Proxy SROs, real accountability, and why cyber risk keeps slipping through delivery cracks
News and information from the Advent IM team.
Cyber risk rarely “appears” at go-live. It gets designed in, quietly, through decisions made under pressure: a deadline nudged forward, a control deferred “temporarily”, a supplier integration accepted with caveats, an exception granted because “the business needs it”.
None of that is inherently evil. It’s just how complex programmes behave when incentives, timelines and accountability don’t line up neatly. And that’s why the unglamorous governance role of the Senior Responsible Owner (SRO) matters more than ever, particularly in government, defence supply chains, and critical national infrastructure (CNI), where delivery failure can become a national resilience problem rather than a bad quarter.
The interesting twist is that many organisations now find themselves with a formal expectation of senior cyber ownership, but without the practical bandwidth or specialist depth to execute it consistently. The gap between “named accountability” and “active oversight” is where projects drift, risks metastasise, and assurance becomes theatre.
The SRO: not a title, a control
In UK government project delivery, the SRO is the accountable owner of the business case and governance. The Infrastructure and Projects Authority (IPA) sets expectations that include having an integrated assurance and approvals plan across the life of the project, and providing regular reporting for major projects. It also explicitly recognises the time commitment required: there is an expectation that SROs commit a substantial proportion of their time (with a “starting presumption” of significant dedication up to key approval points).
That’s important because it frames the SRO role as a delivery control, not an honorary badge. The SRO is meant to be the person who can say, with credibility: “Here’s what we’re building, here’s why, here’s the risk we’re accepting, and here’s the evidence that we’re still in control.”
Now overlay cyber…
The UK Government’s Cyber Governance Code of Practice is blunt about what good looks like at senior level: agree senior ownership of cyber security risks, integrate them into enterprise risk management and internal controls, define risk appetite, and make supply chain assurance routine rather than exceptional.
In other words: cyber governance isn’t a separate universe. It’s meant to be part of how leadership runs the organisation.
Why cyber risk “escapes” when delivery gets busy
Most cyber governance failures in programmes aren’t caused by ignorance of controls. They come from predictable organisational physics:
An SRO may be accountable for outcomes but surrounded by specialist domains (architecture, operational technology, information assurance, procurement, data protection, physical security, service management) that each speak their own dialect. If nobody is translating those dialects into decision-grade risk, the programme defaults to what it can measure easily: scope, schedule, cost.
Cyber risk, meanwhile, has three awkward properties: it is tightly coupled, it is asymmetric, and its cost is deferred.
It is tightly coupled. A programme chooses to let a supplier connect via a “temporary” VPN that bypasses the normal identity controls. That one decision now affects access control, monitoring, incident response and even audit evidence across the whole service, because a connection that sits outside the identity provider also sits outside the logging, alerting and leaver processes that hang off it. You’ve created a parallel door nobody can see properly.
It is asymmetric. One engineer leaves an admin portal exposed to the internet with a weak password and nothing else standing in the way. An attacker gets in, creates a new admin account of their own, and now has keys to the kingdom that survive the original password being reset. Tiny mistake, huge blast radius.
Its cost is deferred. To hit go-live, patching is pushed back and logging is kept minimal “until phase two”. Nothing bad happens for months. Then a breach occurs and you realise you can’t prove what happened, when, or what data was touched, so the cost lands later as extended downtime, forensics, legal work and reputational damage, often funded from a different pot than the project budget that made the trade-off. The deferred control looks cheap on the programme’s books precisely because its bill is sent to someone else.
CNI and defence-adjacent programmes amplify this. Supply chain dependencies become attack surfaces; operational resilience becomes inseparable from cyber resilience; and assurance isn’t just for auditors, it’s for safety and continuity.
Defence delivery has been moving hard in this direction. The Ministry of Defence’s Secure by Design requirements explicitly position SROs as accountable for delivery of cyber secure outcomes across the capability lifecycle. And Secure by Design guidance more broadly is explicit that agreeing roles and responsibilities should involve the SRO alongside delivery and security professionals, because accountability needs to be set at the right altitude.
The pattern is clear: senior ownership is being formalised, because decentralised “everyone’s responsible” models don’t survive contact with reality.
The uncomfortable truth: you can’t “part-time” senior oversight
Here’s the tension. The IPA expectation of substantial SRO time commitment exists for a reason. But the world is short on senior leaders with the time, domain depth, and governance discipline to maintain tight control of complex cyber-and-digital delivery, especially when the organisation is simultaneously battling business-as-usual, procurement pressures, and the constant background radiation of incidents.
When that happens, two things tend to follow:
This is precisely the kind of environment where a Proxy SRO model has started to make practical sense.
What a Proxy SRO actually is (and isn’t)
A Proxy SRO arrangement is best understood as senior oversight capacity that works alongside the organisation’s existing risk, security and delivery leadership. The aim is not to replace accountability, but to make accountability executable.
In Advent IM’s description of its Proxy SRO service, the emphasis is on senior-level oversight and guidance to strengthen governance, risk management and project assurance, including independent oversight, risk assessment, Secure-by-Design guidance, and support with governance documentation and audit readiness. It’s positioned as flexible support: additional capacity, specialist insight, or temporary senior oversight, and it can also be provided as an independent review on programmes in which the proxy has no other involvement.
Translated into plain delivery language, a Proxy SRO typically helps with:
Because this role sits at the intersection of governance, risk, and delivery, it can be particularly effective in the concept and early design stages (where bad assumptions are cheap to fix), and during periods of change or recovery (where drift must be arrested before it becomes permanent).
Why this matters specifically for government, defence and CNI
Government and CNI organisations are increasingly expected to manage cyber as a resilience issue with clear accountability, consistent assurance, and stronger supplier management.
The Government Cyber Action Plan sets a direction of travel that will feel familiar to anyone who has tried to herd cyber risk across a large estate: clearer accountability, stronger central direction, improved assurance, and explicit relationships with strategic suppliers to manage the risk they hold.
That matters because the risk doesn’t stop at organisational boundaries. It bleeds across shared services, integrators, MSPs, SaaS platforms, and niche suppliers. The Cyber Governance Code of Practice explicitly calls for routine supplier risk assessment proportionate to risk, and resilience to supply chain cyber risk.
In defence supply chains, the stakes are higher again: assurance has to stand up not only to commercial scrutiny, but to national security expectations and the reality of capable adversaries. When Secure-by-Design requirements put cyber-secure outcomes on the SRO’s shoulders, it’s a signal that “security is a specialist’s problem” is no longer an acceptable governance posture.
A Proxy SRO model can help here in a very specific way: by creating a consistent senior lens across programme, system, and operational risk—so that delivery decisions don’t accidentally undermine resilience.
A sober way to think about it: Proxy SRO as resilience scaffolding
The easiest way to misread the Proxy SRO idea is as bureaucracy. The better reading is: it’s scaffolding that keeps senior accountability standing while the building work happens.
If you already have a strong SRO with time, domain confidence, and robust assurance machinery, you may not need it. But if you’re facing any of the classic risk multipliers—complex supplier chains, high assurance obligations, uncertain requirements, legacy technology, operational technology exposure, or a programme that must not fail loudly—then bolstering senior oversight is rational risk management.
The point isn’t to add another layer of governance. It’s to prevent the familiar failure mode where governance exists, but nobody has the time or senior support to make it bite.
And in cyber, governance that doesn’t bite is just a bedtime story told to auditors.
Written by Ellie Hurst, Commercial Director.