Grounded in a socio-technical systems governance framework, we explore the perceptions and strategies of SME managers and cybersecurity providers within the cybersecurity landscape. Addressing the gap in understanding of how cybersecurity governance takes place in the Canadian SME landscape, Interviews were conducted with 35 SME representatives and 11 cybersecurity providers and analyzed using discourse analysis. The results highlight four critical themes in this socio-technical transition: initial conditions, SME business model discourse, cybersecurity provider business model discourse, and transition outcomes. The transition underpins a mode of governance, blending elements of oligopoly and self-regulation, characterized by the dominance of key cybersecurity firms and a more facilitative role of state actors. A novel conceptual model emerges from the study, explicating the transition in SME institutional logics from a traditional ‘legacy logic’ towards an integrated cybersecurity approach. This transition is shaped by the principal-agent disconnect and moderated by SME and cybersecurity provider business model discourses.