Cybersecurity is not a technology problem. It is an institutional risk management problem that technology makes visible.
The Framing Error
The dominant framing of cybersecurity as a technology problem — a challenge to be addressed by security engineers through technical controls and defensive architecture — is accurate about where the solutions are implemented but misleading about where the risk originates. Most successful cyberattacks do not defeat technical controls. They exploit the gap between the technical controls that exist and the human and organisational processes that determine whether those controls are correctly configured, consistently maintained, and reliably applied to every system that requires them.
The credential that was not revoked when an employee departed. The software update that was not applied because the update window conflicted with operational requirements. The third-party vendor whose system access was never audited. The employee who clicked the phishing link because security awareness training had not been refreshed in eighteen months. Each of these is a cybersecurity failure that technical controls alone cannot fully prevent, because each control depends on an organisational process to be triggered at all: automated deprovisioning is only as good as the leaver feed from HR, a patch pipeline only as good as the schedule that drives it, and a vendor access review only as good as the calendar that makes it happen.
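Gaps of this kind become visible only when someone reconciles the systems that record them. As an added example that is not part of the original page, the Python below reconciles a constructed HR roster export against a constructed identity-provider account export and flags three of the gaps named above: enabled accounts belonging to departed employees, accounts with no HR record at all, and vendor accounts whose last access review is older than an assumed 90-day policy. All records, field names and thresholds are assumptions chosen for illustration, not data from any real system.

```python
"""Offboarding and vendor-access reconciliation check.

Added example, not from the original page. Assumes two constructed exports:
an HR roster (person id, status, end date) and an identity-provider account
list (enabled flag, owner, account type, last sign-in, last access review).
Policy thresholds below are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

LEAVER_GRACE = timedelta(days=1)            # assumed: disable within 1 day of end date
VENDOR_REVIEW_MAX_AGE = timedelta(days=90)  # assumed: vendor access reviewed quarterly


@dataclass(frozen=True)
class HrRecord:
    person_id: str
    status: str                 # "active" or "terminated"
    end_date: Optional[date]    # set when status is "terminated"


@dataclass(frozen=True)
class Account:
    username: str
    person_id: Optional[str]    # None for vendor accounts
    enabled: bool
    account_type: str           # "employee" or "vendor"
    last_sign_in: Optional[date]
    last_access_review: Optional[date]


@dataclass(frozen=True)
class Finding:
    username: str
    kind: str
    detail: str


def find_unrevoked_leavers(hr: List[HrRecord], accounts: List[Account], today: date) -> List[Finding]:
    """Enabled employee accounts whose owner has left, or who is unknown to HR."""
    known = {r.person_id for r in hr}
    terminated = {r.person_id: r for r in hr if r.status == "terminated"}
    findings = []
    for acct in accounts:
        if acct.account_type != "employee" or not acct.enabled:
            continue
        if acct.person_id not in known:
            findings.append(Finding(acct.username, "orphan_account", "no HR record for owner"))
            continue
        rec = terminated.get(acct.person_id)
        if rec is None:
            continue  # owner still active
        if rec.end_date is None:
            findings.append(Finding(acct.username, "missing_end_date", "terminated in HR but no end date"))
            continue
        deadline = rec.end_date + LEAVER_GRACE
        if today > deadline:
            detail = f"terminated {rec.end_date}, still enabled {(today - deadline).days} days past deadline"
            if acct.last_sign_in and acct.last_sign_in > rec.end_date:
                detail += f"; signed in {acct.last_sign_in} after termination"
            findings.append(Finding(acct.username, "unrevoked_leaver", detail))
    return findings


def find_unreviewed_vendor_access(accounts: List[Account], today: date) -> List[Finding]:
    """Enabled vendor accounts with no review, or a review older than policy allows."""
    findings = []
    for acct in accounts:
        if acct.account_type != "vendor" or not acct.enabled:
            continue
        if acct.last_access_review is None:
            findings.append(Finding(acct.username, "vendor_never_reviewed", "no access review on record"))
        elif today - acct.last_access_review > VENDOR_REVIEW_MAX_AGE:
            age = (today - acct.last_access_review).days
            findings.append(Finding(acct.username, "vendor_review_overdue", f"last reviewed {age} days ago"))
    return findings


def reconcile(hr: List[HrRecord], accounts: List[Account], today: date) -> List[Finding]:
    return find_unrevoked_leavers(hr, accounts, today) + find_unreviewed_vendor_access(accounts, today)


# Constructed sample data (not real people, vendors or systems).
TODAY = date(2024, 6, 1)
SAMPLE_HR = [
    HrRecord("p1", "active", None),
    HrRecord("p2", "terminated", date(2024, 5, 10)),   # left three weeks ago
    HrRecord("p3", "terminated", date(2024, 5, 31)),   # left yesterday, inside grace
]
SAMPLE_ACCOUNTS = [
    Account("alice", "p1", True, "employee", date(2024, 5, 30), None),
    Account("bob", "p2", True, "employee", date(2024, 5, 20), None),   # used after leaving
    Account("carol", "p3", True, "employee", date(2024, 5, 30), None),
    Account("dave", "p9", True, "employee", date(2024, 5, 29), None),  # unknown to HR
    Account("vendor-acme", None, True, "vendor", date(2024, 5, 28), date(2024, 1, 15)),
    Account("vendor-beta", None, True, "vendor", date(2024, 5, 28), date(2024, 4, 1)),
    Account("svc-old", None, False, "vendor", None, None),             # disabled, ignored
]

if __name__ == "__main__":
    for f in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, TODAY):
        print(f"{f.kind:22} {f.username:12} {f.detail}")
```

In practice the two inputs would come from the HR system and the identity provider's account API rather than inline constants; the value of the check is that it runs on a schedule regardless of whether any individual remembers to offboard a leaver or book a vendor review.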
Cybersecurity as Institutional Risk
Framing cybersecurity as institutional risk rather than as a technical challenge changes both the analytical approach and the governance response. Institutional risk management asks: what is the probability that a significant breach occurs, what would its impact be, and which investments in prevention and resilience would change that probability and impact? This framing requires leadership to engage with cybersecurity as a risk management question rather than a technical operations question. That engagement is what most organisations lack, and its absence is frequently identified in post-incident analyses as a contributing factor to the impact of a breach.
The institutional risk frame also clarifies the appropriate response to incidents. The technical framing produces an incident response focused on containment and technical remediation. The institutional risk frame produces an incident response that addresses the technical dimension and the organisational, process, and governance failures that allowed the incident to occur — producing the institutional learning that prevents recurrence rather than merely restoring the technical environment to the pre-incident state.
Cybersecurity risk is owned by the institution, not by the security team. The breach that traces back to an unrevoked credential, an unpatched system, or an untrained employee is a governance failure that technical controls alone could not have prevented, because the governance failure created the gap that the attacker used. The institution that manages cyber as institutional risk will outperform the institution that manages it as a technology problem every time an attacker finds such a gap.