Comfortable Ignorance Protected by Process

Why Smart CEOs Lose Control of Cyber Risk Without Realizing It

Happy New Year. It’s good to be back.

As we head into 2026, I’ve been thinking a lot about conversations I’ve had with CEOs over the last several years. Conversations that look different on the surface, but almost always rest on the same assumption.

Most CEOs genuinely believe their IT group has cybersecurity handled.

That belief is not careless. It’s not irresponsible. And it’s rarely wrong in intent.

You hired professionals. You outsourced where it made sense. You brought in an MSP or MSSP because building a full internal IT and security team wasn’t practical or efficient.

From a leadership standpoint, that decision makes sense.

The problem is what happens next.

Once cybersecurity is delegated, most CEOs lose visibility into what is actually being done in their name. Not because anyone is hiding information, but because there is no independent way to validate it.

No clear mechanism to answer basic questions like:

What risks are actively being managed? Which risks are being accepted? Which risks are invisible? And who truly owns the business and financial consequences if something fails?

As long as nothing breaks, that gap stays hidden.

Until it doesn’t.

A business leader reviews folders marked OPERATIONS, IT SERVICES, RISK by a city-view window. NCX Group logo signals trusted oversight.

The Assumption That Quietly Fails

I’ve written before about a CEO who ran a successful engineering firm. The firm was hit by a ransomware attack, and it took more than 30 days to get its systems back online. It took almost a year for the business to feel stable and confident again with customers, employees, and partners.

What stuck with me wasn’t the technology failure.

It was what the CEO said afterward.

“No one told me cybersecurity was this critical to my business.”

That statement wasn’t ignorance. It was the collapse of a reasonable assumption.

The CEO believed responsibility had been delegated appropriately. What they didn’t realize was that delegation without validation creates a blind spot.

And that blind spot is where real damage happens.

The Real Problem Isn’t Ignorance. It’s Comfort.

This is what I call comfortable ignorance protected by process.

Smart leaders aren’t unaware. They’re insulated.

Processes, checklists, vendors, and reports create a sense of coverage without creating proof of risk ownership.

Cyber insurance exists. The MSP is in place. Security tools are deployed. Compliance boxes are checked.

Each layer adds comfort. None of them guarantees clarity.

Process becomes the substitute for visibility.

And over time, that comfort hardens into belief.

How MSPs and MSSPs Became the Default Answer

Most CEOs don’t consciously decide to hand cyber risk to an MSP or MSSP.

It happens gradually.

IT responsibility is outsourced. Security is bundled into the service. Availability, patching, backups, and monitoring are handled.

The relationship works well. Until it doesn’t.

Here’s the uncomfortable truth.

MSPs and MSSPs were never designed to own business risk, financial exposure, or valuation impact. They were designed to deliver operational services at scale.

Over time, the market quietly assigned them a responsibility they were never architected to carry.

Today, MSPs represent one of the largest concentrations of third-party access, privileges, and dependencies within most organizations. Threat actors know this. Attack data reflects it. And buyers absolutely factor it into diligence.

This isn’t about bad providers. Many MSPs are highly capable and well-intentioned.

It’s about structural misalignment.

Operational responsibility is not the same as risk ownership.

Where the Blind Spot Becomes a Financial Problem

Cyber risk rarely announces itself as a security issue.

It shows up as:

  • Extended downtime
  • Lost customer confidence
  • Insurance disputes
  • Regulatory scrutiny
  • Deal delays
  • Valuation pressure

In M&A and capital events, the impact is even more direct.

Buyers don’t ask whether you feel secure. They ask what you can prove.

When cyber risk is unclear, buyers default to protection.

They discount value. They shift liability. They add escrows and holdbacks. They slow deals or walk away.

Not because they’re hostile. Because uncertainty is risk. And risk gets priced.

At that point, the conversation is no longer technical.

It’s financial.

Why This Keeps Happening to Good Companies

The reason this pattern repeats isn’t that CEOs are ignoring cyber risk.

It’s because the system rewards comfort until something breaks.

No deal advisor loses sleep over cyber risk that hasn’t surfaced yet. No board meeting gets derailed by a problem no one can see. No MSP is measured on valuation impact.

So the process stays intact.

Until a buyer, insurer, regulator, or attacker applies pressure.

Then the gap becomes visible. And expensive.

The Shift That Has to Happen in 2026

Cyber risk can no longer live only inside IT.

It has to live alongside:

  • Business risk
  • Financial exposure
  • Operational resilience
  • Vendor dependency
  • Governance and accountability

This doesn’t mean ripping out MSPs or rebuilding everything in-house.

It means adding something that has been missing all along.

Independent validation.

A way for leadership to see what is actually being done in their name. A way to translate technical exposure into business and financial terms. A way to surface risk before someone else uses it as leverage.

Because once a buyer is the first person to quantify your cyber risk, you’ve already lost control of the narrative.

The Line Every CEO Should Remember

Cyber risk doesn’t destroy value because systems fail.

It destroys value because assumptions go unchallenged for too long.

Comfortable ignorance feels safe. Process reinforces it. Until the moment it doesn’t.

If you’re a CEO heading into 2026 thinking about growth, insurance, or an exit in the next few years, this is the moment to look beyond delegation and ask a harder question.

How can I independently assess the risks my business is carrying today?

Because the earlier you ask it, the more leverage you keep.

Mike Fitzpatrick, Founder and CEO, NCX Group

PS: If you’re hearing about your cyber risk for the first time during a deal, an insurance renewal, or an incident, you’re already late. The time to validate what’s being done in your name is before someone else decides what it’s worth.

Repost from LinkedIn – https://www.linkedin.com/pulse/comfortable-ignorance-protected-process-mike-fitzpatrick-syy8c/
