Welcome to our Cyber Security News Aggregator.

Cyber Tzar provide a cyber security risk management platform, including automated penetration tests and risk assessments culminating in a "cyber risk score" out of 1,000, just like a credit score.

Why C-suites need to lead the charge with cybersecurity

published on 2025-04-28 07:32:00 UTC by James Thorpe

Rick Vanover, Vice President of Product Strategy, Veeam, explains why senior executives need to take a more proactive approach to cybersecurity.

The C-suite has long left data resilience and cybersecurity in the hands of security and IT teams.

It’s been a case of ‘leave it to the experts’, and for a long time, that made sense.

But as organisations have become increasingly dependent on technology and breaches have become a case of ‘when’ rather than ‘if,’ cybersecurity has become a part of everyone’s day-to-day.  

Recent cybersecurity regulations (including NIS2 and DORA) reflect this, enshrining corporate accountability into their requirements.

Now, in the event of a breach, it’s not just the CISO that can be held responsible, but the entire C-suite.  

They are directly accountable for management and training on cybersecurity measures and will also face penalties for non-compliance.

Most are waking up to the fact that just assuming their security teams and third-party providers have everything covered is now a real risk.

If gaps exist, or if they’re not supporting the process enough, it’s their reputation on the line.

Collectively, boards need to be educated on cyber threats as they face the risk of individual fines alongside the wider organisation.

It’s time for them to step up and engage with the processes themselves.   

Spotlight on the C-suite   

Naturally, it’s unreasonable to expect most executives to be cybersecurity and resilience experts.

For many, this could be the first time they truly interrogate their data resilience and incident response plans.

With cyber threats mounting and regulations tightening, executives must not only accept that breaches are inevitable but also take proactive steps to strengthen their defences and ensure regulatory compliance.  

Under cybersecurity regulations, NIS2 in particular, the C-suite has gained a new laundry list of responsibilities.

For the first time, they must actively and directly manage cybersecurity risks and their organisation’s security strategy.

They’ll also be responsible for organisational risk management and mitigation, as well as incident reporting measures.

In addition, senior leaders who fail to comply face personal liability and the potential for fines of up to £7 million or 1.4% of global annual turnover for important entities, whichever is higher.  

So, the pressure’s on. C-levels will need to integrate their organisation’s resilience and incident response preparedness.

This will mean both investing in security and training, but also holding internal stakeholders to account.

And that’s the operative word here, accountability.

Regulation like NIS2 includes senior leadership in the accountability bubble not because it should all come down to them, but because they are the people with the weight to ensure everyone who should be responsible is.    

It’s not that C-levels need to become cybersecurity experts – far from it. These regulations don’t expect executives to know all the details inside and out.

They just need to be aware of how their incident response plans work. It’s the same as any physical security or safety plan.

As a C-suite, you’re only expected to oversee the plan, to be aware of where the first aid kit and the fire extinguishers are.

No one expects you to fight the fire itself or tend to wounds, just to ensure these things happen. 

In many ways, these regulations simply formalise a process that should have been occurring naturally within organisations.

For a long time now, the majority of business-critical functions have been digital, making cybersecurity a vital business outcome with the same importance as any other commercial aspect.

It’s only logical then that C-suites should be taking accountability. But for some C-suites, this hasn’t been the case.  

Cybersecurity can be a tricky priority to realise: often its benefit can't be seen until a breach actually occurs, and by then it's too late.

This is exactly why regulations like NIS2 and DORA have been introduced.

Bolstering resilience means that an organisation will be able to recover faster and minimise both the reputational and financial damage faced.    

But resilience doesn’t just stop internally. Organisations operate across an often complex web of key partners and suppliers.

Once they’ve got to grips with internal resilience, C-suites will be keen to extend this accountability externally.

From supply chain partners to IT and security vendors including backup-as-a-service (BaaS) providers, crucial links in the data resilience and recovery chain can’t be ignored.  

Third-party providers in the hot seat  

According to EY’s Global Third-Party Risk Management Survey, 44% of organisations expect to increase their work with third parties over the next 5 years.

As this trend continues, expect executives to scrutinise their third-party partners more closely, examining every aspect of their data resilience and incident response measures.

Previously, an agreement or certification may have given the C-suite adequate confidence.

However, with corporate accountability now a factor, there will be a stronger demand for greater accountability from third parties.  

This could manifest in several ways, from renegotiations of service level agreements (SLAs) to more in-depth investigations as executive leaders look to secure the chain of custody for their data resilience and investigate every step of the process.

While it’s impossible to outsource the risk and accountability to third parties, senior leaders need transparency from their third-party providers.

So when a breach does occur, the point of failure can be identified and acted upon promptly to avoid any penalties.   

Diving into the deep end   

These measures will certainly boost overall data resilience, but it’s impossible to eliminate the risk of a breach entirely.

Being compliant sadly doesn’t equal immunity from cyberattacks. 

Besides, regulations like NIS2 and DORA don’t ask you to become invulnerable.

Instead, it’s about mitigating as much risk as possible, and more than anything, being prepared to respond to incidents when they occur, which they will.   

You can have all of the SLAs, processes, and technology in the world, but it's impossible to certify them without testing.

This is the single most important step in addressing and improving resilience.

By all means, the C-suite should do all of the investigating necessary to build confidence in their data chain through suppliers, but they need to put this confidence to the test.

They can’t just rely on crossed fingers and hope.  

Consistent, comprehensive testing that pushes your measures to the edge, and not just in perfect conditions, is the only way to truly be confident in your incident response plans.

A breach can come at any time, so test at the worst time, when security teams are occupied or certain stakeholders are on leave.   

This practice doesn’t just benefit compliance, it sets you up to deal with the demands of the cybersecurity landscape as a whole.

Each day brings new attack surfaces and vulnerabilities, and C-suites need to ensure their incident response plans can keep up.

The consistent testing prompted by these regulations shouldn’t just be seen as a tick box, but as an opportunity to nurture a data-resilient and security-aware culture.   

Fundamentally, it’s about going beyond plans on paper.

First-person experience of your plans is integral. You can’t learn to swim by reading a book. The only way to learn is to try.

Sure, you might swim through it with no problems.

But you might also sink.

And it’s better to sink when you’ve got some armbands on hand, rather than during the real thing.   

This article was originally published in the April 2025 Edition of Security Journal UK.

Source: https://securityjournaluk.com/why-c-suites-need-to-lead-with-cybersecurity/
Published: 2025-04-28 07:32:00
Received: 2025-04-28 07:41:13
Feed: Security Journal UK
