Why Cybersecurity Breaks Down When Risk Decisions Stay in IT Instead of the Boardroom

The Security Digest - News Team
Published January 13, 2026

Cyber risk fails when no one owns it. Mike Andrewes, cybersecurity advisor and owner of Yastis, shows why security must be treated as a business decision, not an IT task.

Credit: Outlever

Key Points

  • Expanding tech stacks create an unmanaged middle where attack surfaces grow faster than accountability, leaving risk to fall between tools, teams, and executive ownership.

  • Mike Andrewes, a cybersecurity advisor and owner of Yastis, frames cyber failure as a leadership and structural problem, not a lack of tools or spend.

  • He calls for a risk-first model that defines ownership, limits complexity to what teams can actually manage, and treats cybersecurity as a core business decision discussed at the board level.

At most organizations, the finger-pointing starts almost immediately after a data breach. But while blame gets assigned, accountability rarely does. Usually, that's because the person charged with managing cyber risk—often the CISO—lacks the financial authority to own it. Now, that gap is making companies vulnerable and executives exposed. The fix starts with a new mindset: treating security as exclusively a technical issue is a significant oversight.

According to cybersecurity advisor Mike Andrewes, it's time to reframe the conversation. As the owner of cybersecurity advisory Yastis, Andrewes guides startups and SMBs through complex compliance environments. He also serves as a Cyberspace Operations Officer in the Ohio Air National Guard and once led classified cybersecurity for the F-35 at Lockheed Martin. From his perspective, organizations that treat security as a purely technical issue leave themselves with a significant blind spot.

"Cyber risk is business risk. Too many companies treat security as the CTO's problem and bring it to the boardroom only when something breaks or funding is needed. But every business risk discussion—competitive, financial, or operational—should include cybersecurity," Andrewes says. With the global average cost of a data breach now $4.4 million, that point is hard to ignore.

  • The blame game begins: The disconnect often starts with hiring, Andrewes explains. "When a job description asks a CISO to 'own' cyber risk, candidates agree even if the term is undefined. That ambiguity breeds confusion from day one and turns into finger-pointing when something goes wrong."

  • A risk no one can own: In fact, even as most executives are increasing cyber budgets, only a fraction feel confident in their ability to manage data risk. "A court will see a CISO’s salary and a multimillion-dollar liability and conclude they lack the financial capacity for true ownership. A CISO can manage risk, but only the board—those with financial liability—can own it," Andrewes says.

Knowing the odds are stacked against them, some CISO candidates now negotiate golden parachutes, Andrewes explains. But the motivation for change is rarely proactive. "Every single one of these companies either had something happen already, had a close call, or lost a deal because of it. It's always about making money or losing money," he says. "No one does this simply because they want to."

For Andrewes, the solution is a shift in identity: turning security leaders into business executives who specialize in technology. That means internalizing the C-suite mindset, not just speaking its language.

  • Get down to business: The best CISOs translate technical risk into business terms, Andrewes says. "You’re a businessperson who happens to specialize in technology. Think in dollars and outcomes. Don’t just reframe issues for meetings. Live that mindset daily." Eventually, that shift replaces checkbox compliance with a risk-driven strategy. Today, Andrewes applies the same rule in his own work. "I won’t take clients who don’t prioritize risk. When you base your program on actual risks to your environment, you can’t go wrong. Compliance follows naturally."

  • Learn fast or fall behind: Emerging AI threats only heighten the need for this literacy, Andrewes notes. "A baseline understanding of AI is essential. Without it, leaders will stay reactive." For many companies, the wake-up call isn't a breach but a compliance push—pursuing SOC 2 or ISO certification to close a deal. But for Andrewes, the initial motivation for pursuing security is less important than the outcome. "We don't go to the gym and say, 'Yeah, that guy is jacked, but he's only doing it to get dates.' Do it for whatever reason you want. But just do it."

Andrewes closes with a blunt test for organizational maturity. "You can spot the issues right away," he says. "If an executive’s eyes glaze over when you ask about cybersecurity, you know there are problems." The clearest warning sign is deflection. "They immediately delegate responsibility, deferring to the CISO or saying the CTO handles it."

More capable leaders answer differently. "They simply confirm that cybersecurity is discussed every time business risk is on the table," Andrewes says. That response reflects more than good security hygiene. It signals stronger leadership. "When a CEO speaks fluently about cyber risk, I know they’re better at business," he concludes. "Their job is to avoid blind spots, and cybersecurity is one of the biggest."