Cybersecurity reflects organisational maturity

Cybersecurity is often framed as a technical issue – whether a firewall is in place, logs are collected or a risk analysis has been completed. These elements matter, but from a supervisory perspective, they scratch only the surface. In practice, cybersecurity is closely tied to an organisation’s overall level of maturity.

Cybersecurity is not merely a technical issue but a matter of management. Where leadership understands information security as a natural part of how the organisation functions, cybersecurity standards are also higher. Where information security is seen as a pointless obligation, an unavoidable nuisance or an external imposition, there is little reason to expect meaningful improvement.

If leadership does not take responsibility, make decisions, allocate resources or explain underlying principles, results will not follow. This applies equally in the public and private sectors, and in both large and small organisations. Documentation may be flawless, policies neatly drafted and audit folders carefully assembled, yet this amounts to only a semblance of information security that provides a false sense of security. In the worst case, this false sense of security quickly leads to an incident.

Illustration. Three men in suits and two women in dresses standing under a large pink umbrella. A row of colourful houses is visible in the distance against a blue background.

Cybersecurity is not an expensive box you buy and forget

We often hear that there is “no money” for cybersecurity. The assumption is that cybersecurity means costly hardware with flashing lights in a server room or cloud services with impressive names. In reality, the issue is not funding but the willingness and ability to think through the problems and follow agreed-upon rules. Asset inventories, clearly defined responsibilities, sensible access management, disciplined backups and change management are activities whose financial cost is often modest.

We still encounter the belief that supervision or audits should focus primarily on the existence of documents. In fact, documents are not for supervisors but for the organisation itself, to explain how processes are meant to work.

The focus of supervision is not on paperwork but on whether processes function in practice. Documentation should exist only to the extent that it describes and supports real activities. A mature organisation uses documents as working tools, while an immature one produces them to appease supervisors or auditors.

Standards do not replace understanding

It makes little difference in practice whether an organisation follows E-ITS, ISO 27001 or another framework, because problems rarely arise from an inability to implement controls. They emerge much earlier. Organisations often stumble at the asset-identification stage: they do not know what assets they have or how critical those assets are. From there follow the unanswered questions of why and how rigorously those assets should be protected, and who should make those decisions.

Checks frequently reveal that systems are treated as equal, that all risks are rated medium, and that controls are applied on the basis of a generic checklist rather than informed choice. Only after a serious incident do organisations realise that a system previously regarded as marginal is in fact business-critical.

Risk management is a useful litmus test here. When no distinction is made between risk and threat, when risks are treated as a formal table rather than a decision-making tool, security measures become arbitrary and either under- or over-engineered. In an immature organisation, risk analysis is a dirty word.

Responsibility cannot be outsourced

For smaller organisations, cooperation, joint procurement, and the use of shared or centralised services are often sensible and unavoidable. They make it possible to achieve more, more efficiently.

In supervision, however, we sometimes encounter the mistaken assumption that using a cloud or security service shifts substantive responsibility for information security to the provider. When asked about risk assessment or oversight of the service provider, organisations point to the contract or the provider’s reputation. In reality, the provider fulfils the contract but does not make strategic decisions on the organisation’s behalf. A mature organisation understands that responsibility remains with it even when services are outsourced.

Start with yourself

The level of cybersecurity is a direct reflection of organisational maturity: leadership culture, capacity for responsibility, clarity of processes and willingness to make decisions.

If an organisation wants to improve its cybersecurity posture, it should not start by searching for a new standard or the next technical solution. It should start with itself.

A mature organisation understands what it does, why it does it and who is responsible.

An immature one deals with symptoms rather than causes. In cybersecurity, this distinction becomes brutally clear.

Responsibility always rests with the organisation itself. When this principle is not understood, problems quickly begin to accumulate.

Last updated: 11.02.2026
