By Paul C Dwyer, 16 December 2024
In today’s rapidly evolving digital landscape, the importance of cybersecurity governance has never been more pronounced.
With the recent implementation of the Network and Information Security Directive 2 (NIS2) and the imminent enactment of the Digital Operational Resilience Act (DORA), organisations across sectors must confront the increasing demands of regulatory compliance.
For senior management, this is not merely a technical challenge but a fundamental governance issue that requires a strategic, top-down approach.
Both NIS2 and DORA place significant emphasis on strengthening digital operational resilience, making it clear that cybersecurity is now a board-level priority.
While NIS2 applies to a broad range of critical infrastructure sectors, DORA is designed specifically to safeguard the financial sector from cyber threats. However, the overarching message from both regulations is that senior management plays a pivotal role in driving compliance and ensuring that their organisations are prepared to withstand digital risks.
Top-down approach
One of the key lessons from NIS2 and DORA is that effective cybersecurity governance must begin at the top.
Senior management is no longer able to delegate responsibility for cybersecurity purely to IT departments. Instead, they must take an active role in shaping, overseeing, and ensuring the implementation of robust cybersecurity measures.
A top-down approach requires senior leaders to embed cybersecurity into the organisation’s overall governance framework. This involves setting a clear vision and establishing the right culture, where cybersecurity is prioritised across all functions.
In practice, this means ensuring that cybersecurity is regularly discussed at the board level, integrated into risk management processes, and treated as a strategic business risk, rather than a purely technical issue.
NIS2 and DORA both highlight the need for comprehensive risk management frameworks that account for digital risks alongside traditional business risks.
For senior management, this means fostering an environment where risk assessments include cyber threats, and where incident response plans are not only developed but regularly tested and updated.
What’s expected?
Both NIS2 and DORA place explicit governance responsibilities on senior management.
Under NIS2, organisations deemed essential or important entities – such as those in the energy, health, or transport sectors – must adopt measures that ensure the security of their networks and information systems. Senior management must take ultimate responsibility for compliance with these requirements and could face penalties for non-compliance.
Similarly, DORA establishes stringent rules for financial entities, requiring them to maintain a high level of digital operational resilience.
Senior management is expected to ensure that the institution’s ICT risk management framework is robust and capable of withstanding cyberattacks and other digital disruptions. Importantly, the regulation mandates that ICT risk is treated with the same level of rigour as other financial risks.
Key expectations for senior management under both frameworks include:
- Accountability for ICT risk management: Senior leaders are expected to oversee the implementation of ICT risk management frameworks, ensuring that risks are identified, assessed, and mitigated effectively. This includes overseeing third-party risk, where supply chains and service providers must be continuously monitored for potential vulnerabilities.
- Incident reporting: Both NIS2 and DORA have stringent requirements for incident reporting. Under NIS2, essential entities must report incidents with a significant impact on their operations, while DORA requires financial institutions to report major ICT-related incidents to supervisory authorities. Senior management must ensure these mechanisms are in place, tested, and functioning efficiently.
- Governance of third-party providers: DORA, in particular, places emphasis on managing third-party ICT providers, recognising the risks they pose to financial institutions. Senior management must ensure that contracts with ICT service providers include provisions for oversight, regular testing, and incident management.
- Continuous resilience testing: Both regulations call for the regular testing of systems and processes to ensure operational resilience. Senior management should lead efforts to ensure that resilience testing becomes a core part of the organisation’s risk management strategy, with testing results used to inform decision-making at the highest level.
Leadership and cultural change
To meet the demands of NIS2 and DORA, senior management must go beyond compliance. Leaders are expected to cultivate a security-conscious culture throughout the organisation.
This involves clear communication of the importance of digital resilience to all staff, from the C-suite to operational teams. When senior leaders visibly prioritise cybersecurity, it signals to the entire organisation that digital resilience is critical to business success.
This cultural shift also extends to resource allocation. Senior management must ensure that appropriate resources – both financial and human – are dedicated to managing cybersecurity risks.
This includes investing in the right technology, hiring skilled personnel, and providing ongoing training to ensure that staff across the organisation are equipped to handle cybersecurity threats.
Senior management’s strategic role
One of the critical roles of senior management is to integrate cybersecurity into broader business strategies. Digital operational resilience should be a central pillar of business continuity planning, ensuring that the organisation can continue operating in the event of a cyber incident.
Senior leaders must also be prepared to engage with regulators, shareholders, and other stakeholders, demonstrating that the organisation is proactively managing digital risks and complying with regulatory obligations.
The strategic nature of cybersecurity governance under NIS2 and DORA also means that senior management must be forward-thinking. As cyber threats evolve, so too must the organisation’s approach to managing them.
This requires ongoing assessment of the organisation’s cybersecurity posture, continuous improvement of risk management practices, and an openness to adopting new technologies and approaches that enhance resilience.
Seizing the opportunity
For senior management, the introduction of NIS2 and DORA should be seen as an opportunity to lead the charge in building a digitally resilient organisation.
By taking a top-down approach to cybersecurity governance, senior leaders can not only ensure compliance with these regulations, but also strengthen the organisation’s ability to navigate the increasingly complex digital landscape.
As digital operational resilience becomes an essential element of business success, senior management must prioritise cybersecurity at the highest levels.
This means fostering a culture of security, embedding cybersecurity into governance frameworks, and ensuring that the organisation is prepared to meet the challenges of both today and tomorrow.
About the author
Paul C Dwyer is President of the International Cyber Threat Task Force (ICTTF). The ICTTF was established in 2010 as a not-for-profit initiative promoting an international, independent, non-partisan cyber security community.