From firefighting to foresight: Why governance is the key to strong cybersecurity

A pattern hiding in plain sight

Every time a major cyber incident dominates the headlines, the same story repeats itself. At first, the narrative focuses on the technical dimension: a vulnerability left unpatched, a firewall misconfigured, or credentials stolen. But as investigations progress, another, deeper story emerges. The breach was not simply about code or systems — it was about leadership. It was about decisions that were not taken, risks that were not prioritized, and accountability that was absent. The lack of governance is often the root cause.

This pattern should alarm us. Because if the root cause of our most damaging breaches lies in governance rather than technology, then our current approach to cybersecurity is dangerously incomplete.

One breach that changed the conversation

Take the case of Equifax, one of the largest consumer credit reporting agencies in the United States. In 2017, Equifax suffered a data breach in which the personal data of roughly 147 million Americans was compromised. The technical root cause was a known vulnerability (CVE-2017-5638) in the Apache Struts web framework, a widely used open-source component. A patch had been published in March 2017. The intrusion began in May, and the breach was not discovered until late July. Yet the organization failed to act in the months it had. Why? Because no one felt responsible for making sure the patch was applied. No process escalated the urgency of the risk. No oversight ensured that leadership understood the stakes.

Equifax became a global cautionary tale, not of technological weakness, but of governance failure. A problem that should have been straightforward to solve by applying a patch spiralled into a catastrophe because leadership structures were not in place to ensure accountability and action.

When leadership fails, trust breaks

The same lessons can be drawn closer to home, and not only from cyber incidents. Danske Bank's money laundering scandal, which came to light in 2017, exposed systemic weaknesses in risk management and leadership oversight. Roughly €200 billion in suspicious transactions flowed through the bank's Estonian branch between 2007 and 2015 because governance structures were ineffective, fragmented, or ignored. The result was devastating fines and reputational damage that still shadows the organization years later.

Or consider the Vastaamo case in Finland, where an attacker exfiltrated deeply sensitive psychotherapy records in intrusions in 2018 and 2019, then published them in 2020 and extorted both the company and individual patients. The public outrage was enormous, not only because of the breach itself, but because the leadership response lacked transparency and accountability: the company's then-CEO had known of an intrusion since early 2019 yet did not report it, and was later convicted of a data protection offence for that failure. Victims were left vulnerable at the moment when they most needed protection.

From firefighting to foresight

These cases reveal a hard truth: without governance, cybersecurity devolves into firefighting. Organizations react to incidents as they happen, rushing to contain damage while struggling with unclear roles, conflicting responsibilities, and inconsistent processes. In this state, security becomes a matter of luck rather than design.

Governance offers a way out of this chaos. It provides clarity, structure, and foresight. With governance, risks are managed systematically rather than reactively. Responsibilities are defined, accountability is enforced, and priorities are aligned with the broader business strategy. Well-established frameworks for managing information security, such as ISO/IEC 27001 and the NIST Cybersecurity Framework, serve as compasses, turning abstract principles into practical guidance.

Frameworks and standards create a common language across the organization, so that security is not seen as a technical add-on but as part of the rules of the game that everyone understands.

Beyond frameworks, a growing set of EU regulations now mandates clear oversight and robust governance in cybersecurity and technology risk management. The European Union's NIS2 Directive (Directive (EU) 2022/2555), for example, significantly raises the bar for essential and important entities in critical sectors: management bodies must approve and oversee the organization's cybersecurity risk-management measures, undergo training, and can be held personally liable for breaches of the directive, while incident reporting is tightened to an early warning within 24 hours and a full notification within 72 hours of becoming aware of a significant incident.

Similarly, the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), applicable since 17 January 2025, imposes stringent governance and resilience obligations on financial entities, demanding management-body accountability for ICT risk, oversight of ICT third-party providers, ICT-related incident reporting, and regular digital operational resilience testing. The EU AI Act, already in force, with most of its provisions applying from 2 August 2026, will also require organizations to implement governance frameworks for the development, deployment, and monitoring of artificial intelligence systems, emphasizing accountability, transparency, and risk management throughout the AI lifecycle.

Together, these regulations reflect a broader shift: strong governance is not just best practice but a legal and strategic imperative for organizations operating in an increasingly complex and regulated digital environment.

The business value of governance

It is tempting to view governance as an administrative burden, a box-ticking exercise to satisfy regulators. But in reality, governance is a source of competitive advantage. Organizations that can demonstrate strong governance win trust more easily. Customers and partners are reassured when they see that oversight is transparent, accountability is clear, and security is prioritized. Investors, too, are more willing to commit when they know risks are actively managed.

