What if your company were hit by a cyberattack tomorrow? What if… production came to a complete standstill, your employees were unreachable, confidential data disappeared (or worse, appeared online, visible to everyone).
Your customers and partners began to lose trust; the impact was significant.
Then the question suddenly arose: “Who was responsible?”
Cybersecurity as a cornerstone of good governance
Cybersecurity was long neglected; it was often not even on the radar of many organizations, which assumed the IT department had it under control.
It was often seen as a task for IT, led by the security officer. In reality, we see that it goes much further than just the IT department. Cybersecurity (or rather, cyber resilience) is part of good governance. The goal is to ensure the continuity of the organization, along with its strategic advantages, financial health, reputation, intellectual property (IP), and so on.
This is also increasingly emphasized within a legal framework (think NIS2). Governing bodies must understand cyber risks, approve certain measures, exercise oversight, and also take specific training courses to maintain their knowledge of the subject.
“Today, cybersecurity also belongs in the boardroom, not just within the IT department and the server room.”
William Rosenhek, Cybersecurity Advisor @ ACEN
IT problem or management responsibility?
The idea that “digital risks are solely a technical issue” remains a persistent problem today; it is a statement we often encounter during initial introductory meetings.
In reality, it’s just as much a strategic/organizational issue. It’s about risk management:
- Making decisions about specific priorities
- Making decisions about investments
- Determining a policy for the future
Has anything fundamental changed today regarding boardroom responsibility?
We’re seeing clear shifts in boardroom responsibility. Although ensuring continuity has been a core task for years, and cybersecurity has always been implicitly included, new legislation such as the NIS2 directive does emphasize this responsibility.
At ACEN, we look at responsibility more broadly than just the legal context. As cybersecurity advisors, our core focus is on risks. If you start to study the legislation in detail to determine what you will and won’t do, you’ll be disappointed.
Every entrepreneur, no matter how big or small, embraces digital technology. It’s a powerful enabler for any business. With new opportunities come new challenges, in this case cyber threats. Unfortunately, we also see that entrepreneurs tend to underestimate the risks of digital entrepreneurship.
However, the board does have a duty to ensure that the organization handles its data securely and that it is therefore sufficiently resilient in the event of a cyber threat.
A corporate body that monitors financial health, sustainability issues, or innovation should also monitor digital resilience these days.
Or put another way… good governance means looking ahead, recognizing risks, developing adapted strategies, and acting accordingly. This applies to cybersecurity as much as to any other domain within the company.
Act as a prudent and reasonable person
While “liability” sounds very legalistic (and, of course, it partly is), for us it’s essentially about taking responsibility. In this case, not only after the cyber incident, but also beforehand.
As a director, you have a duty to act as a “prudent and reasonable person” in the best interests of the organization. This means that a director must not ignore risks, especially when the signs are clearly demonstrated.
For example: you can continue driving with worn tires. Your car will still run, but you know the risk of an accident increases dramatically. Once that accident happens, you can no longer say you didn’t see it coming.
William Rosenhek, Cybersecurity Advisor @ ACEN
Good governance is also digital governance
As mentioned above, cybersecurity isn’t just a technical matter; it’s also a management responsibility.
Do you run a company? Of course, you don’t need to know how a firewall works, but you do need to understand the risks a cyberattack can pose to your company’s continuity and reputation.
Tips for good digital governance:
- Maintain cybersecurity as a regular priority on the management (board of directors) agenda.
- Request regular reports from your IT or security team, mapping and monitoring your organization’s cybersecurity maturity.
- Stay informed about new developments in cybersecurity through training (and awareness sessions).
- Dare to question yourself, the entire board, and the organization. Make sure you ask the right questions. (How vulnerable are we really? What would a ransomware attack mean for us? Are our employees sufficiently familiar with the subject?)
The solution?
A strong cybersecurity posture starts with knowledge: where do we stand today and where do we want to go? At ACEN, we make this visible through our Cybersecurity Maturity Assessments, a structured method that balances people, processes, and technology.
To make it digestible for executives, such an assessment translates the technical details into strategic insights such as:
- How well are our risks mapped?
- Which measures have the greatest impact?
- How can we deploy our resources more efficiently?
Our assessments are based on the CCB CyberFundamentals framework, developed by the Centre for Cybersecurity Belgium. This framework consolidates best practices from global standards such as NIST, ISO, and CIS Controls, allowing us to systematically map your company’s capabilities. Based on this, we can define the most impactful steps to measurably improve your cybersecurity posture.