NIS2 Compliance: The CISO / Executive Primer

This CISO / Executive primer on NIS2 compliance is meant to help the CxO and Board of Directors enable your cybersecurity-accountable leader (CISO) to be successful. Some of this may seem self-evident, but I guarantee it is worth your while to make sure the CxO, CISO, and CIO are aligned. The next NIS2 blog entry will be written for CISOs, to help you directly.


Guidance for NIS2 compliance


Why is cybersecurity important for your company?

Security and business are a two-way street. The board must understand the complex legal and operational details of cybersecurity to stay secure and compliant in an increasingly perilous and regulated area of business. The CISO must have a crystal-clear understanding of the business and how they can best serve its interests. They must know why cybersecurity is important for the company’s short- and long-term operations and growth.

It comes down to your capability to generate revenue and be competitive. Based on my experience, cybersecurity can enable revenue generation and competitive advantage in the following ways:

  1. You will not generate revenue and outperform the competition if you are not allowed to participate in the dance, meaning regulatory non-compliance will halt business activities.
  2. You will not generate revenue if your employees cannot work.
  3. You will not generate revenue if your operations-enabling technologies are down.
  4. Your capability to generate revenue in the future is endangered if your valuable IP and data are stolen.

I suggest you meet with your CISO and map out:

  • The relevant regulation
  • The losses if your operations are down for a day
  • What generates your long-term competitiveness
  • How a breach would impact your customer relationships

Ask them to document this conversation and return to you with a high-level risk analysis of your company covering the following:

  1. How are cybersecurity risks viewed with regard to the above topics, within the context of your company’s divisions and functions?
  2. At a high level, how are protection mechanisms viewed for business divisions and functions?
  3. Collaboratively define a high-level goal for cybersecurity, e.g. meeting or exceeding the standards of your competition.
  4. Your company might also have functions or areas where your CISO does not have the power to make changes (e.g. factory floor equipment, oil drilling rigs, etc.). Agree with the CISO on how to map their risks and how to address them.
  5. What are their proposals for key risk-reduction KPIs to follow at the company level, so you can see that you are heading in the right direction?

About the author: Petri Kuivala has led security functions at major companies for 25 years. He has been the chairman of the board of directors of a publicly listed company, and he has advised or served as the CISO of publicly traded companies such as Nokia, Microsoft, and NXP Semiconductors. He has supervised the security of M&A activities with companies like Qualcomm and Siemens.
