25.06.2025

TL;DR

  • Only 20% of CISOs report directly to the CEO – the rest are buried deep within the IT organisational chart.
  • Under the EU’s NIS2 Directive, executives are now personally liable for security shortcomings – dramatically elevating the CISO’s strategic importance.
  • More than 50% of CISOs experience burnout.
  • The modern CISO is a risk manager – not a technologist – and articulates security in business terms.
  • Three KPIs translate security into boardroom language: Risk Exposure (in Euro), Compliance Maturity, and Security ROI.

The CISO of an industrial company had requested budget for a Security Operations Center (SOC) for two years. Then came the ransomware attack: three weeks of operational downtime, €12 million in damages. Budget approval arrived the day after systems were restored.


Too little influence to prevent incidents – yet full accountability when things go wrong: the CISO dilemma. NIS2 changes the rules of the game.


The Structural Problem

The CISO reports to the CIO, the CIO to the CFO, and the CFO to the CEO – three layers separating cybersecurity from executive leadership. Security budgets compete directly with IT infrastructure projects. Security risks are communicated as IT risks – not as business risks.

The solution: A direct reporting line to the CEO or executive board. Cybersecurity sits alongside market risk, financial risk, and operational risk.


NIS2: Personal Liability

Under the EU’s NIS2 Directive, company executives are personally liable for implementing appropriate cybersecurity measures. In Germany, this affects an estimated 30,000 companies.

For the CISO, the dynamic shifts: he or she is no longer the supplicant, but the individual whose involvement shields the board from personal liability.

From Technician to Risk Manager

Business Acumen: He understands how the company generates revenue and where security protects value creation.

Communication: Instead of firewalls and patches, he speaks in terms of risk exposure, business impact, and security ROI.

Strategic Thinking: He prioritises based on business risk – not technical elegance.

Three KPIs for the Executive Board

Risk Exposure in Euro: Probability of occurrence × expected loss. The FAIR methodology makes this assessment systematic.

Compliance Maturity: A 1-5 scale aligned with NIS2, ISO/IEC 27001, and BSI IT-Grundschutz (BSI Basic IT Protection). Includes benchmarking against competitors.

Security ROI: Value generated per euro invested in security – covering avoided incidents, reduced insurance premiums, and fulfilled compliance obligations.
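To show how the two quantitative KPIs above can be produced in practice, here is an added worked example (not code from the article or from the FAIR standard): a small FAIR-style Monte Carlo that turns three-point estimates of event frequency and loss magnitude into a risk exposure in euro, and derives a security ROI for a control from the change in exposure. The ransomware scenario figures, the SOC's assumed effect, the triangular sampling and the ROI formula are illustrative assumptions.

```python
import math
import random
import statistics

# Constructed, hypothetical ransomware scenario (not figures from the article):
# loss event frequency per year and loss magnitude per event as (min, most likely, max).
RANSOMWARE = {"frequency": (0.05, 0.2, 0.5), "magnitude": (500_000, 4_000_000, 12_000_000)}
# Assumed effect of a SOC: earlier detection lowers both how often an attack succeeds and its cost.
WITH_SOC = {"frequency": (0.02, 0.08, 0.2), "magnitude": (100_000, 800_000, 3_000_000)}


def _poisson(rng, lam):
    """Number of loss events in one simulated year (Knuth's method; fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenario, years=20_000, seed=7):
    """Monte Carlo over many simulated years. Three-point estimates are sampled from a
    triangular distribution, a simplification of the PERT ranges FAIR analyses use."""
    rng = random.Random(seed)
    f_lo, f_mode, f_hi = scenario["frequency"]
    m_lo, m_mode, m_hi = scenario["magnitude"]
    losses = []
    for _ in range(years):
        events = _poisson(rng, rng.triangular(f_lo, f_hi, f_mode))
        losses.append(sum(rng.triangular(m_lo, m_hi, m_mode) for _ in range(events)))
    return losses


def risk_exposure(losses):
    """Boardroom figures in euro: expected annual loss and a 90th-percentile 'bad year'."""
    return {"expected": statistics.mean(losses), "p90": statistics.quantiles(losses, n=10)[-1]}


def security_roi(exposure_before, exposure_after, annual_cost):
    """Net value returned per euro invested: (avoided expected loss - cost) / cost."""
    return (exposure_before - exposure_after - annual_cost) / annual_cost


if __name__ == "__main__":
    before = risk_exposure(simulate_annual_losses(RANSOMWARE))
    after = risk_exposure(simulate_annual_losses(WITH_SOC))
    print(f"without SOC: expected €{before['expected']:,.0f}, p90 €{before['p90']:,.0f}")
    print(f"with SOC:    expected €{after['expected']:,.0f}, p90 €{after['p90']:,.0f}")
    print(f"SOC ROI at €800k/year: {security_roi(before['expected'], after['expected'], 800_000):.2f}")
```

The expected value is the "Risk Exposure in Euro" line item; the p90 is the number that makes a board take the tail seriously, and the ROI compares the reduction in expected loss against the running cost of the control.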


Frequently Asked Questions

To whom should the CISO report?

Directly to the CEO or to a member of the executive board who is not the CIO. Reporting to the CIO creates a conflict of interest.

How large should the security budget be?

10-15% of the IT budget – or up to 20% for highly regulated industries – guided by quantified risk exposure.

Does a mid-sized company need a CISO?

Yes, if it has 500 or more employees. Smaller companies can engage a virtual CISO (vCISO) for €3,000-€8,000 per month.


Source of the cover image: Unsplash / Hunters Race

A magazine by Evernine Media GmbH