The NIS 2 directive places cybersecurity at the heart of corporate governance, requiring management bodies (executive committees, boards of directors) to become actively involved in digital risk management.
Until recently, IT security was often seen as a purely technical matter, delegated to the CISO and the IT department. The NIS 2 Directive changes this by spelling out governance obligations: from now on, the management bodies of the companies concerned must supervise and validate their organization’s cyber risk management measures (NIS2 Directive: 5 Key takeaways). In plain English, the management committee or board of directors must commit to the cybersecurity strategy: approving security policies, allocating the necessary resources, monitoring risk indicators… and may be held responsible in the event of serious failure.
A new strategic challenge for boards of directors
NIS 2 makes cybersecurity a matter of fiduciary responsibility for executives. This translates into several important requirements:
- Accountability and duty of care: Executives now have a duty to validate cyber risk management measures and oversee their implementation (NIS2 Directive: 5 Key takeaways). Ignoring cybersecurity could be considered a breach of the duty of care. In the event of a major incident, the authorities will examine whether management took the necessary steps beforehand.
- Management training: NIS 2 stipulates that members of management bodies must receive adequate training in cybersecurity (NIS2 Requirements | 10 Minimum Measures to Address) in order to understand the issues and decisions at stake. This is a major cultural development: a CEO or director is expected to understand concepts such as risk analysis, incident response planning, IT hygiene, etc.
- Reinforced personal liability: The directive provides for sanctions directly targeting executives in the event of proven negligence. For example, a manager could temporarily be declared persona non grata (banned from exercising management functions) if his or her company has seriously failed to meet its NIS 2 obligations (NIS2 Directive: 5 Key takeaways). In addition, as mentioned above, very high fines are at stake for the company (up to 10 M€ or 2% of sales) (NIS2 Directive: 5 Key takeaways), which will have repercussions on governance (shareholders, the public and partners will hold management responsible for these penalties).
For CIOs and CISOs, this means educating and getting top management on board with cybersecurity issues. Management support is not only desirable, it’s required by law. Yet, in practice, a gap still exists: according to a 2023 Zscaler survey, only 32% of IT managers believe that NIS 2 compliance is already a priority for their executives ([Infographic] NIS2: companies between confidence and challenges). And only one in two believe that senior management fully understands the directive’s requirements ([Infographic] NIS2: companies between trust and challenge). This finding illustrates a risk: if decision-makers are not fully aware of their new obligations, companies may be slow to allocate the resources and drive the necessary changes.
Implications for companies:
Cybersecurity must be raised to the strategic level. Boards of directors need to make digital risk management as much a part of their remit as financial, legal or operational risks. We are also seeing the emergence of Risk and Cyber Committees on boards, and the appointment of directors with responsibility for digital issues. Some companies are also choosing to link their executives’ variable remuneration to cybersecurity performance criteria (e.g. number of incidents, level of compliance with audits, etc.). These practices, encouraged by NIS 2, aim to ensure that cybersecurity benefits from the right tone at the top.
Cyber governance best practices for CIOs/CISOs
How can CIOs and CISOs support their companies in this evolution? Here are a few best practices for strengthening cyber governance:
- Raise awareness among top management: Organize dedicated training or information sessions for executives. Present them with concrete examples of attacks, the risks involved, and of course the legal obligations (e.g. the obligation to notify incidents within 72 hours, the risk of personal sanctions). It may also be useful to run a cyber drill (crisis simulation exercise) involving senior management, to help them make the right decisions in the event of an attack. The ANSSI, for example, offers national exercises (CyberEx) which can serve as a model for internal exercises.
- Clarify roles and responsibilities: Update internal governance to formalize everyone’s role. Appoint a cybersecurity manager at executive committee level (often the CISO reporting to the CIO, or directly to the CEO in some organizations). Ensure that this person has regular access to the board of directors (participation in audit/risk committees, presentation of a cyber report at each board meeting, etc.). Document the board’s responsibility for cybersecurity in your corporate governance charter, to ratify this new situation.
- Establish regular cyber reporting to the board: periodically provide management with clear indicators on the state of IS security. For example: number of attack attempts blocked, level of exposure to critical vulnerabilities, progress on the NIS 2 action plan, comparison with a benchmark (maturity score). This reporting must be pedagogical and avoid jargon, to enable non-specialists to understand. The idea is to create a constructive dialogue between the CISO and the board, so that senior management can ask questions, challenge plans and make informed investment decisions.
