Why organisations with active security programmes remain exposed — and what the research says about why this happens
The pattern that keeps appearing
The gap assessment had not been requested because anything had gone wrong. The organisation was running an active security programme. Controls were in place. A multi-year roadmap existed. The CISO presented quarterly to leadership. Reporting was regular and detailed.
The assessment revealed that the areas of greatest exposure — the ones that would cause the most damage if something went wrong — were largely absent from the roadmap. Not because anyone had decided to accept that risk. Because no one had mapped the exposure in the first place.
The roadmap had been built on what was visible. Findings from previous audits. Known vulnerabilities. Areas the team already had context on. The programme was active and well-intentioned. It was not anchored to a picture of actual risk.
This is not an unusual finding. It is, in practice, one of the most consistent patterns in security governance. Organisations invest in security. They build programmes, hire teams, implement frameworks. And they remain exposed in ways the programme was never designed to see — because the programme was built without first asking what the organisation is actually carrying.
This is the alignment gap. And understanding why it forms is the first step toward closing it.
This article builds on the argument made in Cybersecurity Is Not an IT Problem — that cyber risk is a governance problem, not a technology problem. The alignment gap is one of its most consequential expressions.
What the research actually shows
The alignment gap is not a theoretical construct. It is a documented pattern, examined from multiple directions in the research literature.
Romanosky and Petrun Sayers, writing in Management Research Review (2024), conducted thematic analysis based on semi-structured interviews with risk practitioners across industries. Their finding was consistent: in most organisations, cyber risk is managed separately from the enterprise risk management process. It is collected differently, characterised differently, and reported differently — often by a different function, using different language, to a different audience. The result is a structural disconnect between cyber risk and the governance processes that are supposed to incorporate it.
Oh, Hoang, Sturdy and Guo, in Cybersecurity Governance (Springer, 2025), approach the same problem from a governance architecture perspective. Their central argument is that effective cybersecurity governance cannot be optimised as a standalone function. It requires integration across the interdependent functions of the organisation — technology, finance, operations, human factors — within a coherent framework embedded in enterprise risk management. A cybersecurity function optimised in isolation will, as they put it, consistently underperform against the actual risk profile of the organisation. The whole, in other words, is greater than the sum of its parts. But only when the parts are actually connected.
NIST recognised this problem explicitly enough to publish a dedicated document series addressing it. NIST IR 8286, Integrating Cybersecurity and Enterprise Risk Management, and its companion documents, exist because the gap between cybersecurity risk management and enterprise risk management was wide enough — and consequential enough — to require a formal framework for closing it. The series maps cybersecurity risk directly onto enterprise risk categories: financial risk, reputational risk, operational risk, legal and regulatory risk. It describes, in practical terms, how to prioritise cybersecurity investment in light of enterprise objectives rather than in isolation from them.
The gap is still wide.
How the alignment gap forms
Understanding the mechanism matters, because the alignment gap does not form through negligence. It forms through a logic that feels reasonable at the time.
When a security team builds a roadmap without a prior risk assessment, prioritisation defaults to what is already known. Previous audit findings. Recent incidents. Visible vulnerabilities. Areas where the team has context and the organisation has already asked questions. This is not irrational. It is a predictable response to the absence of a more rigorous input.
Wilkin and Chenhall, writing in the Journal of Information Systems (2020), identify a structural mechanism that helps explain why this pattern persists: when ownership of a risk domain is unclear above the functional level, the function that owns it operationally tends to define the problem in terms of what it can see and measure — not in terms of enterprise impact. In the absence of an explicit governance structure that connects cybersecurity risk to business decisions, the security function manages what is visible to it. The exposure that sits outside its line of sight goes unaddressed.
Corallo, Lazoi and Lezzi, in Computers in Industry (2020), provide empirical evidence of the consequence. Organisations that do not map cybersecurity risks to business impacts consistently misallocate protective effort — concentrating investment on assets of lower value while leaving critical assets exposed. The misalignment is not random. It follows directly from the absence of an exposure map that connects security decisions to what the organisation is actually trying to protect.
The alignment gap, in other words, is structural. It is the predictable outcome of building a programme before building the foundation the programme requires.
What it looks like in practice
Three patterns appear consistently in organisations where the alignment gap has not been closed.
The first is a roadmap that addresses yesterday’s incidents rather than today’s exposure. The programme responds to what has already happened — vulnerabilities flagged in the last assessment, findings from the last audit, controls that were missing when something went wrong. It produces real activity and genuine improvement. But it does so without reference to where the actual risk is concentrated now, and it cannot see the exposure that has not yet surfaced as an incident.
The second is a board that believes it is informed when it is receiving evidence of activity. Patch rates. Incident counts. Compliance coverage. These metrics answer one question: what is the security function doing? They do not answer what the board actually needs to answer: what risk is the organisation currently carrying, and who has accepted it? The distinction matters because a board that cannot answer the second question cannot evaluate whether the security programme is calibrated to the organisation’s actual exposure — or to something else entirely.
The third pattern is perhaps the most instructive, because it shows the alignment gap operating at the moment a consequential decision is made.
A CISO had identified a rising trend in device-level fraud in the organisation’s electronic banking environment. The attack surface had shifted. The risk was visible to someone paying attention. The budget request for a fraud management system went to the COO.
The COO had a simple answer. Twenty years of electronic banking. Zero successful attacks. Budget denied.
