Blogs & Opinions 21.08.2025

How to Build a Secure Digital Strategy Without a CISO

No CISO? No problem

Top-tier cyber talent is in short supply. With the right approach, that shouldn’t necessarily be a problem, argues Andrew Smith

For many businesses, employing a full-time chief information security officer (CISO) might feel out of reach. But going without one carries risk: if anything, the absence of dedicated cybersecurity leadership makes a company more vulnerable.

Cyber threats don’t wait for the right headcount. Whether a business has 200 employees or two, its digital assets remain just as exposed. That’s why it’s essential to think differently about how to approach cybersecurity, particularly if the organisation doesn’t have a CISO in place. Here are four tips to bear in mind.

1. Brilliant basics


First, thoroughly assess cyber hygiene and take active steps to improve resilience. Is there a strong password policy, and is multi-factor authentication turned on for all users? Is the team patching everything – operating systems, switches, third-party apps – and rebooting endpoints so that the patches actually take effect? Are host firewalls turned on for all endpoints, and is both inbound and outbound traffic restricted?
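The questions above can be turned into a repeatable check rather than a one-off conversation. The script below is an added example, not code from the article or from Kyocera; it reads the host firewall state and pending-reboot markers on a single Windows endpoint and lists anything that falls short of the basics. The 30-day patch-staleness threshold is an assumption chosen for illustration.

```powershell
# Added example (not from the article): read-only hygiene check for one Windows
# endpoint covering host firewall state, default traffic handling and whether
# installed patches are still waiting on a reboot. Run elevated; nothing is changed.

$findings = @()

# 1. Firewall enabled for every profile; inbound must not default to Allow.
#    (DefaultInboundAction 'NotConfigured' falls back to the built-in Block.)
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) {
        $findings += "Firewall profile '$($p.Name)' is disabled"
    }
    if ($p.DefaultInboundAction -eq 'Allow') {
        $findings += "Profile '$($p.Name)' allows inbound traffic by default"
    }
    # Outbound usually defaults to Allow; flag it so restriction is a conscious decision.
    if ($p.DefaultOutboundAction -ne 'Block') {
        $findings += "Profile '$($p.Name)' does not restrict outbound traffic (review)"
    }
}

# 2. Patches installed but not yet applied because the endpoint has not rebooted.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
foreach ($k in $rebootKeys) {
    if (Test-Path $k) { $findings += "Reboot pending: $k" }
}

# 3. Patch staleness: date of the most recent hotfix (30 days is an assumed threshold).
$latest = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest -and $latest.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += "No hotfix in the last 30 days (latest: $($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString()))"
}

if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): no hygiene findings"
} else {
    Write-Output "$($env:COMPUTERNAME): $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it across the estate with Invoke-Command and keep the output; a list of endpoints with pending reboots or disabled firewall profiles is the kind of evidence the leadership team can act on without a CISO interpreting it.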

Next, make sure that employees – especially those in sensitive positions – receive up-to-date cybersecurity training. The vast majority of attacks begin with human error, so it’s critical that employees recognise the tell-tale signs of phishing emails and social engineering scams.

These simple building blocks will deliver a strong foundation on which to build a comprehensive cybersecurity strategy.

2. Revisit existing frameworks and governance

The absence of a CISO shouldn’t mean the absence of structure. Begin by examining what frameworks, governance policies and controls are already in place. The UK NCSC’s Cyber Assessment Framework and the NIST Cybersecurity Framework 2.0 can form the foundation of an effective cybersecurity strategy, offering continuity and direction.

Embedding proven models and frameworks into the business in this way helps ensure that security isn’t dependent on individuals. If the organisation has been through a period of change, such as downsizing, rapid scaling or outsourcing, now is the time to check those frameworks are still fit for purpose.

3. Align digital strategy with wider business goals

It sounds obvious, but too often digital and cybersecurity strategy is treated as a separate entity, owned by IT or delegated to a third party. In reality, it should be a natural extension of overall business strategy.

Start by understanding how digital plans align with core business objectives. What dependencies are there? Where are the pressure points from a security perspective? Who is ultimately responsible for decisions if there’s no CISO to sign them off?


Mapping out these interdependencies is key. It helps create visibility across the leadership team, encourages shared accountability and ensures that risks are considered in the larger context rather than in isolation.

It’s also worth building a clear, maintained body of market data and threat insight to underpin the strategy. In the absence of a security lead, it matters all the more that decisions are guided by relevant, reliable intelligence rather than gut feel or outdated assumptions.

4. Identify who’s responsible and what’s possible

Without a CISO, someone still has to execute the plan. That could be a capable member of middle management, an outsourced partner, or another member of the C-suite. But whoever it is, they need clarity on what’s expected, a strong awareness of security issues, and the authority to follow through.

This is where things can get complicated. In an outsourcing partnership, don’t assume the external supplier will automatically handle governance or risk ownership. There must be clear structures in place to make sure their work aligns with your expectations, internal controls and long-term strategy.

It’s worth asking: does the supplier provide enough transparency to allow for proper oversight? Is there a framework for ongoing review and accountability? Are we treating them as a strategic partner, or simply a box-ticking exercise? If the answer to any of these questions is unclear, take time to revisit your approach.


Final thoughts

The process for hiring top-tier cyber talent is becoming more complex, especially for businesses operating on tighter budgets. But that doesn’t mean compromising on security.

With the right partnerships, clear governance and a strategic mindset, businesses can still protect their data and build resilience, even without a CISO in command. Mitigating threats may be challenging, but that doesn’t mean your business has to face it unprepared.

Andrew Smith is CISO at Kyocera Document Solutions UK, and founder of Kyocera Cyber, an MSSP. With 20 years of experience in strategic IT/cybersecurity leadership, Andrew’s track record is testament to his visionary leadership style and commercial acumen. Kyocera Group UK has transformed from a product to a service-driven model under Andrew’s stewardship, with its ICT division specialising in hybrid infrastructure, managed services, and cybersecurity.
