Cybersecurity: How Ready Are Belgian Directors and Boards?
GUBERNA's Cybersecurity Sounding Board Committee conducted two exploratory surveys with its community of Belgian directors, focusing on cybersecurity governance. The surveys aimed to evaluate how directors perceive cybersecurity within their strategic frameworks, how aware they are of cybersecurity issues, and how deep their knowledge of the topic is. Specifically, the surveys examined indicators of governance maturity such as how often cybersecurity appears on the board's agenda, whether a clear incident response plan exists, whether accountability for cybersecurity is well defined, and whether cybersecurity audits are conducted regularly.
This article provides an overview of the key conclusions from the Cybersecurity Sounding Board, offering valuable lessons for industries with lower levels of cyber maturity based on insights from more cyber-mature sectors.
The full survey report is available here, or at the bottom of this page. For more information about the Sounding Board Committee for Cybersecurity, visit this link.
1. Strategic Alignment and Governance
Directors from more cyber-mature industries recognise cybersecurity as an integral part of their strategic oversight, not merely a technical issue relegated to IT departments. These organisations typically integrate cybersecurity with their business strategies, ensuring it supports their overall goals and protects their operations and reputation.
Best practices:
- Regular Board Discussions: In less mature industries cybersecurity surfaces on the agenda only sporadically; in more mature sectors it is a standing item, which keeps strategy and preparedness aligned over time.
- Clear Governance Structures: Advanced industries often have defined roles and accountability for cybersecurity within the governance framework, a practice that should be emulated by all industries to enhance clarity and response capabilities.
2. Risk Management and Incident Response
High cyber-maturity industries excel in proactive risk management, including the development and regular testing of incident response plans. This proactive stance ensures that these organisations are not only prepared to handle incidents but can also mitigate risks before they escalate into serious threats.
Best practices:
- Develop and Test Incident Plans: Adopt practices from more mature industries by not only having a cybersecurity incident plan in place but also regularly testing and updating it.
- Anticipate Regulatory Changes: More mature industries are adept at staying informed about and compliant with current and upcoming cybersecurity regulations, a practice that enhances resilience and governance.
3. Training and Knowledge Management
Directors in cyber-mature sectors actively engage in continuous education and training on cybersecurity, maintaining an up-to-date understanding of the landscape, which significantly enhances their decision-making capabilities.
Best practices:
- Enhance Director Education: Emphasise the need for tailored cybersecurity education and training for directors to close knowledge gaps and foster informed decision-making.
- Regular Updates and Briefings: Implement regular briefings and updates on cybersecurity trends and incidents to keep the board informed and proactive.
4. Engagement with Standards and Frameworks
The use of established cybersecurity standards and frameworks is prevalent in more mature industries. These standards help organisations maintain robust cybersecurity postures and align with best practices.
Best practices:
- Adopt and Adapt Frameworks: Encourage the adoption of industry-standard cybersecurity frameworks and guidelines to strengthen defences and organisational policies.
- Benchmarking and Peer Learning: Engage in benchmarking against industry peers to identify best practices and areas for improvement in cybersecurity.
5. Culture and Awareness
A strong cybersecurity culture, supported by regular training and awareness programs, is a hallmark of more mature industries. This cultural emphasis helps prevent breaches and fosters a proactive stance across the organisation.
Best practices:
- Build a Culture of Cyber Awareness: Cultivate a company-wide culture of cybersecurity awareness to enhance protection across all levels of the organisation.
- Resource Allocation: Invest in cybersecurity resources, including skilled personnel and technology, to bolster the organisation’s cyber resilience.
6. Personal Liabilities of Individual Directors
In the context of cybersecurity, individual directors face increasing personal liability as regulators and stakeholders hold them accountable for breaches and for lapses in cyber governance. Directors in more cyber-mature industries are often better informed about their legal responsibilities and the implications of non-compliance. They proactively ensure that their organisations adhere to the relevant laws and regulations, thereby mitigating their personal risk. Less mature sectors can benefit from this approach by educating their board members on the personal liabilities associated with cybersecurity failures: the legal actions, financial penalties and reputational damage that can follow from inadequate oversight or from a failure to enforce robust cybersecurity measures. Emphasising personal accountability not only helps protect the organisation but also aligns the interests of individual directors with the broader goals of cybersecurity governance.
Conclusion
The gap in cybersecurity practices between industries with varying levels of maturity offers significant learning opportunities. Directors in less cyber-mature industries can leverage these insights to enhance their cybersecurity posture, align it with strategic business objectives, and foster a culture that prioritises and understands the importance of cyber resilience. Adopting these practices will not only protect against current threats but also prepare organisations for emerging challenges in the digital landscape. Given the increasing regulatory pressure in this field (cf. NIS-2, CRA, DORA*), adopting these practices will also help to avoid fines and claims, and will generate trust among all stakeholders. That trust is what carries the business forward.
For any comments, questions or queries on cybersecurity issues, you can get in touch with the Sounding Board committee members here.