Cybersecurity - a strategic business issue

Margarita Sallinen and Daniel Lilliehöök
This article was first published in Current Security on April 14, 2025.
Sweden is one of the most connected countries in the world, which creates great business opportunities for companies, but also greater exposure to cyber threats. With increasing threats and stricter requirements from both EU regulations and the Swedish government, cybersecurity has become a priority for more and more businesses. Management teams have become more aware of the importance of cybersecurity, and many companies are hiring cybersecurity experts and consultants to address these challenges.
Nevertheless, a key question remains: what role should management play in cybersecurity?
From IT issue to business strategy decision
A common misconception today is that cybersecurity is only about technology and IT systems, but in reality it is a business strategy issue that directly affects business continuity, profitability and trust. Business leaders who see cybersecurity as an integral part of their business strategy are better placed to manage both financial and operational risks. This is not only about protecting against cyber attacks, but also about ensuring that investments in cybersecurity help reduce risks in a cost-effective way.
What does this mean in practice?
Cybersecurity is fundamentally about risk management, much like other forms of risk management. Like financial and operational risks, cybersecurity risks need to be carefully analyzed and prioritized based on their impact on business operations. Management has a crucial responsibility to govern cybersecurity risks and integrate them into the overall business risk management strategy. This is to ensure that the organization - and therefore the business - can continue to function despite cyber attacks, data breaches or other cyber threats. Questions that management should ask itself include:
- How does a cyber attack affect our ability to deliver our services?
- What are the costs of an outage or data leak?
- How much risk reduction do we get for the money we invest in cybersecurity?
Being hit by ransomware is a concrete example of a business-critical risk linked to cyber threats. It is one of the biggest cyber threats to businesses today and is considered by many to be the biggest and most urgent single risk. Ransomware attacks can cause serious financial losses through, for example, business interruption, loss of revenue and legal consequences. In addition, a ransomware attack can lead to legal and regulatory penalties for non-compliance. By integrating cybersecurity into the overall risk management strategy, management can prevent and manage this type of risk more effectively.
Cybersecurity as an investment, not a cost
A structured approach to cybersecurity helps management take control of the costs of security. Instead of investing in the latest technology without a clear link to business benefits, the business can focus on investing in the measures that reduce the greatest risks. Measuring the effectiveness of cybersecurity efforts - and demonstrating how they are protecting the business from financial loss - is key to engaging in a more strategic dialog at the executive level.
How can this work be done in a systematic and continuous way? Incorporating information security as an integral part of the organization's management system, for example by implementing an ISO/IEC 27001 information security management system (ISMS), is a way to give management the power to control, measure and monitor security efforts. It gives the work the right business perspective and provides clarity on why different cybersecurity measures are implemented and how they contribute to the overall business objectives.
A strategic issue for the future
New regulations, such as the NIS2 Directive and the upcoming Cybersecurity Act, also increase the requirements for management accountability. For many organizations, this means that cybersecurity issues can no longer be delegated to the IT department. Instead, it's about understanding how digital risks affect the business and engaging at the right level.
Organizations whose leaders take cybersecurity seriously today and integrate it into their business strategy will be better prepared for the cyber threats of the future. By ensuring that cybersecurity is part of their business strategy, they can not only protect their business - but also create the conditions for profitability and growth.
Margarita Sallinen, Information Security Specialist, Omegapoint
Daniel Lilliehöök, Senior Information Security Specialist, Omegapoint
