Author: Sanjay Chadha, CPA, CA, CITP, CISM, CISA, CIA, CFE Partner, SAV Associates PC
In 25 years of working in IT risk and governance, I’ve never witnessed threats change so quickly or carry so much uncertainty.
Cybersecurity risks are constantly evolving, and managing them requires an ongoing effort, regardless of whether an organization is just beginning to address cyber risk or already has a mature security program. Boards can no longer treat cyber risk as an isolated IT issue: it’s a core business risk that can materially impact the entire organization. Yet many governance structures still struggle to keep pace. Just as a small leak can sink a great ship, minor cyber oversight gaps can quietly escalate into major incidents before leadership even realizes there’s a problem. To adapt, boards must recognize emerging IT risks, address governance blind spots, and align their oversight practices with modern frameworks and enterprise risk management (ERM) processes.
Emerging Threats Reshaping the IT Risk Landscape
The top emerging IT risks today are a blend of brand-new threats and familiar ones that have adapted in unexpected ways. For example:
Generative AI Misuse: The rise of artificial intelligence has a dual-edged effect. On one hand, AI promises to bolster defenses; on the other, threat actors are abusing it to supercharge attacks. Over half of cyber leaders believe emerging technologies like AI will give an advantage to attackers¹, with less than 9 percent thinking it benefits defenders. New AI-driven threats such as deep-fake disinformation, automated malware generation, data poisoning, and AI-driven phishing campaigns are among executives’ top concerns¹. We’ve seen AI-generated phishing emails bypass human scrutiny with alarming ease, thanks to how convincingly they mimic real communication. Boards must understand that AI is not just a buzzword; it poses real risk when misused.
Cloud Sprawl and Shadow IT: The exponential growth in cloud computing and SaaS tools has dramatically broadened the digital ecosystem². Businesses now have data and critical operations scattered across multi-cloud environments and third-party platforms. This sprawl creates a visibility challenge, making it difficult for organizations to maintain a clear understanding of their digital environment. Unmanaged cloud instances or “shadow IT” services can become phantom entry points for attackers. A single misconfigured storage bucket or forgotten server can expose millions of records. Without tighter governance, organizations risk flying blind in this ever-expanding cloud landscape.
Ransomware’s Evolution: Ransomware remains the top cyber risk concern for many executives, and it continues to evolve in sophistication. Nearly half of global executives in a recent survey said a ransomware attack is the threat that worries them most. Attackers have industrialized this threat via ransomware-as-a-service gangs and double-extortion tactics (encrypting data and threatening to leak it). We’ve observed hospitals crippled, pipelines halted, and entire supply chains disrupted by ransomware incidents. It’s the digital equivalent of a hostage crisis, and paying the ransom is no guarantee of safety. Boards must treat ransomware as a persistent and evolving business risk, and shift their mindset from ‘if we get hit’ to ‘when we do, how do we minimize the damage?’
Supply Chain Fragility: Highly interconnected supply chains and third-party vendors now underpin every organization’s operation - and attackers know it. Technology-driven global supply chains are vulnerable to cyber-attacks, and a breach of one supplier can cascade into a systemic crisis. In fact, the Global Cybersecurity Outlook 2024 (World Economic Forum) report found that most incidents in 2023 were attributed to third-party vendor compromises, underscoring how fragile our digital supply lines have become. This is reminiscent of weak links in a chain; a security lapse at a small software provider or IT services partner can become the “open door” into a Fortune 500 enterprise. Yet traditionally, boards have paid less attention to vendor cybersecurity than to internal controls. That must change; due diligence and continuous monitoring of supply chain security are now board-level concerns.
Regulatory Convergence and Compliance Risks: The governance environment is evolving quickly, challenging traditional oversight models. Governments and regulators worldwide are imposing new cybersecurity mandates, from data privacy laws to critical infrastructure security requirements. For example, the Securities and Exchange Commission (SEC) in the U.S. now requires disclosure of the cyber expertise of board members and timely reporting of incidents, while the EU’s digital regulations (like NIS2 and DORA) demand stringent risk controls. This regulatory convergence means boards face a complex compliance landscape. Falling short isn’t just a reputational issue - it can invite legal penalties. Boardrooms must treat compliance as a floor, not a ceiling, and anticipate that today’s cyber governance best practices will become tomorrow’s table stakes.
Governance Gaps and Lessons from Recent Failures
Despite growing awareness, there are still glaring governance blind spots when it comes to IT risk oversight. One common gap is the disconnect between technical risk reporting and enterprise risk appetites. Too often, cybersecurity metrics (vulnerabilities, patch counts, etc.) are reported in isolation, leaving directors without context of how a given IT risk maps to business impact. It’s like identifying early warning signs without being able to predict which ones will turn into major disruptions.
If boards cannot interpret the significance of a critical cloud misconfiguration or an AI model vulnerability, they may underestimate the threat until it’s too late.
We’ve also seen failures in internal audit and risk assurance related to emerging tech. In some cases, audit programs focus on checklist compliance (e.g. password policies, firewall rules) but miss strategic dangers like unchecked cloud expansion or third-party software risks. For example, a global firm passed all compliance audits prior to a massive data breach. The auditors didn’t examine the company’s sprawling API connections with suppliers, which is exactly where attackers struck. The lesson is clear: focusing on an audit too narrowly is like checking all the doors while forgetting the windows - important risks can still slip through.
Another governance pitfall is cultural and knowledge gaps at the board level. Not all directors are fluent in technology, and many boards lack a dedicated cyber expert. This can lead to blind trust in IT departments or a “tell us when it’s fixed” mentality, rather than proactive risk dialog. It reminds me of early in my career, during the late 1990s, when boards treated Y2K as an IT project to delegate and forget. Today’s equivalent might be boards deferring all AI ethics and security decisions to management without sufficient oversight. In 2025, that hands-off approach is dangerously outdated.
To highlight how blind spots can have real costs, consider the detection challenge: sophisticated threats often lurk undetected for months. Without robust monitoring and incident response preparation, companies discover breaches only after damage is done. A poignant metaphor is the “boiling frog” syndrome: if small security anomalies aren’t escalated to leadership, an organization can get slowly compromised bit by bit, all under the radar of a complacent board. Effective governance means having the sensors (internal reports, audits, whistleblowers) to catch those early signals of risk escalation and the curiosity to investigate them.
Aligning ERM, Internal Audit, and IT Governance for Resilience
Cybersecurity is an integral part of enterprise risk management (ERM) because a digital attack can harm cash flow, operations, and brand value just as a supply-chain failure or a currency swing can. Boards should ask for a risk register, a structured list of threats, along with simple heat maps that show how a cloud outage or ransomware event could disrupt revenue or customer service. Frameworks such as NIST IR 8286 guide teams in converting technical signals (for example, unpatched servers or exposed application programming interfaces) into business-level impact so directors can judge whether current safeguards match the organization's appetite for loss.
Once that view exists, the board needs clear lines of accountability and reliable assurance. A director with cyber literacy should sponsor regular reviews where management reports on posture, planned improvements, and measurable tolerance thresholds, for instance the maximum hours of downtime or gigabytes of data loss the company is willing to accept. Internal audit then tests whether controls hold up under realistic conditions by running scenario analyses such as a simulated vendor breach or misconfigured cloud storage. Findings come back with plain-language impact statements, named owners, and deadlines, giving the board evidence that risks are treated with the same discipline applied to finance or safety.
Good IT governance keeps everyone moving in the same direction. Aligning policies and procedures to reference models like the NIST Cybersecurity Framework 2.0, ISO 27001, or COBIT creates a common vocabulary for identity management, incident response, and supply-chain oversight. These frameworks prompt questions a busy board might miss. Is multi-factor authentication universal? Are critical suppliers assessed every year? They also support tracking of outcome-oriented metrics such as mean time to recover, closure rates for high-risk findings, and completion of security awareness training. When ERM insight, audit evidence, and governance standards reinforce one another, an organization moves from reactive defense to a measurable, resilient cyber posture.
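The three paragraphs above describe a workflow: record each technical signal in a risk register with a plain-language business impact, compare the modelled consequence against the board's tolerance thresholds, and report outcome metrics such as mean time to recover and closure rate for high-risk findings. The following is an added example, not code from the article or from any framework it cites, that carries that workflow through on constructed data. The 1-to-5 likelihood and impact scale, the heat-map colour cut-offs, the tolerance values and every risk, finding and incident below are assumptions made for illustration, not figures from NIST IR 8286 or the author.

```python
"""Minimal risk-register evaluator for a board report (constructed example)."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Board-approved tolerance thresholds (assumed values, constructed for this example).
TOLERANCE = {
    "max_downtime_hours": 8,    # longest outage the board is willing to absorb
    "max_data_loss_gb": 50,     # most data loss the board is willing to absorb
}


@dataclass
class Risk:
    id: str
    technical_signal: str       # what the security team observes
    business_impact: str        # the plain-language statement directors read
    likelihood: int             # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                 # 1 (minor) .. 5 (severe), assumed scale
    est_downtime_hours: float   # modelled outage if the risk is realised
    est_data_loss_gb: float     # modelled data loss if the risk is realised
    owner: str
    due: date


@dataclass
class Finding:
    risk_id: str
    severity: str               # "high", "medium" or "low"
    opened: date
    closed: Optional[date] = None


@dataclass
class Incident:
    detected: datetime
    recovered: datetime


def score(risk: Risk) -> int:
    """Likelihood x impact on the assumed 1..5 scales (max 25)."""
    return risk.likelihood * risk.impact


def heat_cell(risk: Risk) -> str:
    """Map the score to a heat-map colour; cut-offs are assumed, not prescribed."""
    s = score(risk)
    if s >= 15:
        return "red"
    if s >= 8:
        return "amber"
    return "green"


def exceeds_appetite(risk: Risk, tolerance=TOLERANCE) -> list:
    """Return the tolerance thresholds this risk would breach if realised."""
    breaches = []
    if risk.est_downtime_hours > tolerance["max_downtime_hours"]:
        breaches.append("max_downtime_hours")
    if risk.est_data_loss_gb > tolerance["max_data_loss_gb"]:
        breaches.append("max_data_loss_gb")
    return breaches


def closure_rate(findings, severity="high") -> float:
    """Share of findings of the given severity that have a closure date."""
    selected = [f for f in findings if f.severity == severity]
    if not selected:
        return 0.0
    return sum(1 for f in selected if f.closed is not None) / len(selected)


def mean_time_to_recover_hours(incidents) -> float:
    """Average detection-to-recovery time in hours; 0.0 when there were no incidents."""
    if not incidents:
        return 0.0
    total_seconds = sum((i.recovered - i.detected).total_seconds() for i in incidents)
    return total_seconds / len(incidents) / 3600


def board_report(risks, findings, incidents) -> dict:
    """Assemble the outcome-oriented view a director would read."""
    return {
        "heat_map": {r.id: heat_cell(r) for r in risks},
        "over_appetite": [r.id for r in risks if exceeds_appetite(r)],
        "impact_statements": {r.id: (r.business_impact, r.owner, r.due.isoformat()) for r in risks},
        "high_closure_rate": closure_rate(findings, "high"),
        "mttr_hours": mean_time_to_recover_hours(incidents),
    }


# Constructed sample register: each entry pairs a technical signal with its business meaning.
RISKS = [
    Risk("R1", "object storage bucket readable without authentication",
         "customer records could be exposed publicly", 4, 5, 0, 120, "CIO", date(2025, 9, 30)),
    Risk("R2", "remote-access appliance missing vendor patches",
         "order processing could halt for a day", 3, 4, 24, 10, "Head of Infrastructure", date(2025, 8, 15)),
    Risk("R3", "supplier API keys rotated only annually",
         "limited partner data could be misused", 2, 3, 2, 5, "Procurement Director", date(2025, 12, 31)),
]
FINDINGS = [
    Finding("R1", "high", date(2025, 5, 1), closed=date(2025, 5, 20)),
    Finding("R2", "high", date(2025, 6, 1)),
    Finding("R3", "medium", date(2025, 6, 10), closed=date(2025, 7, 1)),
]
INCIDENTS = [
    Incident(datetime(2025, 3, 1, 9), datetime(2025, 3, 1, 15)),    # 6 hours
    Incident(datetime(2025, 4, 10, 8), datetime(2025, 4, 10, 20)),  # 12 hours
]

if __name__ == "__main__":
    for key, value in board_report(RISKS, FINDINGS, INCIDENTS).items():
        print(key, value)
```

The point of the design is that every row that reaches the board carries a plain-language impact, a named owner and a due date, and the "over appetite" list is derived mechanically from the thresholds the board itself approved, so a red heat-map cell is explained by a number the directors already agreed on rather than by a vulnerability count.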
In today’s volatile threat landscape, cybersecurity oversight can no longer be reactive or siloed. Boards must evolve from passive observers to active stewards of digital risk, armed with the right frameworks, fluency, and foresight. Resilience isn’t just a technical goal - it’s a governance imperative. Because when the threats are modern, but the boards are outdated, the gap becomes the greatest vulnerability of all.
¹World Economic Forum. (2024). Global Cybersecurity Outlook 2024: Building Cyber Resilience in a Complex World. https://www.weforum.org/publications/global-cybersecurity-outlook-2024/
²Architecture & Governance Magazine. (2024, February 26). Gartner identifies the top cybersecurity trends for 2024. https://www.architectureandgovernance.com/security/gartner-identifies-the-top-cybersecurity-trends-for-2024/
About
The Technology Strategic Advisory Group exists to promote the professional development and career growth of CITP credential holders and other stakeholders by creating and curating resources that address emerging needs in technology and business. Committed to fostering continuous learning, innovation, and adaptability, the group provides insights and support to help professionals navigate challenges, expand their expertise, and lead with confidence. Through collaboration and strategic initiatives, the group ensures that the CITP community and related professionals remain connected, informed, and prepared for the future.