This is how you convince management to invest in information security

NIS2 and DORA are on everyone's security agenda

In recent years, the need for better safety legislation has increased and new rules have come into force. Since 2018, for example. The NIS Directive, which improves cybersecurity within the EU and protects critical infrastructure. In 2023, DORA was launched to increase digital security for the financial sector, and by October 2024, NIS2 will become national legislation.

– I think the administration will start to “hound” their organization in the same way as with the GDPR. Both NIS2 and DORA will be fined, but the panic many felt before GDPR will be easier to deal with because most people now have a functioning organisation, says Per Gustafsson, chief information security officer at Stratsys.

Three arguments justify investing in information security

Although companies increasingly recognize the importance of information security, it can be difficult to convince management to prioritize the necessary investments. Here are three ways to justify value:

1. You get evidence that enhances your competitiveness. Certificate ISO-27001 It shows that you prioritize information security, demonstrates your security to the outside world and provides competitive advantages.
2. Information security prevents major losses. With the help of a cost analysis, you can provide details about what downtime will cost you.
   How big is the loss of customers, for example? I mean if you can't deliver for a while?
3. It's an investment that pays off in the long run. Although it requires high costs initially, information security leads to significant savings. By identifying what is critical, and focusing on protecting it, the investment will be worth it.

Therefore, culture is more important than processes

The question is not like that if Will your company suffer – the question is when. What determines the extent of damage is how well you handle crisis situations. In addition to having a competent CISO, the right system and an established information security business, culture is an essential element:

– Culture trumps process every time. Thanks to a strong corporate culture, you can trust that everyone is doing their job and knows how to act on various security matters. With this security, the employee who made a mistake will contact you directly – and that's exactly what you want, concludes Per Gustafsson.

Want to know how Stratsys can help your organization take information security to the next level? Read more about our country Information security tools!