If you work in information security, this probably won’t come as a surprise. Your perception of the threat landscape is likely very different from that of your executive team. Now EY has put figures to that gap.

Survey: A knowledge gap between CISOs and the C-Suite

CISOs express significantly greater concern than other executives, particularly when it comes to:

• Whether cyber threats outpace the organisation’s defences,
  
• Whether executive leadership truly grasps the severity of the risk, and
  
• The actual scale of the threat.

The survey shows that awareness of cybersecurity issues has generally improved at the top. However, it also indicates that those executives not directly involved in cybersecurity often have an overly optimistic view of the challenges.

{{factbox-dark}}

NIS2 elevates cybersecurity to a leadership responsibility

In recent years, executive teams and boards have begun to take more ownership of cybersecurity. But with the introduction of the NIS2 directive, that responsibility is no longer just theoretical – it’s a legal obligation.

“Leadership wants to take responsibility, but they aren’t equipped to do so,” says Marie Bjerre Simonsen of Wired Relations.

Marie works with companies, municipalities, and organisations to bridge the gap between information security teams and executive leadership.

She believes two elements are essential to involving leadership effectively: Education and strategic engagement.

Education and strategic involvement

The first step is education.

Cyber threats evolve rapidly, creating a disconnect between the day-to-day reality of security teams and leadership’s understanding. As the EY survey suggests, this disconnect can quickly become a barrier to effective collaboration.

The NIS2 directive is explicit on this point:

“the members of the management bodies of essential and important entities are required to follow training...”

Leaders need training – that much is clear. Many of the people sitting on boards or in executive teams come from entirely different backgrounds. They need to understand threats, vulnerabilities, and the methods we use to manage them,” says Simonsen.

Cyber strategy – aligned with business strategy

In many organisations, information security is still treated as an afterthought.

• There is no dedicated budget,
  
• Cybersecurity is viewed as an IT cost centre, and
  
• There is no ongoing dialogue between the team and executive leadership.
  
  

“That approach doesn’t hold up in today’s cyber reality. Cybersecurity is about protecting the business – so the cyber strategy must align with the business strategy. Only leadership can ensure the right balance between risks, resources, and requirements,” Mare Bjerre Simonsen explains.

How to strengthen the connection between infosec and leadership

Here are her recommendations for aligning leadership with the information security function:

• Boost leadership’s knowledge so they understand the threats, vulnerabilities, and their responsibilities.
  
• Align your cybersecurity strategy with the business strategy to target efforts where the risks are greatest.‍
• Establish clear roles and a continuous dialogue to ensure collaboration is ongoing and strategic.