Directors, Adhere To Your Own Cybersecurity Policy

Directors, Adhere To Your Own Cybersecurity Policy
Executive Board members and Supervisory Board members bear the ultimate responsibility for managing cyber risks. In view of the new NIS2 directive, which obliges essential sectors to take measures, this should receive more attention - especially since the directive is being transposed into national legislation. Adherence to security policy only happens when the top sets a good example, but Executive Board members often make exceptions for themselves.

Cybersecurity is an ongoing arms race with organizations, trying to secure themselves, and criminals as the opposing forces. And it is never quiet on the front, as evidenced by the many alarming messages about issues like phishing, hacks, and ransomware. The realization that cybercrime is a serious offense, is certainly increasing. Cyber risks are, in any event, at the top of the lists of what companies consider as major risks. This is distinctly different from the situation five to ten years ago.
The urgency to intensify the fight against cybercrime is increasing day by day. Cybercriminals are becoming more cunning - so cunning that the risk of damage keeps escalating. Insurers want to see stricter security measures from companies, request higher premiums, or completely withdraw from the cyber insurance market. Also, the laws and regulations obliging companies to take measures against cybercrime are increasingly tightened. Since the introduction of the General Data Protection Regulation in 2018 (GDPR), a company that failed to set up proper defense against cyber-attacks can face a fine.

National legislation
Since the introduction of the new NIS2 directive earlier this year, additional fines have become relevant. The implementation period during which this second European Network and Information Security directive must be included in national legislation, started in January 2023. From October 2024, compliance with NIS2 legislation is required for companies active in 'essential sectors', namely: the transport sector, healthcare, banking sector, financial markets, digital infrastructure, drinking water supply, sewage, and energy supply. In addition, companies doing business with these companies will fall under the new NIS2 directive. In short, almost all companies will be obliged to take the necessary cybersecurity measures. If they do not, they run the risk of a fine that can amount to 10 million euros or 2 percent of their turnover.

Technical solutions and behavior
This, evidently, will have consequences for many IT departments. Traditionally, they have been tasked with cybersecurity for the last 20 years, when the security of information systems in companies came on the agenda. In future too, IT will certainly continue to play a role in the fight against cybercrime. However, relying too heavily on IT solutions alone is extremely dangerous, and it is no longer possible to delegate responsibility for cybersecurity to the head of the IT department or the CIO or CISO - partly because the latter finds themselves in a very difficult position, as will be explained later. Cybersecurity should be seen as part of the company's overall risk management. Executive Board members and Supervisory Board members are responsible for this, and it is therefore also their responsibility to manage cyber risks. If they want to take this responsibility seriously, they must question the safety of their own organization, focusing on both technical solutions and human behavior as well as organizational measures. They must take control and, with input from the CIO and other experts, determine the state of the company's cybersecurity. This includes creating a good security plan, ensuring it is implemented, and closely monitoring whether the security is still up to standard. And take the position as role model, because successful risk management strongly depends on the culture and individual hygiene within an organization. Leading the change should be their motto.

An elucidating metaphor
The practice looks different. Risk awareness among many directors and supervisory directors leaves much to be desired. They are busy, often too busy to be intensively involved in risk management, even though it is their responsibility. Moreover, people generally avert talking about risks – and directors and supervisory directors are no exception. In fact, they often have a strong entrepreneurial spirit and are more focused on opportunities than on risks.
The personal behavior of many directors and supervisory directors certainly does not demonstrate high risk awareness. They behave, as it were, like the management of a construction company that does not comply with its own safety regulations. Safety in the workplace is important, management naturally recognizes this. This is the reason for safety measures in the workplace. But a few times a year, when the management team visits the major construction sites for photo opportunities or a networking event, one board member does not wear a helmet, and another might prefer not to wear a safety vest. Not only do they score unsatisfactory on their own safety hygiene, but also undermine the company’s safety culture. Because if the members of the management team do not take their own safety regulations seriously, other employees will not easily do so either.

The CI(S)O’s thankless task
This metaphor hopefully clarifies what the elephant in the room is when it comes to cybersecurity: every director and Supervisory Board member prioritizes cyber risks, but at the same time, every CISO and CIO knows the stories about exceptions to cybersecurity policy. There is little wrong with the security measures. Only, often, eyes are shut when the top of the company does not adhere to its own safety rules. Members of the board of directors and Supervisory Board consider it an abstract topic anyway. Even if this is not the case, they do not always find it very interesting, let alone the fact that they do not believe they need to adhere to all safety rules.
Even if they are willing, the unbalanced relationship with the CISO or CIO hinders good cybersecurity policy. The CISO has the unenviable task of reprimanding his or her superiors - because that is what they are - about digital hygiene and motivating them to make decisions on uncomfortable subjects. This only works if those superiors want to take a leading role in managing cyber risks. The CISO or CIO should not be expected to ultimately enforce it. In this position someone would often rather give a thumbs up when asked if everything is in order, rather than hold his or her superiors accountable when they jeopardize the company's security.

4 things to remember
Finally, four takeaways:

  1. Executive Board members and Supervisory Board members will under NIS2 have to concretely take an active role in cyber risk policy. Hopefully, the introduction of NIS2 can further fuel their interest in cybersecurity. It would be prudent to invite the CIO or CISO and discuss the policy against cybercrime together. Do not forget to create a plan of action for the event that the company falls victim to a cyber-attack.

  2. Take personal responsibility. Walk the talk and show that the cybersecurity policy has no exceptions - also not on board level.

  3. Certain security measures may affect ease-of-use, but this does not necessarily need to conflict with a good user experience. Especially not if you use VIP services that combine security and user-friendliness. Provide feedback on behavior in the organization, including your own behavior. People make the most progress when feedback on actions is given immediately, constructively, and continuously.

  4. Help people become more aware of the dangers of cybersecurity, what secure conduct is and is not, and how to protect themselves against cyber risks. Executive Board members need to realize that it is beneficial not to take a position of exception.

The author of this article is managing director of Cyberwolf.io, a company that focuses on personal cybersecurity of executives and non-executives. The author chooses to remain anonymous; his identity is known to the editor-in-chief of Management Scope. This essay was published in Management Scope 08 2023.
facebook