Anett Numa: cyber risk is business risk and leaders must treat cybersecurity as a strategic issue

Anett Numa

We sat down with Anett Numa, Chief of International Affairs at Neverhack, to discuss why cybersecurity must be treated as a strategic leadership issue rather than just an IT problem.

Why should organisational leaders today see cybersecurity as a strategic management risk?

Cybersecurity is clearly no longer just a technical matter because the consequences of a cyber incident are rarely limited to IT systems. A serious attack can disrupt entire operations, damage a company’s reputation, expose highly sensitive data, create regulatory liability, and directly affect revenue and customer trust. In other words, cyber risk is business risk.

For leadership, this means cybersecurity must be treated the same as financial, legal, or other operational risks. Leaders make decisions about growth, digitalisation, outsourcing, supply chains, and investments, all of which have cybersecurity implications. If cybersecurity is managed only at the technical level, organisations often discover too late that their strategic decisions have created vulnerabilities.

The most resilient organisations are those where leadership understands cybersecurity as part of governance, continuity, and long-term competitiveness rather than merely as a technical safeguard. At Neverhack Estonia, we support our partners in making cybersecurity a strength of their business.

The EU’s NIS2 directive has introduced stronger cybersecurity requirements and placed greater responsibility on leadership. How do you see this changing the way organisations approach cybersecurity?

NIS2 is becoming important because it shifts cybersecurity out of a purely technical domain and makes it a leadership responsibility as well. It sends a very clear signal: boards and executives are expected to understand cyber risk, oversee it, and also take accountability for it.

In practical terms, this changes the conversation inside organisations. Cybersecurity can no longer sit in a different silo. Leadership must ensure there is proper risk management, incident reporting, supply chain oversight, business continuity planning, and clear governance. That means more board-level discussions, more cross-functional ownership, and stronger internal processes.

The biggest positive effect of NIS2 is that it encourages organisations to mature. Instead of asking questions like “Do we have the right tools?” they start asking, “Are we actually prepared to manage cyber risk as an organisation?” That is a much more strategic and valuable question.

Many organisations still treat regulation as a tick-box exercise. Why is it important that companies approach cybersecurity requirements as a real security issue rather than just compliance?

Because compliance alone does not guarantee resilience. A company may technically meet a requirement yet remain vulnerable in practice. Attackers do not care whether an organisation has completed its documentation; they care whether they can exploit weak access controls, poor visibility, or unprepared teams.

When regulation is treated as a tick-box exercise, organisations usually do the minimum required. That mindset creates a false sense of security. The better approach is to see regulatory requirements as a baseline, not the finish line. They should be used to strengthen the actual security posture, improve governance, and build real operational preparedness.

The organisations that benefit most from regulation are those that use it as a driver to improve how they work, not just as an obligation to satisfy.

Neverhack focuses on preventing cyber incidents rather than only responding to attacks after they happen. Why is this preventative approach so important in cybersecurity?

In cybersecurity, prevention is always cheaper, safer, and more effective than recovery. Once an incident occurs, the organisation is already dealing with disruption, uncertainty, financial loss, and, often, reputational damage. Even if the response is strong, the damage cannot always be fully undone.

A preventative approach means reducing the likelihood and impact of incidents before they escalate. That includes continuous monitoring, strong visibility over systems and endpoints, identifying weaknesses early, improving employee awareness, and building security into daily operations. It is about creating an environment where attackers have fewer opportunities and where suspicious activity is detected early.

At Neverhack, we see prevention not as a one-time action but as an ongoing discipline. The goal is not simply to react faster when something goes wrong, but to make serious incidents less likely in the first place.

Your team also runs crisis simulations in which organisations practise responding to cyber incidents. What do organisations typically learn from these exercises that they didn’t realise before?

One of the most common lessons is that organisations overestimate their preparedness until they test themselves. On paper, roles may seem quite clear, processes may look complete, and communication plans may exist. But in a realistic simulation, gaps quickly become more visible.

Organisations often realise that decision-making is slower than expected, that responsibilities are unclear, that escalation paths are incomplete, and that technical teams and business leaders do not always share the same understanding of priorities. Another major lesson is that cyber incidents are not just technical events; they immediately become management, legal, communication, and operational issues.

Crisis simulations are valuable because they reveal these weak points in a controlled environment. They help organisations move from theoretical confidence to practical readiness, which is exactly what matters in a real crisis.

Estonia is one of the most digitalised societies in the world. How does operating in such a highly digital environment shape Estonia’s cybersecurity approach?

A highly digital society creates both efficiency and exposure. Estonia’s digital model depends on trust, availability, and secure access to services. When so much of daily life, public administration, and business activity relies on digital systems, cybersecurity becomes fundamental to how society functions.

This creates a mindset where cybersecurity is closely linked to resilience. In Estonia, the question is not whether cybersecurity matters, but how to ensure continuity in a digital-first environment. That has helped shape an approach that values preparedness, public-private cooperation, secure digital identity, and the ability to continue functioning even under pressure.

Operating in a highly digital environment also means that cybersecurity cannot be reactive. It must be designed into systems, governance, and national thinking from the start.

Looking ahead to the next five to ten years, what cybersecurity risks or trends should leaders already be preparing for today?

One major trend is the growing complexity of the attack surface. Organisations are relying more on cloud services, connected devices, outsourced partners, software supply chains, and AI-enabled tools. That creates more interdependencies and more points of weakness.

Another important issue is the increasing sophistication of attackers. Social engineering is becoming more targeted, automated, and convincing. We also expect more attacks that combine technical intrusion with psychological pressure, disinformation, or extortion.

Leaders should also prepare for the reality that resilience will matter as much as prevention. The question will not only be how to stop attacks, but how to continue operating when disruption happens. That means stronger continuity planning, better crisis leadership, and more realistic testing.

In the coming years, cybersecurity leadership will increasingly be defined by an organisation’s ability to anticipate, adapt, and recover, rather than defend.

What will actually happen in Estonia if a major cyberattack disrupts critical government digital services for a day? What would that teach organisations about preparedness?

If critical digital government services were disrupted for a day, the impact would be immediate and visible. Depending on which services are affected, this could prevent access to public services, disrupt citizens and businesses, interrupt administrative processes, and place significant pressure on communication channels and support functions.

But the most important lesson would be about dependency. In a highly digital society, even a short disruption shows how many everyday processes depend on systems being available and trusted. It would highlight the importance of continuity planning, alternative processes, clear communication, and decision-making under pressure.

For organisations, the message is simple: resilience cannot depend on the assumption that systems will always be available. Preparedness means knowing how to operate when they are not.

Many companies still assume cyber incidents are unlikely to happen to them. In your experience, what is the biggest misconception leaders have about cybersecurity today?

The biggest misconception is that cybersecurity is mainly about protecting against rare, highly sophisticated attacks. In reality, many incidents occur due to ordinary weaknesses: poor visibility, weak processes, inconsistent patching, human error, unclear responsibilities, or lack of preparation.

Another misconception is “we are too small” or “we are not an obvious target.” Today, organisations are often targeted because they are connected, vulnerable, or part of someone else’s supply chain, not because they are well-known. Attackers do not always need a specific motive; opportunity is often enough. And even more, the use of AI is making it easier for attackers, especially to target smaller companies.

The most mature leaders understand that cybersecurity is not about assuming the worst, but about accepting reality. Incidents are not exceptional anymore. The real differentiator is whether an organisation is prepared.
