When no one owns cybersecurity, problems slip through the cracks. A Delhi-based e-commerce startup lost customer payment data in 2022 because its founder thought the IT contractor was handling backups, the contractor thought the owner would buy security tools, and neither did anything. The company faced a ₹50 lakh regulatory fine, lost customer trust, and took 6 months to recover. Without a clear owner, cyber incidents are discovered late, response is chaotic, compliance audits fail, and your customers or banks may stop trusting you.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- Level 0, Absent: You ask three people about cybersecurity and get three different answers about who is responsible. Nobody has it written down, and when something goes wrong, there is finger-pointing instead of a response.
- Level 1, Initial: Someone, usually your IT person or office manager, has been told they are responsible for cybersecurity, but it is not in their job description and they get no time or budget for it. They handle it when they remember, often while doing ten other things.
- Level 2, Developing: You have appointed a clear owner (could be your IT lead or an external consultant) with a written job description that includes cybersecurity duties and a budget. They attend management meetings to report on security status, but they work alone and report only when there is a problem.
- Level 3, Defined: Your cybersecurity owner has a defined role, regular reporting to senior leadership, a small team or budget, and documented responsibilities for security decisions. They publish a quarterly or half-yearly security status to the board and have authority to enforce security rules across the business.
- Level 4, Managed: You have a formal cybersecurity governance structure with a designated Chief Information Security Officer (or equivalent) who reports directly to the board or MD, owns the security strategy, manages a small team, and tracks key security metrics monthly. Security is discussed at every board meeting.
- Level 5, Optimised: Your cybersecurity owner sits on the executive committee, has dedicated staff and budget, reports monthly to the board with metrics and incidents, drives security culture across the entire organisation, and periodically reviews and updates the role and responsibilities to match business and threat changes.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Write a one-page document naming one person as the cybersecurity owner, list their main duties (e.g., manage passwords, check for viruses, handle incident reports, backup data), and email it to all staff with their contact details. | Business owner or MD | 1 day |
| 1 → 2 | Add cybersecurity responsibilities to the owner's job description; set aside 2–4 hours per week just for security work; allocate a small annual budget (₹50,000–₹2,00,000) for tools, training, or external help. | HR or business owner | 1 week |
| 2 → 3 | Set up a monthly 30-minute security review meeting with the owner and one other senior person (finance, ops, or MD); ask them to report on incidents, risks, and compliance status; document outcomes in minutes. | Cybersecurity owner and MD | 2–4 weeks |
| 3 → 4 | Create a formal cybersecurity policy document signed by the MD; define roles and responsibilities; appoint a deputy owner; set up a security committee (owner, IT, ops, finance, one board member); meet quarterly and report to board with KPIs (incident count, patch status, audit findings). | Cybersecurity owner with MD and board support | 1–2 months |
| 4 → 5 | Embed the cybersecurity owner in executive decision-making; integrate security KPIs into business scorecards; conduct annual board-level security risk assessment; review and evolve the role as threats and business needs change; share security wins and lessons learned across the organization monthly. | MD, board, and cybersecurity owner | Ongoing |
Documents and records that prove your maturity level.
- A signed job description or role charter naming the cybersecurity owner and their specific duties
- Board or management minutes showing cybersecurity as a standing agenda item, with attendance by the owner
- A cybersecurity policy document (1–2 pages minimum) approved by the MD or board that outlines governance and the owner's responsibilities
- Monthly or quarterly incident and risk reports prepared by the cybersecurity owner and reviewed by senior management
- Email or memo from the MD or owner confirming the security owner's appointment and distributing their contact details to all staff
Prepare for these questions from customers or third-party reviewers.
- "Who is responsible for cybersecurity in this organization? Can you show me their job description?"
- "What decisions does the cybersecurity owner make, and who do they report to?"
- "How often does your security owner report to management or the board? Show me the last three reports."
- "What budget and resources does your cybersecurity owner have? How is it tracked?"
- "If there is a security incident, who leads the response and who do they report to?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Document and publish your cybersecurity governance, policies, and roles | Google Docs or Microsoft Word (free tier); LibreOffice Writer | Confluence (₹2,000–5,000/year) or SharePoint (included in Microsoft 365) |
| Track and manage security incidents, tasks, and owner assignments | Trello (free tier with limited cards); Google Sheets for incident log | Jira (₹10,000–30,000/year); Monday.com (₹8,000–15,000/year) |
| Create and maintain an organization chart showing the security owner and reporting lines | Lucidchart (limited free tier); Google Drawing | Lucidchart (₹5,000–12,000/year); Microsoft Visio (₹4,000–8,000/year) |
- Appointing the IT technician or contractor as cybersecurity owner without formal authority, budget, or reporting line to leadership—they then lack credibility and resources to enforce security across the business.
- Naming a senior manager (e.g., Finance Head or Operations Lead) as owner without giving them time or training in security; they treat it as a tick-box task and delegate everything back to the junior IT person, recreating Level 0.
- Writing a fancy security policy but never communicating who owns it or how employees should report problems; the policy sits in a drawer while staff remain confused about accountability.
- Hiring an external cybersecurity consultant and forgetting to assign an internal owner; when the consultant's contract ends, security responsibility vanishes and the business reverts to Level 0.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(1) requires an organization to have a Data Protection Officer (DPO) or equivalent responsible for data protection and compliance |
| CERT-In 2022 | Guidelines recommend appointing a responsible person or team for incident management and reporting |
| ISO 27001:2022 | Clause 5.1 (Leadership and commitment) and Clause 6.1 (Actions to address risks) require management to define roles and ensure accountability for information security |
| NIST CSF 2.0 | Govern (GV) function, specifically GV.RO-01 (Roles, Responsibilities, and Authorities); GV.PO-01 (Organizational Cybersecurity Policy) |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.