Right now, there is a shift regarding who should really be in charge of cybersecurity. With the implementation of the NIS2 directive, responsibility is moving further up the organizational hierarchy, the IT department is assuming a new role, and individuals risk being increasingly affected. This is what the new distribution of responsibilities looks like—and this is how your organization should act to adapt to the new conditions surrounding cybersecurity.
Cybersecurity is no longer just the IT department's responsibility
Today, there is a trend where the responsibility for cybersecurity is increasingly shifting towards management and the board, rather than remaining with the IT department as before. The nature and complexity of cyber threats have changed significantly, necessitating greater involvement from management. New regulations are setting stricter requirements, while organizations are gaining a deeper understanding of what cybersecurity actually means for overall risk management.
Why has responsibility shifted towards management?
The primary reason management and the board are taking on greater responsibility is the increased severity and frequency of cyber threats, which in turn drives stricter regulation. Regulators now demand more transparent reporting of corporate cybersecurity strategy and of the board's oversight: for example, whether the board has members with cybersecurity expertise and how cyber risk is handled in the overall business strategy. These demands increase the pressure on corporate oversight of cyber risks and on the routine management of those risks.
A strong security culture is also crucial for preventing and managing incidents—and here, it becomes clear that engagement from management is crucial to influence the entire organization’s capabilities. At the same time, customers, investors, and other stakeholders have higher expectations for how companies manage and protect sensitive data. The board, therefore, has the responsibility to also ensure that the organization meets these expectations, in order to protect the brand and trust.
3 parts of the NIS2 directive that highlight management's new role
The NIS2 Directive is an update to the EU's rules on network and information security, aimed at strengthening cybersecurity across the union. Non-compliance can be fined based on global turnover: essential entities up to EUR 10 million or 2% of global annual turnover, whichever is higher, and important entities up to EUR 7 million or 1.4%. The directive sets out clear new requirements for management's engagement and responsibility:
1. Direct responsibility for risk management:
Management bodies must now approve the organization's cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements. Management therefore needs a working understanding of what the directive requires and must ensure that the organization has the resources and structures to comply.
2. Implementation of preventive and mitigating measures:
Organizations need to manage risks through both preventive and mitigating measures. This includes incident management, cybersecurity through the supply chain, network security, access control, and encryption. Management is responsible for ensuring that these measures are sufficient to reduce the risks and consequences of cyber incidents.
3. Reporting and business continuity:
Organizations must have processes for reporting correctly to the authorities and for continuing operations after a major cyberattack. This includes system restoration, emergency procedures, and a crisis organization. Reporting is tiered: an early warning of a significant incident within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report within one month. It is management's responsibility to ensure that these deadlines are met and that procedures exist for quickly restoring operations. Member states had to transpose NIS2 into national law by 17 October 2024; the Swedish implementation, the Cybersecurity Act, is being developed in parallel.
How individuals can face consequences for cybersecurity failures
Regulators and legislators are now placing greater responsibility on individual members of management. The goal is more proactive handling of cyber threats and assurance that the necessary security measures are integrated with the organization's overall risk management. With personal responsibility, however, come personal consequences: members of the management body can be held personally liable for the organization's violations, and for essential entities the authorities can temporarily bar an individual from exercising managerial functions.
In the proposal for the Swedish implementation of NIS2, the investigators refer to the Companies Act. There, the board has overall responsibility for the company's organization and the management of its affairs, and a specific responsibility for internal control, which includes cybersecurity.
Under DORA, management bodies of financial entities have more comprehensive responsibilities, including personal liability for damages. The management body is responsible for everything from the policies governing ICT risk management to the allocation of resources, roles, and responsibilities. Both regulations also require that members of the management body undergo cybersecurity training.
An example of direct consequences
One example is the case of SolarWinds, where the U.S. Securities and Exchange Commission (SEC) charged the company and its CISO, Timothy Brown, with misleading investors about the company's cybersecurity practices. According to the SEC, SolarWinds' public statements differed significantly from internal discussions about how the company handled its security; for instance, Brown had acknowledged in an internal presentation that SolarWinds' practices left the company's critical assets in a very vulnerable position. A federal court dismissed most of the SEC's claims in July 2024, but the case still shows that individual executives, not only the company, can be named in enforcement actions.
This example underscores that organizations cannot focus solely on meeting the technical requirements for cybersecurity. It is equally important that employees in leadership roles are informed about, and engaged in, their responsibility to maintain a high security standard. This is not only about protecting the organization and its stakeholders; ultimately, it is also about protecting oneself.
The role of the IT department moving forward
The IT department will continue to play a vital role in supporting the organization with technical expertise, particularly in building a stable infrastructure for cybersecurity. At the same time, the IT department and its experts are crucial in bridging the gap between technical and non-technical parts of the organization, aiming to create a common understanding of and approach to managing cyber risks.
Going forward, the IT department will need to work even closer with the management team to ensure that plans and processes for cybersecurity are well integrated with the company’s overall business strategy and risk management. This also means that IT professionals will need to develop their understanding of the business context to provide the necessary support where needed.
In addition to technical expertise, IT experts now increasingly need to demonstrate their communicative skills, a stronger ability to collaborate across functions, and enhanced competence in risk management, including analysis and prioritization.
How to make cybersecurity pervade the entire organization
Create Awareness Across the Leadership
It’s not enough for just the CIO and a single concerned board member to push the issue. Knowledge must increase across the board, and by creating a sense of urgency, awareness grows that cybersecurity is an existential and real threat to the entire organization—not something that “only affects others.”
Develop Concepts and Tools Continuously
Review your critical assets and processes and ensure there is a plan in place for a potential attack. This needs to be driven by people with a business mindset so that cybersecurity efforts are not perceived as overly technical and solely manageable by the IT department.
Strengthen Knowledge
Since cybersecurity affects the entire company, it’s essential that both marketing and sales staff as well as process managers have the knowledge required to explain your work in dialogue with customers and stakeholders. Here, clear internal sources of information that these employees can rely on are important.
Do you want to know more about what a risk management system can do for your organization? Read more about Stratsys' products for GRC management here.