Executive leadership underestimates the cyber threat – leaving organisations exposed. That’s one of the key findings from a recent EY survey. According to Marie Bjerre Simonsen of Wired Relations, the answer lies in education and a coherent cybersecurity strategy.
If you work in information security, this probably won’t come as a surprise. Your perception of the threat landscape is likely very different from that of your executive team. Now EY has put figures to that gap.
CISOs express significantly greater concern than other executives, particularly when it comes to:
The survey shows that awareness of cybersecurity issues has generally improved at the top. However, it also indicates that those executives not directly involved in cybersecurity often have an overly optimistic view of the challenges.
In recent years, executive teams and boards have begun to take more ownership of cybersecurity. But with the introduction of the NIS2 directive, that responsibility is no longer just theoretical – it’s a legal obligation.
“Leadership wants to take responsibility, but they aren’t equipped to do so,” says Marie Bjerre Simonsen of Wired Relations.
Marie works with companies, municipalities, and organisations to bridge the gap between information security teams and executive leadership.
She believes two elements are essential to involving leadership effectively: education and strategic engagement.
The first step is education.
Cyber threats evolve rapidly, creating a disconnect between the day-to-day reality of security teams and leadership’s understanding. As the EY survey suggests, this disconnect can quickly become a barrier to effective collaboration.
The NIS2 directive is explicit on this point:
“the members of the management bodies of essential and important entities are required to follow training...”
“Leaders need training – that much is clear. Many of the people sitting on boards or in executive teams come from entirely different backgrounds. They need to understand threats, vulnerabilities, and the methods we use to manage them,” says Simonsen.
In many organisations, information security is still treated as an afterthought.
“That approach doesn’t hold up in today’s cyber reality. Cybersecurity is about protecting the business – so the cyber strategy must align with the business strategy. Only leadership can ensure the right balance between risks, resources, and requirements,” Marie Bjerre Simonsen explains.
Here are her recommendations for aligning leadership with the information security function:
You can explore the full findings of the EY survey here: EY Cybersecurity Study – The C-Suite Disconnect
With NIS2 and an evolving threat landscape, it’s essential that your executive team is ready to take ownership of cybersecurity. Our courses and workshops help boards and executive leaders understand risk, take strategic ownership, and strengthen their collaboration with information security teams.