- Align cybersecurity with business objectives: To capture management’s attention, link cybersecurity to the company’s business challenges. For example, point out that customer trust depends on your ability to protect their data and services (a major breach can drive away customers and tarnish the brand). Point out that in some tenders, a high level of security has become a selection criterion. By making the link between cyber and performance, you will help management to see these expenses not as a pure cost, but as a strategic investment (protection of sales, competitive advantage, etc.).
- Involve the board in cyber strategy: Rather than presenting cybersecurity as a technical compliance issue, encourage management to see it as part of corporate strategy. For example, discuss cyber risk appetite with the board: how willing is the company to take digital risks in order to innovate? What scenarios are unacceptable (production stoppage, theft of intellectual property, etc.)? This strategic reflection will help guide investments (we spend where we absolutely don’t want a disaster) and create a risk culture shared from top to bottom.
- Formalize a security governance policy: Ideally, the way in which cybersecurity is governed should be written down. Some companies draw up a document such as a “Security Governance Charter”, which details the steering structure (committees, roles of each), reporting procedures, indicators monitored, etc. This document, approved by top management, formalizes management’s commitment and is then sent to all employees. It also serves as a supporting document in the event of an audit (showing that the subject is being taken seriously at the highest level).
In short, NIS 2 encourages synergy between CISOs, CIOs and senior management. The CISO must become a business partner, able to talk with top management in their own language, to help them make informed decisions. For top management, this means integrating cybersecurity into the very definition of the company’s success, in the same way as physical security or legal compliance. This evolution in governance is undoubtedly one of the most structuring (and positive) effects of NIS 2 on European companies.
Smart Global Governance’s answer for better cyber governance
Smart Global Governance’s solutions have been designed to support this integration of cybersecurity into corporate governance. In particular, Smart Global Governance’s “Information Security Officer” suite and strategic steering modules provide CIOs/CISOs and senior management with the tools they need to collaborate effectively on cyber risk management.
In concrete terms, Smart Global Governance creates a bridge between the technical and management levels:
- Tailor-made executive dashboards: The platform transforms technical security data into business KPIs that top management can understand. For example, you can track an overall cyber maturity index, the percentage of progress on the NIS 2 plan, the number of critical risks treated vs. remaining to be treated, etc. These indicators are updated in real time on the basis of actions carried out in the tool (audits, incidents, plans). The CEO or CFO can thus consult a summary of the company’s risk exposure at any time, making it easier to include the subject on the agenda of management committees.
- Responsibility management and action plans: Smart Global Governance helps you to clearly formalize who is responsible for what when it comes to cybersecurity. The governance module enables you to assign roles (e.g. continuity plan manager, board security sponsor, etc.) and monitor the execution of responsibilities. It’s easy to demonstrate that “yes, management has validated this policy on this date”, because everything is traced in the tool. In the event of management turnover, continuity is assured: the new arrival immediately sees his or her cybersecurity responsibilities and the history of decisions.
- Validation workflows: Need to have a new ISS policy or security investment approved by management? The platform integrates electronic validation workflows. The CISO can submit a document or request via the tool, the manager concerned receives a notification, and can approve or comment in just a few clicks. This establishes a fluid, documented interaction between the operational and decision-making levels. No more informal email approvals that get lost: everything is centralized.
- Automated reporting for management bodies: in the run-up to an audit committee or board meeting, the CISO can automatically generate a summary report from Smart Global Governance, covering the required points (e.g. incidents occurring during the quarter and corrective actions, regulatory compliance status, ongoing risk reduction plans, etc.). These customizable reports save valuable time and ensure that the information transmitted to the board is up-to-date and accurate. Some of our customers have reduced the time they spend preparing their committees by 40% thanks to this automation.
- Holistic vision via the modular ecosystem: Smart Global Governance’s strength also lies in its integrated approach. Risk, Compliance, Audit and other modules share the same database. Thus, a risk identified during a technical audit can be automatically reflected in the risk dashboard presented to the board. Similarly, a strategic decision by the board (e.g. to increase the cyber budget by X%) can be translated into objectives in the action plan module, and monitored operationally. This digital continuity avoids the loss of information between top management and operational teams.
With Smart Global Governance, CIOs and CISOs have a powerful lever for engaging their managers. The platform speaks to technicians and strategists alike: for the former, it offers the level of detail and rigor expected, and for the latter, a synthetic overview. By structuring cyber governance and facilitating vertical communication, Smart Global Governance helps your company to respond to the spirit of NIS 2: cybersecurity managed at the highest level, a factor of confidence and resilience for the entire organization.