Consider Norsk Hydro's experience during the March 2019 ransomware attack. When the company was hit by LockerGoga, operations across multiple plants in several countries were disrupted, forcing a shift to manual processes. Instead of hiding the incident or paying the ransom, Hydro demonstrated exceptional governance: leadership communicated openly with employees, customers, and the public, providing daily updates and full transparency.

Norsk Hydro’s board backed a clear crisis management structure, prioritizing safety, continuity, and trust over short-term financial concerns. This approach not only contained the damage but also strengthened Hydro’s reputation globally. Investors and partners praised the company’s openness, and Hydro turned a severe cyber crisis into a case study in resilience and trust-building — proving that governance is not just compliance, but a strategic asset.

The future – Governance in the age of complexity

The world that organizations now navigate is more complex than ever. Supply chains span multiple countries, cloud services blur the boundaries of responsibility, and emerging technologies such as artificial intelligence and the Internet of Things multiply exposure to risk. Meanwhile, regulators around the globe issue new requirements at an accelerating pace, creating a shifting compliance landscape. Add to this the human factor—skills shortages, decision fatigue, and competing priorities—and the challenge becomes daunting.

Traditional governance, built for slower and simpler times, is no longer sufficient. What is needed is adaptive governance: frameworks that evolve alongside business models and risk landscapes. Data-driven oversight, using real-time dashboards and analytics, must become the new norm for executive and board-level decision-making. Artificial intelligence will assist by automating compliance monitoring and detecting anomalies faster than human teams can manage. Just as importantly, governance must be woven into organizational culture. Security cannot remain a separate function; it must be integrated into agile development, DevOps pipelines, and digital innovation. And because cyber risk transcends national borders, governance must extend beyond the enterprise, fostering global collaboration and shared standards of defence.

Conclusion: Leading with governance

The evidence is overwhelming. Breaches are rarely just about technology. They are about governance: leadership, accountability, and the structures that translate intention into action. Governance is what transforms information security from firefighting to foresight, from a sunk cost to a source of strategic value.

Information security, at its core, is about trust. Trust is built not on technology alone, but on the courage of leaders to govern wisely.

Governance is the compass that turns risk into opportunity, fear into trust, and complexity into clarity.

The future of cybersecurity will not be defined by those who passively wait for change. It will be defined by those who lead it.

Key takeaways

  • Major breaches are not primarily technical failures but failures of governance.
  • Strong governance bridges strategy and security, aligning priorities with business goals.
  • Leadership accountability and clear responsibility structures are essential for resilience.
  • Well-established frameworks provide a compass for structure, clarity, and improvement.
  • A growing number of EU regulations mandate clear oversight and governance, with explicit accountability enforced.
  • Governance creates business value by enabling compliance, building trust, and securing competitive advantage.
  • Future governance must be adaptive, data-driven, AI-assisted, and globally collaborative.

By Peter Hellström
Head of Cybersecurity Management Consulting
DNV Cyber  

References

DNV Cyber (2025). Frontline insights: The Norsk Hydro cyberattack – A reflection on the importance of securing digital identities. https://www.dnv.com/cyber/insights/articles/frontline-insights-the-norsk-hydro-cyberattack-a-reflection-on-the-importance-of-securing-digital-identities/

Electronic Privacy Information Center (n.d.). Equifax Data Breach. EPIC. Retrieved 31 October 2025, from https://archive.epic.org/privacy/data-breach/equifax/

European Commission (2023). Digital Operational Resilience Act (DORA). https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/digital-operational-resilience-act-dora_en

European Commission (2024). The EU Artificial Intelligence Act: Key provisions. https://digital-strategy.ec.europa.eu/en/policies/european-ai-act

European Union Agency for Cybersecurity (ENISA) (2023). NIS2 Directive: Overview and implications. https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-directive-new

Hydro (2019). Cyber attack – How Hydro responded. https://www.hydro.com/en/global/media/on-the-agenda/cyber-attack/

The Corporate Governance Institute (2023, October 18). Scandal at Danske: A striking saga of lousy governance. https://www.thecorporategovernanceinstitute.com/insights/news-analysis/scandal-at-danske-a-striking-saga-of-lousy-governance/

Yle (2023, February 28). Uhrimäärältään Suomen suurimman rikosjutun epäilty saapuu oikeuden eteen – tässä viisi keskeistä kysymystä Vastaamo-tapauksesta [The suspect in Finland's largest criminal case by number of victims appears in court – five key questions about the Vastaamo case]. https://yle.fi/a/74-20019922


Don’t wait for the next crisis to test your organisation’s resilience. Our cybersecurity management consulting team helps boards and leaders build robust governance, clear accountability, and proactive security strategies — so you can protect your business, earn trust, and stay ahead of evolving threats.

Contact us today to schedule a confidential consultation and discover how strong governance can transform your cybersecurity from a compliance cost into a competitive edge.