Six months later, the attack happened.
The COO was not reckless. He was applying a decision framework that feels sound in almost every other business context: look at the historical record and make a judgement based on what has happened. What that framework cannot do is assess forward-looking exposure. It can tell you what has occurred. It cannot tell you what is accumulating.
The gap was not between the CISO and the COO. It was between the decision framework available to leadership and the kind of risk signal the CISO was trying to communicate. That gap is a governance architecture problem. The organisation had not built the structure that would have made that signal legible at the level where the decision was being made.
For a broader examination of how growth decisions create similar governance gaps, see Growth Without Governance Is Risk.
The measurement problem
The alignment gap is partly self-concealing, which is why it persists.
An organisation without a baseline cannot know whether its security posture is improving or deteriorating. It can measure activity — what the team has done, what controls have been implemented, how many vulnerabilities have been patched. What it cannot measure is whether those activities are addressing the right things.
PwC’s research puts a number on this. Only 27% of business leaders strongly agree that their cybersecurity strategy is well aligned with their overall business strategy — despite 74% naming cybersecurity as a top priority. That is not a paradox. It is a direct consequence of the alignment gap. Organisations have elevated the priority of cybersecurity without building the governance structures that would allow them to connect security decisions to business objectives. The investment is real. The alignment is not.
The absence of a risk assessment does not produce an obviously broken programme. It produces a programme that looks functional, reports regularly, and genuinely improves certain things — while remaining blind to the exposure that matters most. The organisation does not know what it does not know. And without a baseline, it has no way to find out.
What closing the gap actually requires
The alignment gap is not closed by adding layers to an existing programme. It is closed by changing where the programme starts.
The prerequisite is a risk assessment that produces a documented exposure map — a clear picture of where the organisation carries risk, in business terms, connected to what the organisation is actually trying to protect. This is precisely what NIST CSF 2.0’s GOVERN function is designed to serve: establishing risk tolerance, mapping exposure, and creating the foundation against which everything that follows — Identify, Protect, Detect, Respond, Recover — can be prioritised. Without GOVERN as the starting point, the other functions operate without a reference.
From that foundation, three things become possible that were not possible before.
Prioritisation becomes defensible. When the roadmap is anchored to an exposure map, the organisation can explain why it is working on what it is working on — and why other things are lower priority. That explanation holds up under regulatory scrutiny, under board questioning, and under the pressure of an incident. Without the exposure map, it does not.
The board can ask the right question. The shift from “what is the security function doing” to “what risk are we carrying and who has accepted it” requires a governance structure that makes exposure visible at leadership level. That structure does not emerge from better reporting. It is designed into the governance architecture.
Ownership above the functional level becomes explicit. When cyber risk is mapped to enterprise risk categories and expressed in business terms, accountability can sit where it belongs — with the leadership that is responsible for the organisation’s overall risk posture, not exclusively with the security function that manages the technical dimension of it.
Conclusion
The alignment gap is not a failure of the security function. In most organisations where it exists, the security team is doing real work and making genuine improvements. The gap is structural: the programme was built before the foundation was laid, and the foundation is what the programme needs to know what it is actually trying to do.
Closing it requires going back to the beginning — not to redo what has been built, but to anchor it. A risk assessment does not invalidate an existing programme. It gives the programme a reference point it has been operating without.
The organisations that close the alignment gap do not necessarily spend more on security. They spend it differently — on the things that carry the most risk, in the order that matters, with a documented rationale that holds up when it is tested.
That is what the difference between a programme and a strategy looks like in practice.
Senad Džananović is a senior Cyber and AI Governance advisor with 20+ years of experience across Central and Eastern Europe. He works with boards, CISOs and risk managers to translate governance and regulatory requirements into systems that hold under audit, regulatory scrutiny and real incidents.
References
- Academic sources
- Corallo, A., Lazoi, M., & Lezzi, M. (2020). Cybersecurity in the context of industry 4.0: A structured classification of critical assets and business impacts. Computers in Industry, 114, 103165. https://doi.org/10.1016/j.compind.2019.103165
- Oh, K. B., Hoang, G., Sturdy, J., & Guo, S. S. (2025). Cybersecurity Governance: An Enterprise Risk Management Strategy for Cyber Risk Control. Springer Nature Singapore. https://doi.org/10.1007/978-981-95-3865-2
- Romanosky, S., & Petrun Sayers, E. L. (2024). Enterprise risk management: How do firms integrate cyber risk? Management Research Review, 47(1), 1–17. https://doi.org/10.1108/MRR-10-2021-0774
- Wilkin, C. L., & Chenhall, R. H. (2020). Information technology governance: Reflections on the past and future directions. Journal of Information Systems, 34(2), 257–292. https://publications.aaahq.org/jis/article-abstract/34/2/257/1179/
- Institutional and regulatory sources
- National Institute of Standards and Technology. (2024). The NIST Cybersecurity Framework (CSF) 2.0 (NIST CSWP 29). https://doi.org/10.6028/NIST.CSWP.29
- National Institute of Standards and Technology. (2025). Integrating Cybersecurity and Enterprise Risk Management (ERM) (NIST IR 8286, Rev. 1). https://csrc.nist.gov/pubs/ir/8286/r1/final
- Industry research
- PwC. (2024). Global Digital Trust Insights 2024. https://www.pwc.com/gx/en/issues/cybersecurity/digital-trust-insights.html