer-data breach, payment-flow incident
Insurance Whether to buy cyber cover; cover limits; deductibles Renewal questionnaire evidence pack; control attestations Cover refused or premium changes materially
Certifications Whether to pursue Cyber Essentials, Cyber Essentials Plus, ISO 27001, SOC2 Evidence collection, remediation, the audit itself Certification gained, lost, or materially failed
Joiners / leavers Manager sign-off on access; tone for “deprovision on day of exit” Account creation, MFA enrolment, equipment, day-of-exit deprovision A leaver retains access materially after they've gone
Training & awareness Whether to run it; cadence (annually, plus on-joining is the floor) Delivery, phishing simulation, completion tracking Click-rate trends if materially worse; a successful phishing attack

Useful owner questions, by quarter

If you ask these once a quarter and get straight answers, you're in the comfortable middle. If the answers are vague, that's the signal something needs attention.

Backup & recovery

  • When did we last successfully restore from backup?
  • How long would the business be down if our main system went away tonight?

Identity & access

  • How many admin accounts do we have? Who has them?
  • Show me the leavers list for the last 90 days — were they all deprovisioned on the day?

Suppliers

  • Show me the tools register. Anything new this quarter?
  • If our MSP disappeared tomorrow, what would break first?

Incidents

  • Any incidents or near-misses I should know about?
  • When did we last run a tabletop?

People

  • How did the last phishing simulation go — better or worse than last time?
  • Anyone newly joined or about to leave that I should sign off on?

Money

  • Are we tracking against the cyber budget? Any surprises coming?
  • Anything in the next 12 months that'll need a capex decision?

A useful test

If you're being asked to make the technical decision, the model has slipped

“Which firewall vendor?” is not an owner question. “Are we comfortable spending £X a year so the business can recover in a day rather than a week?” is. If your IT manager or MSP keeps escalating brand/tool choices, ask them to recommend with reasons — and reserve your time for the trade-offs only you can make.

See the quarterly board report template for the format that keeps escalation healthy, or Someone's asking for the situations that change what gets escalated.