As a CFO, I spend a great deal of time discussing risk. We assess interest rates, liquidity, investments, margins, and market developments. We create scenarios, analyses, and mitigation measures to protect the company’s assets and ensure long-term value creation.

Yet I still find that one of the most significant risks organizations face today is often treated as purely an IT issue. In my view, that is an outdated way of thinking.
When an organization's most critical processes are digital, customer data is digital, and supply chains are digital, the consequences of a cyberattack become financial. Production can come to a halt. Deliveries can be delayed. Customers can leave. Reputation can be damaged. The costs can be substantial, both directly and indirectly.
That is why I believe cybersecurity belongs in the boardroom alongside financial and operational risk. Good financial management is about protecting an organization’s ability to create value. Cyber risk must therefore be part of the decision-making process.
I find that many organizations still view security as a cost. It becomes an investment that must be justified and defended every budget cycle. At the same time, few question investments in finance functions, internal controls, or audits. We recognize that these functions reduce risk and contribute to better governance.
IT security is about ensuring stable operations, protecting cash flows, maintaining delivery capabilities, and preserving trust among customers and business partners. The board is responsible for the organization’s overall risk landscape. In my opinion, that responsibility also includes understanding which digital threats may impact the company’s strategy and financial performance.
To achieve that understanding, the board must know which digital assets are most critical and what level of risk the organization is willing to accept. The board must also understand how a major security breach would affect operations and financial performance. Downtime can mean anything from significant revenue loss to business failure.
The board must therefore know whether the organization can detect attacks early and whether it has a plan for responding to them. Having visibility into digital assets, risk exposure, and response capabilities is ultimately a matter of good corporate governance.
At the same time, governance alone is not enough. A risk matrix will not protect an organization if a threat actually materializes. This is why we see a clear trend where more organizations are combining governance with operational security through a Security Operations Center, or SOC.
I often compare this to the finance function. No one would accept financial management being reviewed only once a year when the accounts are closed. We continuously monitor liquidity, margins, and key performance indicators because we want insight before problems become serious.
A modern security operations center serves the same purpose for cybersecurity. It continuously monitors the organization, identifies anomalies, detects threats early, and enables rapid response when incidents occur.
To me, this is a strong example of how strategy and operations must work together. Good governance provides direction, defines risk tolerance, and establishes accountability. The operations center ensures the organization actually has the capability to detect and respond to incidents in practice. One cannot function effectively without the other.
We also see regulatory frameworks such as NIS2 and DORA moving responsibility higher up within organizations. Executive management and boards are increasingly expected to take ownership of cyber risk in the same way they do with other business risks. I believe this development is both necessary and appropriate.
The organizations that will succeed most effectively are those that integrate cybersecurity into corporate governance while simultaneously building the operational capability needed to respond when incidents occur.
Ultimately, this is about protecting an organization’s ability to create value. As an increasing share of that value becomes digital, cybersecurity becomes a natural and essential part of responsible financial management.

