Many organisations believe they have cyber risk “covered”.
In practice, that confidence is often based on assumption rather than evidence.
Here are the five most common myths we see even in well-run, well-resourced businesses.
Myth 1: “Our IT provider handles cyber risk”
Reality:
IT teams are essential but cyber risk does not sit solely in IT.
IT focuses on delivering and maintaining systems. Cyber risk spans governance, accountability, people's behaviour, suppliers, and readiness when something goes wrong.
Without independent assurance, boards are often relying on internal reporting to confirm that controls are working, which means teams are effectively marking their own homework.
Myth 2: “We’ve invested heavily in security tools, so we’re protected”
Reality:
Most serious cyber incidents don’t occur because tools were missing.
They happen because controls drift over time:
- access isn’t reviewed regularly
- MFA isn’t enforced everywhere
- suppliers have broader access than intended
- patching is assumed, not verified
Assurance isn’t about buying more technology. It’s about verifying that what’s already been approved is actually enforced in practice.
Myth 3: “We’re certified, so risk is under control”
Reality:
Certifications and standards are valuable — but they are point-in-time.
They confirm that certain controls existed on a specific date. They do not provide ongoing visibility into:
- how consistently controls are applied
- whether execution has drifted
- whether leadership would be ready under pressure
Independent assurance complements certification by checking whether controls still hold up day to day, not just at audit time.
Myth 4: “If something went wrong, we’d know what to do”
Reality:
In many organisations, incident response plans exist — but they’ve never been tested with leadership involved.
When a real incident occurs, the challenge is rarely technical alone. Boards are forced to make rapid decisions about:
- trading disruption
- customer and regulator communications
- legal and insurance obligations
Assurance tests not just controls, but decision-making, roles, and readiness under pressure.
Myth 5: “Assurance is about compliance”
Reality:
Good assurance goes far beyond compliance.
It provides:
- written, board-level clarity on risk and vulnerabilities
- evidence that controls are proportionate and defensible
- confidence when challenged by regulators, insurers, customers, or investors
The outcome isn’t a tick-box. It’s confidence that cyber risk is genuinely being managed, not just assumed.
What Good Assurance Looks Like
Effective assurance should:
- be independent of IT and technology providers
- be written and intelligible to board members
- assess people, governance, suppliers, processes, and technology
- identify gaps and provide a practical roadmap to close them
- be revisited as the business and threat landscape evolve
The Board Question That Matters Most
Are we relying on confidence, or on evidence, that our cyber controls actually work?
If you’d like an independent perspective on how assurance works in practice, we’re happy to have an initial conversation.
Speak to us to request an independent cyber risk sense-check.