Dear Executives – Your Cybersecurity Teams Are Lacking Direction

The backbone of any good cybersecurity strategy is to conduct a broad risk assessment on behalf of the entire business and organization. This is the responsibility of the executive team. If you leave the strategic task solely to IT people, who typically have a narrower and short-term focus, it can lead to the wrong focus, overprotection of less important business-critical areas, and poor investments.

Bo Drejer

Take Ownership of the Security Strategy

The backbone of any good cybersecurity strategy is to conduct a broad risk assessment. Which of your business services are the most important? And which parts of your IT support them? What can you afford to lose, and what must you absolutely not lose control over if your core business is to continue functioning under any cyberattack? And what about your customers and partners? Where do they need you to prioritize security more highly?

This is classic risk management, which naturally belongs in the executive boardroom. Keep in mind that most IT professionals are technology-driven. They think and act primarily in relation to technology. They are less interested in abstract risk assessments that they are not directly responsible for. Their focus is typically on concrete priorities—what should be built, when, and how.

If you, as management, stick your head in the sand and leave the strategic task to them, they will naturally try to solve it as well as they can. But this can easily lead to overprotection and unnecessary extra costs—especially because they are not familiar enough with what risks are actually acceptable, so they choose to build with extra layers of security throughout.

Overprotection might sound safe. But it’s not, because no one has unlimited resources.

Bo Drejer

A Well-Balanced Risk Profile Creates Maximum Return

Overprotection might sound safe. But it’s not, because no one has unlimited resources, and everyone is short of IT specialists. Therefore, it is better—and often cheaper—to create a cohesive cybersecurity defense that closely reflects your actual security needs, ensuring that the armor is thickest where the vulnerability is greatest. That’s the path to maximum return on your security investments.

In this context, it is important that you, as management, are aware of your role in risk analysis. This is, of course, also part of the explanation as to why more and more legislation is shifting responsibility your way. This doesn’t mean that you need to understand how your digital assets should be protected technically, but rather that you use your risk-analysis skills to identify what must be protected at all costs—and also where you can accept some level of risk. The better you are at communicating the right security needs, the better your IT department or security partners can make optimal tactical decisions.

As management, you should therefore take a more proactive role, assessing and challenging your security needs in a more business-relevant context. Over time, you will be able to navigate more freely in the intersection between your risk profile and the operational security work. Everything suggests that companies where the management is actively involved in shaping the right risk profile make more appropriate investments in cybersecurity.

With the implementation of the EU’s NIS2 directive next year and other upcoming regulations related to cybersecurity, which assign ultimate security responsibility to management, we are entering a new era of compliance requirements that move out of the IT department and into the executive and boardroom.

Frans Skovholm

Don’t Undervalue Your Own Knowledge

Bottom line: From a management perspective, IT is not the mysterious and complicated operational area that makes many executives wary. If you feel this way, it’s tempting to order expensive analysis reports, which are often hard to translate into concrete security measures once the consultants have left.

It may seem challenging to take more control over an area that has never been on the agenda in the boardroom. But no one knows the business better than you, and that knowledge is invaluable when it comes to your cybersecurity. Forget that you don’t know how to configure a firewall or which technology gives your employees secure access from both airports and home offices. You have people or partners to take care of those things.

Do what you do best: Assess strategic risks with sharp precision, then use short, effective communication channels to set the direction for tactical efforts. Or in other words: Take control and play the game wisely—your cybersecurity teams need you.

If you need advice on how your company should handle the NIS2 Directive or the DORA Regulation, contact one of our experts or fill out the form below.