Governance: it is crucial for companies to contain cyber risk
Cyber risk awareness plays a key role in governance. The role of Boards of Directors
The digital threat scenario burdens companies as an operational-level risk. Dealing with this risk from a sustainable perspective means transforming the governance approach and the accountability (responsibility) of corporate decision-makers. This is confirmed by experts in security operations and by European regulations (Nis, Dora), but above all the World Economic Forum (Wef) reiterates: "Organisations can transform cyber risk into resilience and trust into sustainable value creation." The call for leaders and decision-makers is to redefine the roles of security, starting from strategy, so that cyber security evolves into an enabler of growth, a lever of trust and a tool for sustainable innovation. But "adaptive governance" is also needed, as Oreste Pollicino, professor and founder of AIdvisory, explains.
Cybersecurity as a strategic imperative
According to the Wef Global Cybersecurity Outlook 2025 survey, for almost twice as many respondents, the biggest consequences of cyber incidents are brand damage and loss of customer trust. In general, cybersecurity is seen as a business risk, but on cybersecurity risk priorities there is still a mismatch between the executive level and security operations staff.
The former consider the priorities to be limited to IT systems, while the latter are aware of the systemic effect on the entire organisation. An initial remedy has come from major European regulations, which have imposed specific accountability for digital security risks on boards of directors and senior decision-makers, demanding that this responsibility be integrated into corporate governance processes, including risk and vendor management. Microsoft, in its Digital Defence 2025 Report, among its action measures calls on boards of directors to manage cyber risk as one of their operational risks, treating cyber security as a challenge on a par with the financial or legal challenges affecting the sustainability of the entire company.
The Wef at the end of October further strengthened this approach with specific publications on the principle of resilience and on cyber risk governance, calling for interventions capable of guaranteeing corporate sustainability in the long term: provision of specific budgets for digital security, extension of delegated authority to security managers, regular consultation with those managers, and setting targets and incentives for the other managers called upon to collaborate in the prevention and resolution of cybersecurity risks. However, since there is no one-size-fits-all recipe for every type of company, adaptive governance can be considered.