What keeps your CEO up at night? And why it’s the key to effective risk management

Identifying internal and external risks requires more than just a threat catalog. It’s about staying informed about what’s happening in the world, seeking out knowledge and, most importantly, basing the work on what leadership fears the most.

Published: April 15, 2025
Gry Josefine Løvgren
Content Specialist


Awareness and understanding of cybersecurity are growing in Danish executive teams.

That’s the conclusion drawn by information security expert Marie Bjerre Simonsen from Wired Relations and Head of Cyber Risk Advisory Sofie Freja Christensen from Dubex during a webinar on risk management.

“We're seeing more businesses being compromised by hackers, and increasingly experiencing existential threats. In some cases, so severe that they’re forced to declare bankruptcy,” says Sofie Freja Christensen, explaining the reason for the heightened awareness.

The growing cyber awareness is a positive development – not only because executive leadership now carries personal responsibility under the NIS2 directive, but also because their insights make it easier for those conducting risk assessments to target what truly matters to the organisation.

Think in scenarios

Risk assessments are the foundation of a strong information security program, and identifying the most relevant risks for your organisation requires a focused effort.

Threat catalogs can be a useful source of inspiration, but both Sofie and Marie emphasise the importance of thinking beyond them.

Instead, you should start with a blank piece of paper and ask: What do we see in our own reality? What are we most concerned about? This way, you avoid being constrained by existing assumptions.

“It’s incredibly important to understand what leadership is afraid of,” says Marie.

“If we only look at the risks we’ve already identified, it becomes very static. We need to elevate the conversation to the highest level and ask: Are these still the issues that matter most to our business?” Sofie adds, stressing that risk assessments should be reviewed at least once a year.

According to Marie, a great way to start the dialogue with the leadership is by talking in scenarios.

“Asking, ‘What are we most afraid could happen?’ is something I’ve used quite actively. It quickly sparks conversation because you begin discussing specific scenarios. What would be truly catastrophic for us? That is threat-based – it stems from a threat. But you're warming up the discussion in a more practical way.”

It’s a far more accessible approach for an organisation than presenting a threat catalog, which the security lead might easily understand, but the business may struggle to translate into practice. This makes it easier for more people to engage and contribute, she explains.

Creativity enhances risk assessments

Beyond the risks that may keep your CEO awake at night, there are other ways to find inspiration for your risk work – and that often requires a bit of creativity. 

“There’s a tendency to have a fixed number of risks listed in an Excel sheet, and then you assume those are the only ones you need to consider. That can stifle creativity,” says Sofie.

That’s why it’s important to stay informed about what’s happening in the world – for example, through newsletters, media outlets, and professional networks.

“I’m not saying you need to follow the daily news religiously, but it does help to stay aware of what’s actually going on out there,” says Marie.

In particular, it’s valuable to look at what others in your industry are experiencing, and also to examine your own internal processes to identify whether anything is being done inefficiently or inappropriately.
