Cyber security is no longer just a technical issue that is dealt with "somewhere downstairs" in the IT department. With the introduction of European directives and regulations such as NIS2 and DORA, and with the advent of increasingly sophisticated threats, cyber security is becoming a strategic issue at the highest management level. Although many companies already have a CISO (Chief Information Security Officer), the key to success is dialogue between the board and the CISO, which should build mutual trust, transparency and shared responsibility. The aim of this article is not to create a uniform checklist of clearly defined questions, but rather to provide guidance for an open dialogue that will strengthen the resilience of the entire organisation.
1. Corporate culture: Security starts with people
Important question: "How do we promote a positive security culture?"
Security measures will fail if employees do not believe that their voices are being taken seriously.
Real-life example: At a manufacturing company, an employee reported a suspicious email. However, their manager reacted irritably ("we don't have time to deal with every little thing"). The result? No one reported any further phishing attempts – until ransomware shut down the production line. Conversely, where employees feel safe reporting incidents and where mistakes are seen as learning opportunities, a culture emerges that actively protects the organisation.
2. Knowledge and skills: Are we speaking the same language?
An important question: "As a board member responsible for cybersecurity, do I understand enough?"
Cybersecurity is not purely a technical discipline. Board members need to understand the basic principles, risks and metrics (RTO – recovery time objective, RPO – recovery point objective, residual risks, etc.) in order to make informed decisions.
Real-life example: A consulting firm introduced mandatory training for all management – not technical details, but attack simulations. Each member of management experienced what it was like to face a crisis situation. The result was not only greater awareness, but also faster response times in the event of a real incident.
3. Responsibility: Who is responsible for what?
An important question: "How do I fulfil my cybersecurity responsibilities under NIS2?"
According to the NIS2 directive, responsibility lies with management, not just the CISO or head of IT. This means that a clear division of roles, sufficient resources and an overview of the fulfilment of plans and objectives are an essential part of the strategy.
Real-world example: A manufacturing company has created a "cyber council" where the board, CISO and operations manager meet. This ensures that decisions on security investments (e.g. backup SCADA systems) are made in an informed manner, based on shared information, rather than just IT requirements.
4. Risks and interests: What needs to be protected the most?
An important question: "Do we have a sufficient overview of the risks and are we protecting the most important things we have?"
The board should be aware not only of the biggest threats, but also of the so-called protected interests – i.e. key assets: customer data, production processes, reputation.
Real-life example: A retail chain discovered that its "crown jewels" were not only customer data, but also its logistics system. When it failed, all sales stopped within two days. Since then, investments in security have been guided not only by legal obligations, but also by real business priorities.
5. Continuous management and compliance: A one-time investment is not enough
Important question: "How is the continuous control process set up in our company and are we in compliance with regulations?"
Cybersecurity is not a project with a completion date. It requires regular monitoring, testing and improvement on an ongoing basis. The board must ask whether the strategy complies with standards (ISO 27001, SOC2, etc.) and whether it meets legislative requirements.
A real-life example: A medium-sized company that also operates in the construction industry and runs its own laboratories regularly practises its response to incidents (tabletop exercises). During the last simulation, it discovered that the recovery plan did not account for the failure of a supplier of certain critical equipment that it has no way of replacing. Thanks to this, it was able to adjust the plan before the problem arose in reality.
These questions are not dogma, but inspiration.
However, every organisation should start with a dialogue:
- What is most valuable to us?
- What threats are most likely to affect us?
- What role does company management play in ensuring security, and what role does the CISO play?
A strong strategy is not just about technology, but about trust and cooperation between the board and the CISO. This is what determines whether a company will survive in an era of daily attacks.
If an organisation does not have its own internal CISO or needs an independent outside perspective, CISO as a Service (CISOaaS) may be the solution. This allows you to gain an experienced security leader without the need for full-time employment – they can provide strategic management, regulatory compliance (NIS2, DORA, GDPR), employee training, crisis planning and reporting to regulators. It also brings a very valuable outside perspective and experience.
With CISOaaS, you can address information security immediately – flexibly, effectively and with the confidence that you have an expert at your side who understands current threats and regulatory requirements and can communicate with the board in the language of business.
Start building cyber resilience with us today.