The greatest cyber threat wears a suit

By Jacob Høedt Larsen and Marie Bjerre Simonsen, Wired Relations

Published: June 18, 2025

Jacob Høedt Larsen, PR & PA at Wired Relations, is the host of Sustainable Compliance podcast and an expert on GRC workflows, supported by software, setting up a GRC program, managing a GRC team and securing management buy-in.

Two out of three Chief Information Security Officers (CISOs) believe that executive leadership underestimates the cyber threat. And they’re right. That’s a serious problem—because the NIS2 directive places direct responsibility for cybersecurity on the leadership.

We’ve become used to blaming staff in HR and front desk roles: “They can’t create secure passwords and click on anything.”

But the biggest cyber threat is wearing a suit and sitting in the executive suite.

CISOs say leadership often has an overly rosy view of the cyber threat. In fact, 68% of them report that their C-level colleagues underestimate the risks, according to a study.

And from what we’ve seen, they have a point.

A lack of knowledge at the top

Over the past few years, we’ve spoken to countless cybersecurity professionals across Europe. Most say the same thing:

  • It’s difficult to get management buy-in
  • Leadership fails to set direction
  • It’s hard to align goals and resources

At the root of this is a lack of understanding at the leadership level. Cybersecurity isn’t embedded into the overall business strategy—and that’s why it remains a low priority in many organisations.

But that gap is a threat. To businesses and to society.

Cybersecurity is a leadership responsibility

Boards and executive teams are slowly starting to take more ownership of cybersecurity. That’s largely due to the severity of the threat landscape—so visible today that even the most IT-averse director can see it’s serious.

And the responsibility is no longer theoretical. With NIS2, it’s a legal obligation. Cybersecurity isn’t just for specialists anymore—it’s a leadership duty.

Many leadership teams want to take that responsibility seriously. But they’re not prepared to do so. It takes two key things: knowledge and strategic involvement.

Educate your leadership – or risk losing

The first step is education. Cyber threats evolve rapidly, which means the gap between infosec teams and executive worldviews grows just as fast. That gap stands in the way of good collaboration—and makes it easier for leadership to underestimate the risks.

We’ve seen the need for training firsthand. Many of the people now legally responsible—board members and executive directors—work in entirely different domains. They need to understand the threats, the vulnerabilities, and the mitigation strategies.

Cybersecurity requires strategic direction

In too many organisations, information security is still treated as an afterthought:

  • No dedicated budget
  • Seen as a cost centre under IT
  • No ongoing dialogue with leadership

That approach no longer works. Cybersecurity is about protecting the business. That’s why the cyber strategy must be aligned with the business strategy—and only leadership can ensure the right balance between risk, resources and requirements.

Effective cybersecurity starts with governance: setting clear goals, aligning them with corporate objectives, and measuring progress. That’s the leadership’s job.

From there, specialists can focus on actual security—using proper risk management to deal with threats that are truly relevant to the business.

Decisions about cyber risks can’t rest on the judgement of a lone IT technician. That doesn’t serve anyone well.

Only leadership can lead this work.

How to take responsibility at the top

Here’s our approach to helping leadership teams step up:

  • Build knowledge – Understanding the threat landscape is the first step to taking responsibility. That starts with training.

  • Build strategy – We must define what we want to protect—and why. That means starting with the organisation’s goals.

  • Build dialogue – Leadership and infosec must talk regularly. That requires clear expectations about the reporting leadership wants.

Ask yourself as a leader: Do I know enough to take responsibility for cybersecurity—or am I putting the entire organisation at risk?

Jacob Høedt Larsen and Marie Bjerre Simonsen train executive teams and boards to take the lead on cybersecurity.

Who counts as a “management body”?

First, you need to figure out who your management body is. This will probably be defined further in your country's implementing legislation. However, it will most likely be the board of directors.