Board directors and some key executives and personnel are still the ultimate owners of this risk. Cyber-security risk ownership can’t be outsourced either. Outsourcing only raises the risk you own and need to consider in mitigation strategies. Further, your internal IT people are only as good as the knowledge they have in this area and how current it is. If disgruntled or irrational, they are also a serious point of vulnerability (think NSA and Snowden – yes, your trusted techy has that kind of access).
The approach to managing cyber-security risks needs to be strategic; otherwise businesses may be too locked down to function, locked down in the wrong areas, or not satisfactorily protected in the business-critical ones. Given our level of interconnectedness, the supply chain of any organisation needs to be part of this strategic decision-making. A breach in one organisation can easily spread to the other organisations it does business with.