Intelligence Briefings

Insight you can act on.

Cybersecurity, compliance, AI governance, and technology talent. Analysis from the ground level, written for leaders who need to make decisions, not read another report.


Talent

Why Having the Right Cybersecurity Talent Is No Longer Optional

Jonathan Garzon
Founder & CEO, Garzon Cyber Solutions
January 23, 2026 · 5 min read

There's a version of this conversation that's been happening in boardrooms for the last decade. Security is important. We need to invest. We'll get to it after the next product launch, after the next funding round, after we've scaled.

The organisations still having that conversation are now operating in a different world — one where cybersecurity and technology are no longer support functions. They are critical business drivers affecting revenue, regulatory standing, and the ability to win and retain enterprise clients. The question is no longer whether to invest in the right talent. It's whether you can afford not to.

The Real Cost of Under-Resourcing

When security teams are understaffed or misaligned, the effects aren't always immediate and visible. They compound. Security leaders operate in permanent firefighting mode — reactive, stretched thin, unable to step back and build anything properly. Compliance initiatives get deferred. Tools get purchased but nobody owns them properly. Good people burn out and leave, and each time that happens the organisation reaches for another consultant or another platform, which compounds cost without addressing root cause.

  • 4.8M: cybersecurity roles unfilled globally
  • 71%: of UK organisations report persistent skills shortages
  • 14.2%: average CISO salary increase in the last year
  • <3 weeks: time the best candidates stay on the market

4.8 million cybersecurity roles are unfilled globally. In the UK, 71% of organisations report persistent skills shortages. CISO salaries have risen 14.2% in the past year. The best candidates are typically off the market in under three weeks. AI security has become the most in-demand specialism across the board — a category that barely existed two years ago.

Why Talent Selection Matters More Than Volume

The mistake most organisations make is treating cybersecurity recruitment like general IT hiring. It isn't.

Effective hiring in this space requires genuine understanding of the organisation's risk appetite, its budget realities, its regulatory context, and what a good hire actually looks like in that specific environment versus what looks impressive on paper.

"A misaligned hire at senior level doesn't just fail to deliver. It consumes resource, slows decisions, and in some cases actively increases risk exposure."

The right candidate becomes a force multiplier — someone who makes the whole security function more effective. The wrong candidate does the opposite, often while looking credentialed on the surface.

What the Right Hire Actually Delivers

Organisations that get security talent right don't just fill seats. They build teams where there is:

  • Clear ownership of security outcomes — no ambiguity about who is responsible for what
  • Faster decision-making — because the right people have the authority and context to act
  • Lower dependence on external consultants for routine security operations
  • Security programmes that mature over time rather than stagnate or regress
  • Better alignment between security investment and business priorities

That's a commercial advantage. The ability to demonstrate a mature, well-staffed security function is increasingly a competitive differentiator — particularly in enterprise sales cycles and in sectors where vendor due diligence is rigorous.

How GSC Approaches This

Garzon Cyber Solutions was built around the recognition that cybersecurity recruitment requires domain expertise, not just a recruitment process. We work with organisations to understand what they actually need — not what they think they need based on a job description written six months ago — and we match accordingly.

That means outcome-driven placement focused on capability over credentials. Contingency-based models that align our incentives with yours. Speed, because the window for the best candidates is narrow. And flexibility across permanent, contract, and interim engagements.

If the talent question is one you're navigating — whether that's a CISO search, building a GRC function, or trying to find someone who actually understands AI risk — the conversation is worth having.

Talk to us about your talent challenge

No pitch. No slide deck. A straightforward conversation about what you need and whether we can help.

jonathan@garzoncybersolutions.com

Sources: ISC2 Cybersecurity Workforce Study 2024 · DCMS Cyber Security Skills in the UK Labour Market 2024 · LinkedIn Talent Insights 2025

#CybersecurityTalent #CISO #SecurityRecruitment #CyberRisk #UKCyber #GarzonCyberSolutions
UK Threat Landscape

Half of UK Businesses Had a Breach Last Year. Most Still Don't Know Why.

Jonathan Garzon
Founder & CEO, Garzon Cyber Solutions
February 2026 · 4 min read

The DSIT Cyber Security Breaches Survey 2025 is out. The headline number: 50% of UK businesses reported a breach or attack in the last 12 months. For large enterprises, that rises to 74%.

Most people see that number and nod. They've seen versions of it before. What most organisations don't do is read it properly — past the headline, into what it's actually telling you about where the failure is.

  • 50%: of UK businesses reported a breach in 12 months
  • 74%: of breaches involved a human element
  • 85%: of cases where phishing was the entry point
  • £20M: ICO maximum fine per governance failure

The Number That Should Be in Every Board Pack

74% of breaches involved a human element. Not a zero-day exploit. Not an advanced persistent threat. A process failure, a misconfiguration, a phishing email that should have been caught.

That number matters because it shifts the diagnosis. Most organisations, when they think about security investment, think about technology. New tools, new platforms, better detection. But if three in four breaches come from human failure, the gap isn't in your tooling. It's in your architecture — the people, processes, and governance that sit around the tools.

"The ICO fine on British Airways was £20 million — for a single governance failure. In most organisations I speak to, that number still hasn't made it into board discussions."

What the Breach Data Is Actually Telling You

Phishing remains the entry point in 85% of cases. Ransomware incidents doubled in 2025. The average cost of cyber-facilitated fraud per incident is £10,000 — before downtime, reputational damage, and the regulatory conversations that follow.

The problem isn't a lack of awareness. Most leadership teams know they're exposed. The gap is between knowing and acting — and specifically, between acting and acting in a structured, deliberate way that produces a security posture that holds up under pressure.

Why Most Responses Miss the Point

The typical response to breach data is to buy something. A new endpoint product. A security awareness training platform. An additional monitoring layer. These aren't bad decisions in isolation. But without an architecture connecting them — without people with the ownership and authority to make the architecture function day to day — they're expensive additions to a broken system.

The organisations that come through this period well are those that stopped treating security as a compliance exercise and started treating it as an operational priority. That means the right framework, the right people, and the governance to back both up. All three. In that order.

Is your security posture defensible?

A no-obligation conversation about where your organisation sits against the current threat landscape — and what to prioritise.

Start the Conversation →

Sources: DSIT Cyber Security Breaches Survey 2025 · ICO Enforcement Register · IBM Cost of a Data Breach Report 2024

#UKCyber #CyberRisk #InfoSec #GDPR #NIS2 #DataProtection
Security Architecture

Tools Are Not Architecture — The Six Pillars of a Mature Security Framework

Jonathan Garzon
Founder & CEO, Garzon Cyber Solutions
February 2026 · 5 min read

Most UK businesses are not unprotected. They have endpoint tools, firewalls, cloud security products, and probably an incident response plan buried somewhere that hasn't been updated since the person who wrote it left the company.

What they don't have is a framework — something that connects all of it into something coherent. Documented. Tested. Defensible when a regulator, an acquirer, or a major client asks to see it.

The Distinction That Matters

There is a meaningful difference between having security tools and having a security architecture. Tools address individual vectors. Architecture defines how your organisation governs, manages, and responds to risk across every vector simultaneously.

An organisation with strong architecture and moderate tooling is typically better protected than one with best-in-class tools and no framework holding them together. Because architecture defines ownership. It tells you who is responsible for what, how decisions get made, and what happens when something goes wrong.

"The organisations that get breached are not always the ones with the fewest tools. They're often the ones with no architecture holding those tools together."

The Six Pillars of a Mature Security Framework

A defensible security posture requires six components — each necessary, none effective in isolation:

01 — Information Security Governance

Policies, procedures, and classification frameworks that define how your organisation treats information. Board-level oversight. Clear accountability from the top down. This is the foundation everything else sits on.

02 — Network Security

Controls governing how data moves across your infrastructure. Segmentation, access controls, monitoring, and the ability to detect lateral movement before it becomes a breach.

03 — Cloud Security

As workloads have migrated to cloud environments, the attack surface has expanded in ways many security frameworks haven't kept pace with. Configuration management, identity controls, and visibility across multi-cloud environments are non-negotiable now.

04 — Application Security

Security embedded into the development lifecycle — not bolted on after deployment. Code review, dependency management, API security, and the testing processes that find vulnerabilities before attackers do.

05 — Incident Management

The capacity to detect, contain, investigate, and recover from incidents. Not just a plan that exists on paper — an operational capability that has been tested, refined, and is genuinely executable under pressure.

06 — Security Management

The people, reporting structures, and ongoing programme management that keeps all of the above functioning. Risk reporting to the board. Supplier assurance. Continuous improvement processes. The operational layer that makes security a living programme rather than a static document.

Where Most Organisations Are Actually Failing

In practice, most organisations have reasonable coverage in pillars two and three — network and cloud security are areas where vendor products are mature and procurement is straightforward. The failures tend to cluster in pillars one, five, and six: governance, incident management, and the ongoing operational management of the programme.

These are the areas that require people, not just products. And they're the areas where talent gaps create compounding risk — because without the right people owning these functions, the framework exists in theory but not in practice.

Where does your framework stand?

A structured assessment of your current security architecture against these six pillars — identifying gaps before they become incidents.

Request an Assessment →

Sources: DSIT Cyber Security Breaches Survey 2025 · NCSC Cyber Security Framework · ISO/IEC 27001:2022

#SecurityFramework #ISO27001 #CyberResilience #CISO #ZeroTrust #CloudSecurity
Monthly Briefing

March in Review — Three Problems, One Root Cause

Jonathan Garzon
Founder & CEO, Garzon Cyber Solutions
March 2026 · 8 min read

March was a productive month for content — and looking back at the themes that came up across my posts and writing, there's a thread running through all of it worth pulling together properly.

Three topics. One underlying problem.

1. The Talent Problem Is Structural — Not a Pipeline Issue

I've been writing about this since January. The response tells me it hits a nerve. Most organisations don't have a talent problem in the way they think they do. They have a strategy problem dressed up as a hiring problem.

What I see consistently is security leaders operating in firefighting mode — permanently reactive, stretched thin, unable to step back and build anything properly. Compliance initiatives keep getting pushed. Tools get bought but nobody owns them. Good people burn out and leave. And each time that happens, the organisation reaches for another tool or another consultant, which compounds the cost without fixing the root cause.

  • 4.8M: cybersecurity roles unfilled globally
  • 71%: UK organisations with persistent skills shortages
  • 14.2%: average CISO salary increase this year
  • <3 weeks: best candidates stay on the market

The organisations that get this right don't just fill seats. They build teams where there's clear ownership of security outcomes, faster decision-making, lower dependence on external consultants, and security programmes that mature over time rather than stagnate. That's a commercial advantage, not just an operational one.

2. The UK Breach Figures Are Not Improving

The DSIT Cyber Security Breaches Survey 2025 came out and the headline numbers are stark. 50% of UK businesses experienced a breach in the last 12 months. For large enterprises that rises to 74%. Ransomware incidents doubled in 2025. Phishing remains the entry point in 85% of cases.

The ICO fine on British Airways — £20 million for a single governance failure — is the kind of number that should be making its way into board discussions, not just IT risk registers. In most organisations I speak to, it still isn't.

What the breach data tells you, when you read it properly, is that the problem isn't a lack of awareness. Most leadership teams know they're exposed. The gap is between knowing and acting — and specifically, between acting and acting in a structured, deliberate way that produces a security posture that actually holds up under pressure.

"This connects directly to the talent point. You cannot build a coherent security framework without the people to design, implement, and maintain it. The two problems are the same problem viewed from different angles."

3. The Framework Gap — Tools Are Not Architecture

Most UK businesses are not unprotected. They have endpoint tools, firewalls, cloud security products, and probably an incident response plan buried somewhere that hasn't been updated since the person who wrote it left the company.

What they don't have is a framework — something that connects information security governance, network controls, cloud posture, application risk, incident response, and security management into something that functions coherently. Documented. Tested. Defensible when a regulator, an acquirer, or a major client asks to see it.

The organisations that get breached are not always the ones with the fewest tools. They're often the ones with no architecture holding those tools together, and no people with the ownership and authority to make that architecture function day to day. Which brings you back, again, to talent.

What This Actually Means

I set up Garzon Cyber Solutions to operate across three service lines because these problems don't exist in isolation. A business that can't hire cybersecurity talent can't build or maintain a security framework. A business without a framework can't demonstrate compliance. A business that can't demonstrate compliance is exposed — to the ICO, to NIS2, to the contractual scrutiny that comes from enterprise clients running vendor due diligence. These aren't separate conversations. They're the same one.

The UK market is at a genuine inflection point. The regulatory environment is tightening. The threat landscape is not improving. The talent shortage is making it harder, not easier, for organisations to respond. The businesses that come through this period well will be the ones that stopped treating security as a compliance exercise and started treating it as an operational priority — with the people, the architecture, and the governance to back it up.

Looking Ahead to April

In April I'll be focused on two areas that are being significantly underestimated in the UK market right now.

The first is AI and IT compliance. The EU AI Act is already in force. ISO 27001:2022 introduced new controls specifically covering AI and cloud environments. DORA is live for financial services. Most UK organisations with any EU exposure have obligations they haven't fully mapped yet, and the compliance teams I speak to are still treating AI governance as something separate from their existing security frameworks. It isn't.

The second is AI recruitment and what it's actually doing to the talent market. There's a meaningful difference between hiring someone who uses AI tools and hiring someone who understands AI risk — how models fail, where the attack surface sits, how to govern AI responsibly at an organisational level. Most hiring processes aren't equipped to make that distinction.

If any of these themes resonate — let's talk.

No pitch. No slide deck. A straightforward conversation about where your organisation is and what to prioritise.

jonathan@garzoncybersolutions.com

Sources: DSIT Cyber Security Breaches Survey 2025 · ISC2 Cybersecurity Workforce Study 2024 · ICO Enforcement Register
Further reading: Why Having the Right Cyber Security & Technology Talent Is No Longer Optional — January 2026

#Cybersecurity #UKCyber #CISO #CyberRisk #NIS2 #CybersecurityTalent #SecurityFramework
NIS2 Compliance Series

The CTO's Infrastructure Debt: When Technical Decisions Become Regulatory Exposure

Jonathan Garzon
Founder & CEO, Garzon Cyber Solutions
May 2026 · 7 min read
Header image: The CTO's Infrastructure Debt, When Technical Decisions Become Regulatory Exposure. NIS2 Compliance Series Part 3.

Part 3 of the NIS2 Compliance Series by Garzon Cyber Solutions. Part 1 looked at the board. Part 2 was the CISO. This one is for the person whose architecture the regulator is about to scrutinise.

Part 1 dealt with governance exposure at the board level. Part 2 covered the CISO's operational burden. But when an auditor walks in and starts pulling at threads, the threads lead to infrastructure. And infrastructure is the CTO's domain.

"CTO" does not appear anywhere in the NIS2 directive. It does not need to. Every technical requirement, from monitoring through to cryptography, traces back to architecture choices somebody made, or chose not to make, years ago. The budget got allocated elsewhere. The migration slipped another quarter. The workaround became permanent. These are familiar stories in every technology function across Europe.

What has changed is that a regulator now prices that backlog in euros.

The Monitoring Question Nobody Wants to Answer

There is one question that separates CTOs who are ready from those who are not. If a breach happens at 2 am on a Saturday, does your tooling detect it before your customers do?

We asked a CTO at a listed German industrial group earlier this year. Roughly 3,000 employees, a hybrid estate, two on-premise data centres alongside a growing Azure footprint. He could not give a confident yes. His cloud workloads were well instrumented. His legacy estate was not. The SIEM rollout had stalled eighteen months prior. Alert fatigue had driven his security team to ignore most of what the tooling did produce.

That pattern repeats everywhere. IBM's 2024 Cost of a Data Breach Report found that the average time to identify a breach globally remains 194 days. Organisations with mature security monitoring cut that figure nearly in half. The directive expects continuous monitoring, centralised tamper-proof logging, and automated detection. Fifteen years of CTO budget requests have asked for exactly the same things. The difference is that the CFO can no longer say no. The regulator has removed the optionality.

The Shared Responsibility Blind Spot

One misconception persists in boardrooms regardless of sector or geography: "We moved to the cloud, so we are covered."

Cloud providers are responsible for their platform. Configuration, identity management, access policy, data classification, encryption standards: all of that remains with the customer. Gartner projects that through 2027, 99% of cloud security failures will be the customer's fault. NIS2 is explicit. MFA across the board. No standing wildcard permissions. Credentials removed from code repositories and compute layers. Segmentation that would actually contain an attacker, not just satisfy a diagram.

In one assessment this year, we found an IAM configuration error that had been live since January. A security group left open from a developer test eight months earlier. An unencrypted storage bucket from a decommissioned proof-of-concept that nobody recalled existed. The Cloud Security Alliance's 2024 State of Cloud Security report identifies misconfiguration as the leading cause of cloud breaches for the fourth consecutive year. None of these were unusual findings. What has changed is the regulatory weight. Each now constitutes a citeable compliance failure, and the citation lands against the customer organisation, not the cloud vendor.

Access Control: The Consistent Worst Performer

Every CTO assessment we conduct surfaces the same weakness. Access governance is, without exception, the most neglected area in enterprise infrastructure.

Verizon's 2024 Data Breach Investigations Report attributed 31% of all breaches over the past decade to stolen credentials. The Ponemon Institute's 2024 Cost of Insider Threats study puts the average annual cost of credential misuse at $4.1 million per organisation. These are not obscure findings. They are the most cited statistics in the industry, and still, the controls remain absent.

A typical finding: service accounts carrying domain administrator privileges that have not been reviewed since 2021. The person who provisioned them left the company two years ago. Role-based access control is documented thoroughly in SharePoint, but technically enforced nowhere. Joiner provisioning is functioning correctly. Mover-and-leaver processes were abandoned, and the last update to the tracking spreadsheet was over a year ago.

Article 21 expects documented policies, technical enforcement, exception logging, and evidence of regular review. That is four layers of rigour applied to the single area where most organisations have the least. When the regulator asks, and they do ask in exactly that sequence, most cannot answer past the second question. CTOs have been aware of this for years. The budget conversation changes when the consequence is €10 million in fines and personal liability for directors.
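The cloud findings above (standing wildcard permissions, stale access keys, credentials nobody rotates) and the access-governance findings in this section (privileged service accounts whose owner has left, reviews that stopped in 2021, RBAC documented but never enforced) are all things a short automated check can surface before an auditor does. The script below is an added illustration, not Garzon Cyber Solutions code or any regulator's checklist: it audits a constructed, invented account inventory against the figures quoted in this series (90-day key rotation, plus an assumed annual review cadence) and returns a finding list per account that could feed the "evidence of regular review" a regulator asks for. Field names, account names and thresholds are assumptions for the example.

```python
"""Access-governance audit over a constructed account inventory.

Added example, not Garzon Cyber Solutions code. The inventory format,
account names and the annual review cadence are assumptions; the 90-day
key-rotation cycle is the figure quoted in the article's infographic.
"""
from datetime import date

KEY_MAX_AGE_DAYS = 90        # cloud IAM access-key rotation cycle quoted in the text
REVIEW_MAX_AGE_DAYS = 365    # assumed bar for "evidence of regular review"
PRIVILEGED_ROLES = {"domain_admin", "global_admin", "owner"}
REFERENCE_DATE = date(2026, 5, 1)   # assumed audit date

# Constructed sample inventory. Every value here is invented for the example.
INVENTORY = [
    {"name": "svc-backup", "type": "service", "roles": ["domain_admin"],
     "owner": "a.smith", "owner_active": False,
     "last_review": "2021-06-30", "key_created": "2021-06-30", "mfa": False,
     "policy": [{"action": "*", "resource": "*"}]},
    {"name": "j.doe", "type": "human", "roles": ["developer"],
     "owner": "j.doe", "owner_active": True,
     "last_review": "2026-03-01", "key_created": "2026-04-01", "mfa": True,
     "policy": [{"action": "s3:GetObject", "resource": "arn:aws:s3:::app-logs/*"}]},
    {"name": "svc-ci", "type": "service", "roles": ["deployer"],
     "owner": "platform-team", "owner_active": True,
     "last_review": "2026-01-15", "key_created": "2025-11-01", "mfa": False,
     "policy": [{"action": "ecr:*", "resource": "*"}]},
]


def _age_days(iso_date, today):
    """Days elapsed between an ISO-8601 date string and the audit date."""
    return (today - date.fromisoformat(iso_date)).days


def audit_account(acct, today=REFERENCE_DATE):
    """Return a list of (finding_code, detail) tuples for one account."""
    findings = []
    privileged = bool(PRIVILEGED_ROLES & set(acct["roles"]))

    # Standing wildcard permissions: '*', 'service:*' actions, or '*' resources.
    for stmt in acct["policy"]:
        act, res = stmt["action"], stmt["resource"]
        if act == "*" or act.endswith(":*") or res == "*":
            findings.append(("WILDCARD_PERMISSION", f"{act} on {res}"))

    # Static credentials older than the rotation cycle.
    key_age = _age_days(acct["key_created"], today)
    if key_age > KEY_MAX_AGE_DAYS:
        findings.append(("KEY_ROTATION_OVERDUE", f"key age {key_age} days"))

    # Leaver process: the owner has left but the account still exists.
    if not acct["owner_active"]:
        findings.append(("ORPHANED_ACCOUNT", f"owner {acct['owner']} no longer active"))

    # Evidence of regular review for privileged accounts.
    review_age = _age_days(acct["last_review"], today)
    if privileged and review_age > REVIEW_MAX_AGE_DAYS:
        findings.append(("REVIEW_OVERDUE", f"last reviewed {review_age} days ago"))

    # MFA for human identities (service accounts get short-lived credentials instead).
    if acct["type"] == "human" and not acct["mfa"]:
        findings.append(("MFA_MISSING", "human identity without MFA"))

    return findings


def audit(inventory, today=REFERENCE_DATE):
    """Map each account name to its findings; empty list means clean."""
    return {acct["name"]: audit_account(acct, today) for acct in inventory}


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for code, detail in findings:
            print(f"  - {code}: {detail}")
```

Run as-is it reports four findings against the orphaned domain-admin service account, two against the CI account (a `service:*` wildcard and an overdue key) and nothing against the developer. In practice the inventory would be pulled from the directory and the cloud IAM API rather than typed in, and the output kept with its run date, because a dated finding list is the review evidence the text says most organisations cannot produce.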

  • 194: days average time to identify a breach (IBM, 2024)
  • 99%: of cloud security failures will be customer fault (Gartner)
  • 31%: of breaches linked to stolen credentials (Verizon DBIR)
  • €10M: maximum fine for essential entities under NIS2

Infographic: The CTO's Infrastructure Debt. Technical debt is now regulatory debt; five numbers every CTO needs to know before the auditor arrives (NIS2 Compliance Series Part 3):
  • €10 million: maximum fine for essential entities
  • 24-hour continuous monitoring and centralised log storage required
  • 90 days: maximum access-key rotation cycle for cloud IAM
  • 22 of 27 EU member states now enforcing NIS2 nationally
  • €500,000: personal fine for individual managers in Germany

What Changed: The Regulator Priced the Backlog

Technical debt has always existed. Deferred patching cycles, identity sprawl across acquisitions, and network documentation that stopped being current years ago. Engineering teams have pitched remediation annually, framed it as risk reduction, and presented heat maps. And annually, it lost to whatever carried a revenue figure.

Essential entities now face fines of up to €10 million or 2% of global annual turnover. Important entities face €7 million or 1.4%. Individual managers can be held personally liable for governance negligence. ENISA's 2025 NIS Investments Report found that 42% of in-scope organisations had not increased their cybersecurity budgets since the directive was adopted in 2022. That figure alone tells you how many are about to receive a difficult audit finding.

The remediation roadmap already exists in most technology functions. It has sat in a slide deck or a deprioritised Jira backlog, waiting for the authority to proceed. NIS2 is that authority. "We would like to modernise" competes with every other budget line. "The regulator requires this, and the board carries personal exposure" does not compete. It closes the discussion.

What Regulators Are Asking Right Now

A compliance officer we spoke with in the Netherlands described her regulatory engagement as "polite but unforgiving." The auditors arrived with a structured checklist. They asked about monitoring coverage. They tested log centralisation and tamper resistance. They walked through access control from policy to technical enforcement to audit trail. They checked the asset register against the risk framework. They stress-tested incident response against the 24-hour and 72-hour notification windows.

Germany and France are conducting comparable exercises. The Commission's Implementing Regulation (EU) 2024/2690 sets out the specific technical and methodological requirements that competent authorities are now auditing against. The standard is documentation, not intention. If you cannot produce the paperwork, the finding is non-compliance.

Closing the Gap

Garzon Cyber Solutions works alongside CTOs and technology leaders to close the distance between current infrastructure and regulatory expectations.

Cybersecurity Advisory. Architecture review, monitoring strategy, and incident readiness. We establish what is in place, measure it against NIS2, and build a remediation programme that the board will fund.

Compliance and Regulatory Readiness. Translating regulatory obligations into infrastructure specifications that engineers can build to. NIS2, DORA, the EU AI Act, ISO 27001, SOC 2.

Security and Technology Talent. Security architects, cloud engineers, DevSecOps leads, and IAM specialists. We place the people the programme needs. We understand the brief because we advise the organisations doing the work.

Technical debt was always a risk. NIS2 made it a regulated one. The CTOs who move now will pass the audit. The rest will spend time explaining to the board why the regulator found what the engineering team had been raising for years.

Talk to us about your NIS2 readiness

No pitch. No slide deck. A straightforward conversation about where your infrastructure stands and what to prioritise.

jonathan@garzoncybersolutions.com

Sources: NIS2 Directive (EU) 2022/2555, Article 21. Commission Implementing Regulation (EU) 2024/2690. IBM, Cost of a Data Breach Report, 2024. Verizon, Data Breach Investigations Report, 2024. Ponemon Institute, Cost of Insider Threats Global Report, 2024. Cloud Security Alliance, State of Cloud Security Report, 2024. Gartner, Cloud Security Forecast, 2024. ENISA, NIS2 Technical Implementation Guidance, 2025. ENISA, NIS Investments Report, 2025.

#NIS2 #CTO #Cybersecurity #CloudSecurity #Compliance
AI Governance

The AI Accountability Shift: Why Closing the Oversight Gap Is Now a Board Mandate

Jonathan Garzon
Founder & CEO, Garzon Cyber Solutions
April 2026 · 7 min read

Why closing the oversight gap is now a board mandate, not an IT project

A week ago, I made a direct argument: most organisations have an AI oversight gap. Adoption is outpacing governance, and the exposure is compounding quietly on the balance sheet.

The response from CISOs, CIOs, and board directors was consistent. The gap is real. The harder question is who closes it, and how fast.

The answer is already moving. AI risk is shifting out of the IT function and onto the board agenda, and the organisations that recognise this first will convert governance from a cost centre into a competitive advantage.

The board has become the backstop

Three forces have quietly shifted the accountability line.

Regulation is now enforceable. The EU AI Act's prohibited-practice provisions took effect in February 2025, with obligations for general-purpose AI models live from August 2025 and high-risk system requirements arriving in August 2026. According to the European Commission, fines reach up to 7% of global annual turnover, exceeding GDPR in severity.

Fiduciary duty has caught up. Deloitte's 2025 survey of corporate directors found that 79% of boards now treat AI governance as a standing agenda item, up from 41% twelve months earlier. The driver is legal exposure. When AI causes harm, regulators and shareholders look first at the board, not at IT.

Insurers are repricing the risk. Marsh and Aon have both signalled that cyber policies are being re-underwritten to carve out or limit AI-related claims where governance is absent. The message to leadership is simple. Self-insure your AI exposure, or evidence your controls.

The board is no longer the audience for AI governance. It is the accountable party.

Three shifts defining the next 12 months

1. From policy to proof. Every organisation has an AI policy. Few can produce the artefacts that prove it is operating. Regulators, auditors, and clients are moving past policy documents and asking for model inventories, risk classifications, human-in-the-loop evidence, and incident logs. According to Gartner, by 2027, 60% of enterprises will fail to realise the value of their AI investments because governance controls cannot be evidenced to customers and regulators.

2. From IT to board. AI risk cuts across cyber, legal, compliance, HR, and commercial. No single function owns it end to end. Leading organisations are appointing a named executive accountable for AI risk, reporting into the CEO or board risk committee, with a direct line to the CISO and General Counsel. PwC's 2025 AI Jobs Barometer identifies this role as one of the fastest-growing executive appointments globally.

3. From compliance to advantage. The organisations treating AI governance as enablement, not overhead, are winning enterprise deals. IBM's 2024 Cost of a Data Breach report found that organisations with mature AI and automation in their security programmes reduced breach costs by $2.22 million on average. McKinsey's latest State of AI survey shows that firms generating material EBIT impact from AI are three times more likely to have formal governance embedded at deployment, not bolted on after.

Governance is becoming a sales enabler. It is showing up in RFPs, vendor questionnaires, and cyber insurance renewals.

What leading organisations are doing differently

Five moves separate the leaders from the laggards.

One, a live AI inventory. Every model, tool, and third-party API in use, classified by risk tier, refreshed monthly.

Two, board-level ownership. A named executive sponsor, quarterly reporting, and a defined escalation path when controls fail.

Three, integrated controls. AI governance built into existing NIS2, DORA, and ISO 27001 programmes, not managed as a parallel workstream.

Four, assurance over attestation. Independent testing, red-teaming, and third-party review, because self-certification will not survive regulatory scrutiny or enterprise procurement.

Five, talent with the right mandate. AI governance leads, model risk specialists, and compliance engineers, recruited as strategic hires rather than filled reactively.

The common thread is treating AI as an enterprise capability with the same rigour applied to finance or operations, not as an experimental sandbox.

The commercial case

The argument for accelerating now is not regulatory fear. It is margin protection and market access.

Organisations that move first will price AI risk into their contracts, win enterprise deals that demand governance evidence, and avoid the insurance repricing their competitors are about to face. In our work with CISOs and boards, we consistently see that closing the gap retrospectively runs two to three times the cost of embedding governance from day one.

The AI oversight gap was the diagnosis. The accountability shift is the prescription. The boards that act in the next two quarters will set the governance standard their industries have to follow.

The ones that do not will find the standard set for them, at a price they did not budget for.

What's your board doing about AI accountability right now?

If the answer is "we have a policy," you are already behind.

At Garzon Cyber Solutions, we build the operating capability that sits beneath the policy. We partner with CISOs, CIOs, and boards to operationalise AI governance as an evidence-led, audit-ready programme, integrated with cybersecurity, compliance, and the specialist talent to sustain it.

One capability. One line of accountability. One board narrative.

European Commission, EU AI Act Implementation Timeline, 2025. Deloitte, 2025 Corporate Board Survey on AI Governance. Gartner, Predicts 2025: AI Governance and Enterprise Risk. PwC, 2025 AI Jobs Barometer. IBM, Cost of a Data Breach Report 2024. McKinsey & Company, The State of AI 2025. Marsh and Aon, 2025 Cyber Insurance Market Outlook.

· Next Briefing ·
AI Governance

The AI Assurance Gap: Why Policy Without Proof Is the Biggest Risk on Your Balance Sheet

Jonathan Garzon
Founder & CEO, Garzon Cyber Solutions
April 2026 · 6 min read

Two weeks ago, we identified the oversight gap. Last week, we made the case that accountability has shifted from IT to the boardroom. The logical question now is: can your organisation prove it?

The answer, for most, is no.

Grant Thornton's 2026 AI Impact Survey found that 78% of executives lack confidence their organisation could pass an independent AI governance audit within 90 days. That is not a policy problem. It is an assurance problem. Organisations have the documentation. What they cannot produce is the evidence.

The Proof Gap Is Now the Primary Exposure

Three dynamics are converging to make assurance the defining governance challenge of the next 12 months.

1. Regulators have moved from guidance to enforcement.

The EU AI Act's high-risk system requirements take full effect on 2 August 2026. Fines reach up to 35 million EUR or 7% of global annual turnover, whichever is higher. Conformity assessment alone takes 6 to 12 months. Organisations starting now are already behind the curve. The window between voluntary preparation and mandatory enforcement has closed.

2. Audit is replacing attestation.

Self-certification is losing credibility with regulators, insurers, and enterprise buyers. Deloitte's 2026 State of AI report found that only 21% of organisations have a mature governance model for AI, despite nearly three-quarters planning to deploy agentic AI within two years. The gap between ambition and auditability is the single largest risk most boards are not tracking.

3. Governance maturity now correlates directly with financial performance.

Grant Thornton's data shows that organisations with fully integrated AI are nearly four times more likely to report revenue growth than those still piloting (58% versus 15%). They are also ten times more likely to pass an independent governance audit. Governance is no longer a cost of compliance. It is a predictor of commercial performance.

What Assurance Ready Organisations Look Like

The leaders share five observable traits.

One, a live evidence registry. Not a policy binder, but a continuously maintained record of model inventories, risk classifications, decision logs, and human-in-the-loop evidence. Updated monthly, audit-accessible in hours.

Two, independent testing. Red-teaming, bias audits, and third-party validation built into the deployment cycle. Self-assessment will not survive regulatory scrutiny or enterprise procurement diligence.

Three, board-level reporting with quantified metrics. Governance dashboards that track control effectiveness, incident response times, and risk exposure in commercial terms the board can act on.

Four, integrated frameworks. AI governance embedded within existing NIS2, DORA, and ISO 27001 programmes. Parallel governance structures create duplication, cost, and blind spots.

Five, the right talent in the right seats. AI governance leads, model risk specialists, and compliance engineers recruited as strategic hires. 59% of cyber leaders report critical skills shortages, and governance roles are the hardest to fill because they sit at the intersection of technical, legal, and commercial disciplines.

The Commercial Case for Moving Now

The argument is not regulatory fear. It is market access and margin protection.

Organisations that can evidence their AI governance are winning enterprise contracts that now require proof in RFPs and vendor questionnaires. They are securing favourable cyber insurance terms while competitors face exclusions and repricing. And they are deploying AI faster because governance is built into the pipeline, not bolted on as a gate at the end.

In our work with CISOs and boards, the pattern is consistent. The cost of building assurance from scratch after deployment runs two to three times what it costs to embed it from day one. And the reputational cost of failing an audit in a regulated sector is not a line item you can budget for.

The Series Conclusion

Part 1 was the diagnosis: most organisations have an AI oversight gap. Part 2 was the prescription: accountability must sit at board level, not in IT. Part 3 is the standard: policy without proof is not governance. It is exposure.

The EU AI Act enforcement date is 108 days away. The question is no longer whether your board has an AI policy. It is whether your organisation can prove that policy is operating, under scrutiny, in 90 days or less.

If the answer is not yet, the time to act was last quarter. The next best time is today.

At Garzon Cyber Solutions, we build the assurance capability that sits beneath the policy. From AI governance frameworks and audit readiness programmes to the specialist talent that sustains them, we partner with CISOs, CIOs, and boards to make AI governance evidence-led, audit-ready, and commercially advantageous.

One framework. One evidence base. One board narrative.

Grant Thornton, 2026 AI Impact Survey. Deloitte, The State of AI in the Enterprise, 2026. European Commission, EU AI Act Implementation Timeline and Article 99 Penalties. ISC2, 2025 Cybersecurity Workforce Study.

· Next Briefing ·
Cyber Talent Crisis

The Talent Gap Is Not a Hiring Problem. It Is a Strategy Problem.

Jonathan Garzon
Founder & CEO, Garzon Cyber Solutions
April 2026 · 6 min read

According to the ISC2 2025 Cybersecurity Workforce Study, 4.8 million cybersecurity roles remain unfilled globally, a figure that has climbed steadily for five consecutive years. Most organisations continue to treat this as a recruitment challenge. It is a strategy problem. The organisations that have recognised the distinction are building teams while their competitors remain constrained by vacancies they cannot close.

The Numbers Behind the Crisis

The scale of the gap should concern every board in every sector.

In the United States alone, over 470,000 cybersecurity roles remain open. In the United Kingdom, the median cybersecurity salary has reached approximately 46,000 GBP, yet ISC2 reports that 59% of cybersecurity leaders continue to cite critical or significant skills shortages.

For the first time in the study's three-year history, skills gaps have overtaken headcount shortages as the industry's primary workforce challenge. Organisations are not simply missing people. They are missing the right capabilities.

The financial impact is equally clear. IBM's 2025 Cost of a Data Breach report found that organisations with significant security staffing shortages face breach costs that are, on average, 1.76 million USD higher than their adequately staffed counterparts.

Why Traditional Recruitment Is Failing

Three structural failures are compounding the problem.

1. Job specifications are written for candidates who do not exist.

Most cybersecurity job descriptions read as aspirational wish lists rather than hiring strategies. Organisations routinely require five or more years of experience in technologies that have existed for three. They demand certifications that show limited correlation with on-the-job performance. They benchmark compensation against enterprise salary bands they cannot match. The result is predictable: roles remain open for six to nine months while the threat landscape evolves in weeks.

2. Demand for AI skills is outpacing supply.

ISC2's workforce data identifies artificial intelligence and machine learning as the number one skill requirement in cybersecurity, cited by 41% of security teams. New AI-specific security roles, including AI Threat Hunter, AI Security Architect, and AI Governance Specialist, are growing at over 25% annually. The talent pipeline has not kept pace. Organisations are competing for a candidate pool that barely exists, using recruitment methodologies designed for a market that no longer operates in the same way.

3. Budget constraints have overtaken talent availability as the primary barrier.

For the first time, economic pressures and budget reductions have surpassed a lack of qualified candidates as the principal driver of staffing shortages. Organisations recognise the need for specialist talent but cannot secure the budget to acquire it. The cost of inaction, measured in breach exposure, regulatory risk, and operational drag, compounds on the balance sheet quarter by quarter.

What Leading Organisations Are Doing Differently

The organisations that are successfully filling their cybersecurity teams share four observable traits.

First, they hire for capability rather than credentials. Leading firms have shifted from certification-first hiring to competency-based assessment. They evaluate what candidates can demonstrably do, not which accreditations they hold. This approach widens the pipeline and accelerates time to hire.

Second, they treat recruitment as a strategic function rather than an administrative one. Cybersecurity hiring requires deep market knowledge, technical fluency, and the ability to assess candidates against evolving threat landscapes and regulatory requirements. The organisations achieving results are engaging specialist recruiters who understand the distinction between a compliance engineer and a penetration tester.

Third, they build talent as well as buying it. Forward-thinking organisations invest in upskilling programmes, internal mobility pathways, and apprenticeship pipelines alongside external recruitment. They are developing the capabilities they require rather than depending solely on a constrained external market to produce them.

Fourth, they are deploying AI to recruit, not merely recruiting for AI. Research from Talent MSH shows that artificial intelligence usage across human resources functions has climbed to 43% in 2026, up from 26% in 2024. AI-powered sourcing, screening, and candidate matching are compressing time to shortlist while improving quality of hire. The technology driving skills demand is also the most effective tool for addressing it.

The Commercial Reality

Data from the Bureau of Labor Statistics projects 33% employment growth for information security analysts from 2024 to 2034, approximately six times the average across all occupations. The AI-in-cybersecurity market is valued at 30.9 billion USD in 2025 and, according to industry estimates, is growing at 22 to 24% annually, roughly double the growth rate of the broader cybersecurity market.

This is not a temporary hiring squeeze. It is a structural shift in how the global economy values security talent. Organisations that build a coherent talent strategy now, one that integrates specialist recruitment, AI-augmented hiring processes, and deliberate capability development, will establish a compounding advantage over those that continue to post vacancies and wait for the market to deliver.

The question for every CISO and board member is direct. Is your organisation treating cybersecurity talent as a hiring problem to be managed, or as a strategic capability to be built? The gap between those two approaches is already visible on the balance sheet.

At Garzon Cyber Solutions, we place the specialist cybersecurity, AI, and compliance talent that organisations cannot afford to get wrong. From CISO-level appointments to AI governance specialists, we combine deep market knowledge with technical fluency to close the roles that generalist recruiters cannot fill.

The right hire is not a filled seat. It is a closed risk.

ISC2, 2025 Cybersecurity Workforce Study. IBM, Cost of a Data Breach Report 2025. US Bureau of Labor Statistics, Occupational Outlook Handbook 2024. Talent MSH, AI Recruitment Trends & Statistics 2026.

· Next Briefing ·
Cyber Talent Crisis

AI Is Not Replacing Recruiters. It Is Replacing Bad Recruitment.

Jonathan Garzon
Founder & CEO, Garzon Cyber Solutions
April 2026 · 6 min read

The cybersecurity talent gap is not closing. According to the ISC2 2025 Cybersecurity Workforce Study, 4.8 million roles remain unfilled globally and the average time to fill a specialist security position now exceeds six months. Traditional recruitment methodologies, built for a market with surplus candidates and stable skill requirements, are structurally incapable of operating at the speed the threat landscape demands.

Artificial intelligence is changing that equation. Not by removing human judgement from the hiring process, but by eliminating the inefficiencies that have made cybersecurity recruitment unacceptably slow, expensive, and imprecise.

The Scale of the Shift

The adoption curve has been decisive. Research from SHRM's 2026 State of AI in HR report found that 87% of organisations now deploy AI at some stage of the recruitment process, including 99% of Fortune 500 firms. Talent MSH data shows AI usage across human resources functions has climbed to 43% in 2026, up from 26% just two years earlier.

This is no longer an early adopter trend. It is the operational baseline.

The commercial case is equally clear. Organisations implementing AI-driven recruitment tools report time-to-hire reductions of 30 to 50%, cost-per-hire reductions of up to 30%, and an average return on investment of 340% within eighteen months of deployment. In a market where every unfilled cybersecurity role carries measurable breach exposure, those efficiency gains translate directly to reduced organisational risk.

Three Ways AI Is Transforming Cybersecurity Hiring

The impact is concentrated in three areas where traditional recruitment has consistently underperformed.

1. Sourcing: from keyword matching to capability discovery.

Conventional sourcing relies on Boolean queries and keyword filters that systematically exclude qualified candidates. A penetration tester who describes their work as "offensive security assessment" will not appear in a search built around "pen testing." The result is an artificially narrow candidate pool that reinforces the perception of a talent shortage.

AI-powered semantic search changes the dynamic fundamentally. Industry data from Second Talent indicates that semantic sourcing tools find 60% more relevant candidate profiles than traditional Boolean queries while reducing false-positive rates by 62%. Candidate pools expand by an average of 340%, and sourcing time drops by 67%.

The talent is not missing. The search methodology has been wrong.

2. Screening: from credential filtering to competency assessment.

Most cybersecurity screening processes default to certification checklists and years-of-experience thresholds. These filters are blunt instruments in a field where a CISSP holder may lack practical incident response capability and a self-taught analyst may outperform a five-year veteran in cloud security architecture.

AI-driven screening tools evaluate candidates against competency frameworks rather than credential lists. They assess demonstrated capability through technical assessments, project portfolios, and contextual analysis of career progression. According to recruitment industry research, organisations using AI-assisted screening report a 50% improvement in quality-of-hire metrics and are 9% more likely to make a successful placement.

3. Matching: from intuition to predictive precision.

The final stage of traditional recruitment, matching a candidate to a role, remains heavily dependent on recruiter intuition. In cybersecurity, where telling a compliance analyst apart from a threat intelligence specialist requires deep domain knowledge, intuition-based matching produces high failure rates and costly mis-hires.

Predictive analytics are compressing this gap. Data from Taleva's 2026 AI Recruiting Report shows that predictive matching algorithms improve candidate-to-role alignment by 67%, while simultaneously increasing diversity hiring effectiveness by 48%. The technology does not replace the hiring manager's judgement. It ensures the shortlist reaching that hiring manager is materially stronger.

The Human-AI Balance

The most common objection to AI in recruitment is that it removes the human element. The evidence suggests the opposite. SHRM's research found that 93% of hiring managers consider human involvement essential to the recruitment process, a figure that has not declined as AI adoption has accelerated.

The organisations achieving the strongest results are not automating hiring decisions. They are automating the administrative burden that prevents recruiters from making better ones. Resume screening that previously consumed ten days compresses to two. Interview scheduling that required five days of coordination reduces to one. The recruiter's time is redirected from process management to candidate assessment and stakeholder engagement.

AI does not replace the recruiter. It replaces the sixty percent of recruitment activity that should never have required a recruiter in the first place.

The Commercial Reality

The financial case for AI-augmented cybersecurity recruitment is no longer theoretical. Organisations that have integrated AI across sourcing, screening, and matching report measurably faster hiring cycles, lower cost per hire, and improved retention rates. In a market where IBM estimates that understaffed security teams face breach costs 1.76 million USD higher than their adequately resourced counterparts, the cost of maintaining a manual recruitment process is compounding on the balance sheet.

The cybersecurity talent gap will not be closed by posting more job advertisements or increasing recruiter headcount. It will be closed by organisations that deploy AI to identify, assess, and secure the specialist talent their competitors are still searching for manually.

The question is no longer whether to adopt AI in cybersecurity recruitment. It is whether your organisation can afford the cost of not doing so.

At Garzon Cyber Solutions, we combine specialist cybersecurity recruitment expertise with AI-augmented sourcing and assessment to place the talent that generalist recruiters cannot reach. From CISO-level appointments to AI governance specialists, we close the roles that define an organisation's security posture.

The right hire is not a filled seat. It is a closed risk.

ISC2, 2025 Cybersecurity Workforce Study. SHRM, State of AI in HR 2026 Report. Talent MSH, AI Recruitment Trends & Statistics 2026. Second Talent, AI in Recruitment Statistics 2026. Taleva, AI Recruiting Report 2026. IBM, Cost of a Data Breach Report 2025.

· Next Briefing ·
Cyber Talent Crisis

The Talent You Need Is Not Coming. Build It, Buy It, or Borrow It.

Jonathan Garzon
Founder & CEO, Garzon Cyber Solutions
April 2026 · 7 min read

In Part 1 of this series, we examined the structural forces behind the cybersecurity talent crisis: 4.8 million unfilled roles, skills gaps overtaking headcount shortages, and a financial penalty that now costs understaffed organisations 1.76 million USD more per breach. In Part 2, we explored how artificial intelligence is transforming the way organisations source, screen, and secure specialist talent.

This instalment addresses the question every CISO and board member is now asking. If the talent pipeline cannot produce enough qualified professionals to meet demand, what do we do about it?

The answer is not a single strategy. It is three, deployed simultaneously.

1. Build: Upskill the Workforce You Already Have

The most underutilised talent pool in cybersecurity is the one already on the payroll.

ISC2's 2025 Workforce Study found that 85% of employers now prefer upskilling existing staff over external hiring. The logic is sound. Internal candidates already understand the organisation's risk profile, architecture, and culture. The cost of developing them is a fraction of the cost of recruiting externally in a market where median UK cybersecurity salaries have reached 55,000 GBP and specialist roles command significantly more.

Yet only 28% of organisations currently allocate dedicated working hours for professional development. The gap between stated intent and operational commitment is where most upskilling strategies collapse.

The organisations achieving results are treating capability development as infrastructure, not discretionary spend. IBM's 2025 data shows that structured investment in retention and training reduced security costs by an average of 259,000 USD per organisation. A Fortune 500 case study demonstrated that targeted upskilling in cloud and AI defence reduced time to fill cyber roles by 40% and increased team retention by 30% within twelve months.

The return is measurable. The barrier is not budget. It is prioritisation.

2. Buy: Rethink How You Hire

The traditional cybersecurity hiring model is broken at the specification stage. Roles requiring five years of experience in technologies that have existed for three. Certification mandates that show limited correlation with on-the-job performance. Compensation benchmarks that mid-market organisations cannot match against enterprise salary bands.

The result: roles stay open for six to nine months. Threat landscapes evolve in weeks.

Organisations that have adopted skills-based hiring, evaluating what candidates can demonstrably do rather than which accreditations they hold, are twice as likely to identify better-fit candidates with improved retention and reduced time to hire. The UK government has recognised this structural misalignment. ISACA has partnered with BIT Training to embed CISM and CRISC certifications directly into the Level 4 UK apprenticeship curriculum. The UK Civil Service now operates both Level 4 and Level 6 cybersecurity apprenticeship pathways.

Yet only approximately 600 new apprenticeship starts enter the UK cyber pipeline annually against a backdrop of 2,698 core cybersecurity job postings per month. The infrastructure exists. The scale does not.

The implication is clear. Organisations that depend solely on the external market to deliver qualified talent will continue to operate below capacity. Those that combine specialist recruitment with deliberate talent development will close roles faster and retain them longer.

3. Borrow: Managed Services as a Strategic Capability

For many organisations, the most pragmatic response to the talent crisis is not to fill every role internally. It is to augment internal capability with managed security services.

52% of UK businesses already use a third party for security operations. A further 28% intend to outsource over the next two years. The primary driver is not cost reduction: 60% cite missing internal skills, and 48% cite an inability to recruit qualified candidates.

The managed security services market reflects the scale of this shift, growing 22% in 2023 to reach 68 billion USD globally, with projected growth of 6.9% annually through 2029.

The UK has the widest workforce gap in Western Europe. Demand grew 27.1% while the workforce contracted 4.9% due to economic pressure and layoffs. For organisations operating in this environment, managed services are not a compromise. They are the mechanism by which security operations continue while the internal capability is being built.

The Regulatory Accelerant

The organisations waiting for the talent crisis to resolve itself face a second compounding pressure. Regulation is not waiting either.

The European Union faces a deficit of 299,000 skilled cybersecurity professionals. ENISA's 2025 analysis concluded that NIS2 compliance is structurally impossible to achieve through human capital alone, and organisations are pivoting to technology and managed services to close the gap. ENISA's European Cybersecurity Skills Framework now formally maps NIS2 role obligations to defined skill profiles, creating a compliance-driven workforce planning tool across EU member states.

In the United Kingdom, the Cyber Security and Resilience Bill introduced to Parliament in November 2025 will bring approximately 2,500 managed service providers, data centres, and SOCs into regulatory scope by mid-2026. NCSC's Cyber Accelerator and CAF assessments are rolling out in parallel, adding further compliance-driven pressure on in-house security teams.

The regulatory environment is creating mandated demand for qualified security professionals at precisely the moment the market cannot produce them. Organisations that have not already begun building their talent pipeline, through internal development, specialist recruitment, and managed service partnerships, will find themselves caught between enforcement timelines and capability gaps.

The Commercial Reality

The data across all three strategies tells a consistent story.

Organisations with high security skills shortages face average breach costs of 5.74 million USD. Those with low or no shortage face 3.98 million USD. The difference, 1.76 million USD, represents the direct financial cost of unresolved talent gaps. ISC2 reports that 88% of cybersecurity professionals have already witnessed real-world consequences from skills shortfalls within their organisations.

Employment growth for information security analysts is projected at 33% through 2034. The talent market will remain structurally undersupplied for the foreseeable future. Waiting is not a strategy. It is an accumulating liability.

The organisations that will navigate this environment successfully are those executing all three levers simultaneously. Building internal capability through structured upskilling. Buying specialist talent through skills-based recruitment with deep market expertise. Borrowing capability through managed security partnerships that maintain operational continuity while the internal team matures.

At Garzon Cyber Solutions, we operate across all three. We place specialist cybersecurity, AI, and compliance talent. We advise organisations on workforce strategy and capability development. And we provide the market intelligence that connects regulatory requirements to the resourcing decisions boards need to make.

The talent crisis is structural. The response must be strategic.

ISC2, 2025 Cybersecurity Workforce Study. IBM, Cost of a Data Breach Report 2025. DSIT, Cyber Security Skills in the UK Labour Market 2025. ENISA, 2025 NIS Investments Report. ISACA and BIT Training, UK Apprenticeship Programme 2024. MarketsandMarkets, Managed Security Services Market Analysis 2025.

· Next Briefing ·
Leadership & Cyber Governance

The Board's Blind Spot: Why Cyber Risk Is a Governance Failure, Not a Technology Problem

Jonathan Garzon
Founder & CEO, Garzon Cyber Solutions
April 2026 · 8 min read

I have sat through enough board meetings to know how cybersecurity typically gets discussed. It surfaces once a quarter, usually sandwiched between the audit update and lunch. The CTO or CIO gives a briefing. There are a few acronyms. Someone asks whether we are "covered." The room nods. Everyone moves on.

Then a breach happens. And the first question from the chair is always the same: "Why didn't we know?"

The honest answer, more often than not, is that the board never asked the right questions in the first place.

This is the first instalment of our Leadership and Cyber Governance series. It looks at why the boardroom, not the security operations centre, is where most organisations' cyber resilience actually breaks down.

Board Oversight Is Shrinking. The Threat Landscape Is Not.

DSIT's 2025 Cyber Security Breaches Survey paints a striking picture. Only 27% of UK businesses now have a board member with explicit responsibility for cybersecurity. In 2021, that figure was 38%. Board ownership of cyber risk is falling at exactly the moment when breach costs, regulatory penalties, and threat sophistication are all accelerating.

Among larger organisations, the picture looks better on paper. But even there, "involvement" mostly amounts to passive oversight with no real accountability attached. Having a name next to the word "cyber" on an org chart does not mean you have a director who knows what a ransomware recovery looks like in practice, or what NIS2 actually requires of them as an individual.

The Conversation Happening Too Rarely, in the Wrong Language

Secureworks published research last year showing that only 69% of board members feel aligned with their CISO on risk posture. That means nearly a third of boards hold a fundamentally different understanding of their own exposure than the person charged with managing it.

Part of the problem is frequency. The World Economic Forum found that just 60% of CISOs discuss their organisation's security posture with the board three to four times a year. The rest do so less often. If the board hears about cyber risk less frequently than it reviews the P&L, something structural has gone wrong.

But the bigger issue is language. I have watched CISOs present to boards using terminology that means everything to them and nothing to the room. Most security leaders are technically excellent. Very few have ever been coached to talk about threat exposure the way a finance director talks about margin erosion, or to pitch a security investment as if it were a capital allocation decision competing for the same pot. That gap in translation is where governance falls apart. The board switches off because the briefing does not feel relevant to their commercial responsibilities. The CISO stops pushing because no one at the table seems to want the detail.

Everyone walks away thinking the other side has it handled. Nobody does.

Where the CISO Reports Tells You Everything

Heidrick and Struggles' 2025 global survey captured a real structural shift. In 2024, 48% of CISOs reported to a CIO or CTO. By 2025, that had dropped to 30%, with 42% now reporting directly to the CEO. A threefold increase in a single year.

Three in five CISOs now present to the full board. Four in five present to at least a sub-committee.

This matters more than most boards appreciate. Where the CISO sits in the hierarchy is not an HR question. It determines how fast a material threat reaches the people who can act on it. When a CISO reports through two or three layers before reaching the board, every escalation gets filtered, softened, or quietly deprioritised by someone who may not grasp what is at stake. I have seen it play out repeatedly. The organisations with the slowest incident response, the thinnest security budgets, and the widest disconnect between stated risk appetite and operational reality almost always share one structural flaw: the security leader is too far removed from the people making the decisions.

The Numbers the Board Cannot Afford to Ignore

IBM's 2024 Cost of a Data Breach report put the global average at $4.88 million per breach, a 10% rise on the previous year and the largest year-on-year jump since the pandemic. The 2025 edition reports a lower global average of $4.44 million, with the US figure at $10.22 million. In the UK, DSIT estimates that a significant breach costs an organisation roughly £195,000 on average, and across the economy, the aggregate runs to approximately £14.7 billion a year.

What rarely makes it into the board pack is the market reaction. Research published this year in Information Systems Frontiers found that listed companies shed an average of $309 million in market capitalisation on the day a breach goes public. The share price does not drop because the firewall failed. It drops because investors read the disclosure and conclude the board was not paying attention.

On the other side of that equation, Gartner predicts that organisations which prioritise security investment through a Continuous Threat Exposure Management programme will see a two-thirds reduction in breaches by 2026. Those programmes require board level sponsorship to work. The commercial return from getting governance right is considerable. But it will not happen while cyber sits as a standing agenda item that everyone politely endures.

The Regulatory Ground Has Moved Beneath the Board's Feet

If the commercial case were not sufficient, the regulatory environment has removed any remaining ambiguity.

NIS2's transposition deadline passed across the European Union in October 2024. It introduces personal liability for every member of the management body of essential and important entities. Fines reach €10 million or 2% of global turnover for essential entities (€7 million or 1.4% for important entities). Sanctions include public naming, suspension, and disqualification of individual directors. These responsibilities cannot be delegated to a committee or an external adviser. The liability sits with the management body, individually.

DORA took effect in January 2025 across twenty categories of EU financial entity. It requires boards to approve ICT risk management frameworks, receive regular updates on incidents, complete cyber training, and accept personal accountability for operational resilience.

In the UK, DSIT and the NCSC published the Cyber Governance Code of Practice in April 2025. Voluntary for now, it covers five pillars: risk management, strategy, people, incident planning, and assurance. But DSIT has been explicit that if voluntary adoption proves insufficient, mandatory mechanisms will follow. The Cyber Security and Resilience Bill is already widening the scope of regulated entities.

The FCA now treats cyber resilience as equivalent to financial risk for regulated firms. Boards must be able to demonstrate active, evidenced oversight.

The direction is the same everywhere you look. Personal accountability at board level is no longer aspirational. It is becoming the regulatory floor.

What the Boards Getting This Right Actually Do

Having worked with organisations at different stages of governance maturity, the pattern among the strongest boards is surprisingly similar.

They bring the CISO into direct contact with the CEO or the board itself, removing layers that dilute urgency. They receive substantive cyber briefings at least quarterly, with clear escalation protocols for anything material in between. They either appoint a director with cybersecurity expertise or invest in structured training so the existing board can engage meaningfully with the risk.

PwC's research shows that 51% of Fortune 100 boards now assign cyber oversight to a dedicated audit or technology committee. Gartner expects 70% of boards to include at least one cybersecurity expert member by 2026. The majority are not there yet.

The returns are tangible. 57% of organisations with mature cyber investment cite customer trust as a primary commercial outcome. 49% cite brand integrity. McKinsey's analysis of industrial boards frames this directly: the differentiating factor is not oversight quality alone, but the willingness to make strategic investment decisions from the top.

The Choice in Front of Every Board

The boards treating cyber governance with real rigour are spending less on breaches, standing on firmer ground with regulators, and holding up better when markets get nervous. Those that are not will find themselves exposed to personal liability under NIS2 and DORA, escalating financial penalties, and the kind of reputational fallout that no amount of crisis communications can repair once a breach goes public.

Whether the board should own cyber risk is no longer up for discussion. Regulation has closed that question. What remains open is whether your board is governing it with the competence, the investment, and the seriousness the current environment demands.

At Garzon Cyber Solutions, we work with boards and senior leadership teams to close the gap between cyber exposure and governance capability. From CISO advisory and board level risk translation to compliance readiness across NIS2, DORA, and the UK Cyber Governance Code, we provide the strategic intelligence that moves cybersecurity from a technology line item to a board level priority.

Cyber risk is a governance problem. The board is where it gets solved.

DSIT and NCSC, Cyber Security Breaches Survey 2025. IBM, Cost of a Data Breach Report 2025. World Economic Forum, Global Cybersecurity Outlook 2025. Secureworks, Boardroom Cybersecurity Report 2024. Heidrick and Struggles, Global CISO Compensation Survey 2025. Gartner, Top Cybersecurity Predictions 2024. PwC, Annual Corporate Directors Survey 2024. DLA Piper, NIS2 Directors Personal Liability Analysis 2024.

· Next Briefing ·
Leadership & Cyber Governance

The CISO's Dilemma: Accountability Without Authority, Regulation Without Capacity

G
Jonathan Garzon
Founder & CEO, Garzon Cyber Solutions
April 2026 · 8 min read

In Part 1 of this series, we examined why the boardroom, not the security operations centre, is where most organisations' cyber resilience breaks down. Board ownership of cyber risk is declining. Budgets are tightening. And the person expected to absorb all of it is the CISO.

This instalment looks at the reality from the CISO's side of the table. Two pressures, in particular, are reshaping the role faster than most organisations have acknowledged.

The first: "I am accountable for risk I do not fully control."

The second: "Regulation is increasing faster than we can operationalise it."

Both are structural. Neither can be solved by hiring one more person or buying one more tool.

The Accountability Trap

I speak to CISOs regularly who describe the same dynamic. They own the security risk register. They present to the board. They sign off on incident response. But they do not control the infrastructure, the procurement decisions, the cloud migration roadmap, or the headcount allocation that determines whether any of their plans are executable.

The infrastructure sits under IT. The cloud strategy was driven by the CTO. The workforce training budget was decided by HR. The third party vendor was onboarded by procurement without a security review. And when something goes wrong, the first name on the incident report is the CISO's.

IANS Research captured this gap in their 2025 State of the CISO report. Only 11% of CISOs report being sufficiently staffed. 89% describe themselves as stretched thin or operating below minimum viable capacity. Just 47% received a budget increase this year, down from 62% in 2024 and 78% in 2022. Average security budget growth has dropped to 4%, a five year low. Security's share of IT spend fell from 11.9% to 10.9%.

The expectation on the CISO is growing. The resources are moving in the opposite direction. And the person in the middle absorbs the difference.

When It Goes Wrong, the CISO Pays Personally

The legal precedents of the past three years have made this imbalance significantly more dangerous.

In 2022, Uber's former Chief Security Officer, Joe Sullivan, was convicted of obstruction of justice and misprision of felony (failure to report a crime) after concealing a 2016 breach that exposed data on some 57 million riders and drivers, including around 600,000 driver's licence numbers. He did not cause the breach. He managed it the way the company's leadership expected him to. He was the one who faced criminal charges.

Then SolarWinds. The SEC pursued its CISO, Timothy Brown, for securities fraud related to how the company described its security posture to investors. While the court dismissed most of the claims in July 2024, the signal to the market was unmistakable: the CISO is now personally on the hook for how risk is communicated externally, not just how it is managed internally.

The Berkeley Technology Law Journal published a piece earlier this year titled "The Security Scapegoat." The framing captures what many CISOs already feel. Liability is increasing. Authority is not keeping pace. And 93% of organisations have already begun changing their internal liability policies in response.

Proofpoint's 2025 Voice of the CISO report found that 63% of cybersecurity leaders have experienced or witnessed burnout among their peers in the past year. Sophos put the figure at 76%. Just 34% of cybersecurity professionals plan to stay in their current role.

This is not a wellbeing issue. It is an enterprise risk. When a CISO leaves, the organisation loses six to nine months of continuity. IBM's Cost of a Data Breach data shows that organisations with high security staffing shortages face average breach costs of $5.74 million, versus $3.98 million for those without. The $1.76 million gap is the price of not addressing the structural pressures driving people out of the role.

The Regulatory Collision

The second pressure reshaping the CISO's world is the sheer volume and velocity of regulation arriving simultaneously.

Consider what has landed in the past 18 months alone.

NIS2's transposition deadline passed across the European Union in October 2024. It embeds personal liability for management body members, requires staged incident reporting (an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within a month of that notification), and expands the scope of regulated entities to include supply chain providers, managed services, and digital infrastructure operators. First administrative penalties were issued in Q1 2026. Most member states are still finalising transposition, meaning CISOs are trying to comply with a framework whose national interpretation is not yet settled.

DORA took full effect in January 2025 across twenty categories of EU financial entity. It requires boards to approve ICT risk management frameworks, mandates regular threat led penetration testing, and imposes direct oversight on critical third party technology providers. For financial services CISOs, this arrived on top of everything else, not instead of it.

The EU AI Act enters its main application phase in August 2026. Any organisation deploying high risk AI systems must demonstrate governance, risk assessment, and ongoing monitoring that, in many cases, falls squarely on the CISO's desk.

In the United Kingdom, the Cyber Security and Resilience Bill is expected to receive Royal Assent in late 2026. It brings approximately 2,500 managed service providers, data centres, and SOCs into regulatory scope. It places the NCSC's Cyber Assessment Framework on a statutory footing and tightens incident reporting to 24 hours for initial notification and 72 hours for a full report.

The UK Cyber Governance Code of Practice, published by DSIT in April 2025, adds five governance pillars that boards are expected to implement. Voluntary for now. But DSIT has been explicit: mandatory enforcement will follow if uptake is insufficient.

And the SEC's material incident disclosure rule, in effect since December 2023, requires a Form 8-K within four business days of the company determining that an incident is material. That clock starts at the materiality determination, not at discovery. CISOs in US listed organisations are therefore simultaneously managing European and American disclosure obligations that operate on different timelines and different definitions of materiality.

The issue is not that CISOs are unaware of these requirements. They are deeply aware. The issue is capacity. ENISA's 2025 analysis concluded that NIS2 compliance is structurally impossible to achieve through human capital alone. The European Union faces a deficit of 299,000 skilled cybersecurity professionals. The UK has the widest workforce gap in Western Europe, with demand growing 27.1% while the workforce contracted 4.9%.

CISOs are being asked to operationalise four or five major regulatory frameworks simultaneously, with teams that were already too small before any of them arrived.

The Structural Mismatch

These two pressures compound each other.

The CISO who is accountable for risk without controlling the systems, the budgets, or the people is the same person being asked to stand up compliance programmes across NIS2, DORA, the AI Act, and the UK Cyber Governance Code. They are doing this with flat or shrinking resources, in an environment where personal liability for failure is now embedded in law, and where the average tenure in the role is 39 months.

Gartner's research shows that 88% of boards now recognise cybersecurity as a business risk. That is progress. But recognition without investment is performative. The same boards acknowledging cyber as a strategic risk are approving budgets that make it harder to manage.

Heidrick and Struggles' 2025 data shows that 42% of CISOs now report directly to the CEO, up from roughly 14% the year before. Three in five present to the full board. Reporting lines are improving. Compensation is increasing, with average total packages reaching $700,000 at large enterprises and $1.1 million at organisations above $20 billion in revenue.

But neither a better reporting line nor a higher salary resolves the fundamental problem. The role has expanded beyond what one person, or even one internal team, can sustainably deliver.

What This Means for the Board

The CISO's dilemma is not the CISO's problem alone. It is the board's problem.

If the person accountable for your security posture, your regulatory compliance, and your incident response does not have the authority, the budget, or the team to deliver on those responsibilities, the board has not delegated risk. It has concentrated risk in a single point of failure.

In Part 3, we will examine the third pressure facing today's CISOs, the tension between business speed and security friction, and lay out what organisations can do to resolve all three.

At Garzon Cyber Solutions, we work with boards and CISOs to close the gap between accountability and authority. From CISO advisory and board level risk translation to compliance readiness across NIS2, DORA, the EU AI Act, and the UK Cyber Governance Code, we provide the strategic intelligence that turns cybersecurity leadership from an operational burden into a strategic advantage.

The CISO cannot carry this alone. The board has to meet them halfway.

IANS Research and Artico Search, State of the CISO 2025. Heidrick and Struggles, 2025 Global CISO Compensation Survey. Proofpoint, 2025 Voice of the CISO Report. IBM, Cost of a Data Breach Report 2025. ENISA, 2025 NIS Investments Report. European Commission, NIS2 Directive (EU 2022/2555). European Commission, EU AI Act (EU 2024/1689). SEC, Final Rule on Cybersecurity Incident Disclosure, December 2023.

· Next Briefing ·
Leadership & Cyber Governance

The Speed Paradox: When Velocity Becomes Vulnerability

G
Jonathan Garzon
Founder & CEO, Garzon Cyber Solutions
April 2026 · 7 min read

In Part 1 of this series, we examined why the boardroom is where most organisations' cyber resilience breaks down. In Part 2, we looked at the CISO's dilemma: accountability without authority, and regulation arriving faster than any team can operationalise it.

This instalment addresses the third structural pressure reshaping enterprise security. The tension between business velocity and security capacity.

Every board wants speed. Faster product cycles. Faster cloud migration. Faster AI adoption. The competitive logic is sound. But when the organisation accelerates and the security function does not, what emerges is not efficiency. It is exposure.

The Velocity Imperative

The pressure to move fast is not imaginary. It is existential.

Sixty per cent of organisations now release software at least daily. Cloud migration timelines that once spanned years have compressed into quarters. The race to deploy generative AI has moved from exploratory to operational in under eighteen months. And in nearly every case, the team responsible for securing these deployments was not consulted at the pace the business demanded.

I speak regularly with CISOs who describe the same pattern. A cloud migration was approved at board level and executed before the security architecture review was complete. An AI tool was deployed across three business units before anyone assessed the data governance implications. A third party vendor was onboarded through procurement with no security due diligence because the commercial team needed the integration live by quarter end.

The business did not intend to create risk. It intended to move quickly. The risk was a byproduct of structural misalignment between the speed at which decisions are made and the speed at which security can evaluate them.

Security as the Department That Says No

The consequence of this misalignment is cultural as much as operational.

When security cannot keep pace with the business, it becomes the function that slows everything down. Eighty one per cent of professionals report that application security testing often slows development and delivery. Nearly half of organisations still rely on predominantly manual processes to integrate new projects into their security testing queues. And over 71% of security alerts are noise, including false positives and duplicate results that consume analyst time without reducing actual risk.

The rational response from the business is predictable: go around security. Eighty per cent of employees now use applications that have not been sanctioned by IT. The average enterprise believes it runs 91 cloud services. The actual number is 1,220. Only 8% of organisations have full visibility into their shadow IT footprint.

This is not negligence. It is the market's natural response to friction. When the formal path through security takes longer than the business can afford, the business finds an informal path. And that informal path has no controls, no visibility, and no incident response plan attached to it.

The Cost of the Shortcut

The data on what happens when speed outpaces security is unambiguous.

Third party involvement in breaches doubled in the past year, rising from 15% to 30% of all confirmed incidents in the 2025 Verizon Data Breach Investigations Report. For the most part these are not sophisticated nation state operations. They are the consequence of vendor integrations that moved faster than security could evaluate them.

Shadow AI, the deployment of artificial intelligence tools without governance oversight, has already contributed to security incidents in 20% of organisations. Those incidents add an average of $670,000 to the cost of a breach. And 63% of organisations have no AI governance policies in place.

Meanwhile, the adversary is getting faster. CrowdStrike's 2026 Global Threat Report recorded an average breakout time of 29 minutes, the interval between initial compromise and lateral movement. Down from 48 minutes the year before. The fastest observed breakout was 27 seconds. In one case, data exfiltration began within four minutes of initial access.

The mismatch is stark. Organisations are deploying technology in weeks that attackers can exploit in minutes, while the security team is still waiting for the architecture review to be scheduled.

The Structural Problem

What connects the three pressures examined across this series is a single structural failure.

In Part 1, we showed that boards recognise cyber as a business risk but have not translated that recognition into governance and investment. In Part 2, we demonstrated that CISOs carry accountability without the authority, headcount, or budget to deliver on it. And in this instalment, we see the operational consequence: the business accelerates, security cannot keep pace, and the gap between them becomes the attack surface.

These are not three separate problems. They are three symptoms of the same organisational design failure.

The board sets the risk appetite but does not fund the capacity to manage it. The CISO absorbs the accountability gap. And the business, under pressure to deliver, routes around whatever controls exist because the alternative is missing the quarter.

IBM's 2025 data quantifies the resolution. Organisations that integrate security into their development lifecycle, the DevSecOps approach, reduce the average cost of a breach by $227,192. Those using AI and automation extensively save $1.9 million per incident compared to those without. The average breach lifecycle has dropped to 241 days, a nine year low, an improvement IBM attributes largely to AI-driven defences and automation, that is, to organisations that embedded security into their operating model rather than bolting it on after the fact.

The evidence is not theoretical. Organisations that treat security as a structural capability, embedded into how the business operates, move faster and lose less. Organisations that treat it as a checkpoint to be routed around move quickly until they do not.

What This Means for the Board

The speed paradox is resolvable. But it requires three things that most organisations have not yet put in place simultaneously.

The first is strategic security leadership. Not a CISO buried three levels below the board, but security intelligence that sits at the table where investment decisions are made. The person advising on risk needs to be in the room when the cloud migration is approved, not consulted after the contract is signed.

The second is regulatory architecture. NIS2, DORA, the EU AI Act, the UK Cyber Governance Code, and the SEC disclosure rule are not going away. They are compounding. The organisations that will manage this are not the ones hiring more compliance analysts. They are the ones building frameworks that allow a single governance structure to satisfy multiple regulatory obligations simultaneously.

The third is talent. ENISA has concluded that NIS2 compliance is structurally impossible through human capital alone. The European Union faces a deficit of 299,000 cybersecurity professionals. The UK has the widest workforce gap in Western Europe. No organisation can hire its way out of this at market rates and market timelines. The ones that will close the gap are those with access to specialised recruitment capability that understands what a modern security function actually needs.

These three capabilities, strategic advisory, regulatory readiness, and specialist talent acquisition, are precisely what Garzon Cyber Solutions was built to deliver. Not as three disconnected services, but as an integrated model designed to close the structural gap between how fast the business wants to move and how effectively it can manage the risk created by that movement.

In Part 4, we will examine the role that has quietly become the most consequential in enterprise security: the CTO. As the boundary between technology strategy and security governance dissolves, the CTO's mandate is evolving in ways most organisations have not yet recognised.

At Garzon Cyber Solutions, we work with boards, CISOs, and technology leaders to resolve the structural pressures that make organisations slower, more exposed, and less resilient than they need to be. From CISO advisory and board level risk translation to compliance readiness across NIS2, DORA, the EU AI Act, and the UK Cyber Governance Code, and from security leadership recruitment to workforce strategy, we provide the strategic intelligence that turns cybersecurity from an operational constraint into a competitive advantage.

Speed and security are not competing priorities. The organisations that understand this will outperform the ones that do not.

IANS Research and Artico Search, State of the CISO 2025. IBM, Cost of a Data Breach Report 2025. Verizon, 2025 Data Breach Investigations Report. CrowdStrike, 2026 Global Threat Report. ENISA, 2025 NIS Investments Report. DSIT, Cyber Security Skills in the UK Labour Market 2025.

· Next Briefing ·
Leadership & Cyber Governance

The CTO's Evolving Security Mandate: Why Technology Strategy and Security Governance Are No Longer Separate Conversations

G
Jonathan Garzon
Founder & CEO, Garzon Cyber Solutions
April 2026 · 9 min read

In Part 1 of this series, we examined why boards are failing to govern cyber risk. In Part 2, we explored the CISO's dilemma: accountability without authority, regulation without capacity. Part 3 showed how business velocity creates the attack surface when security cannot keep pace.

This final instalment turns to the role that sits at the intersection of all three pressures: the Chief Technology Officer.

The CTO has always owned the technology roadmap. What has changed is that the security implications of that roadmap are no longer someone else's problem. The boundary between building technology and securing it has dissolved. Most organisations have not updated their leadership model to reflect that reality.

The Convergence No One Planned For

For the past decade, most enterprises operated on a clear division. The CTO built. The CISO secured. Cloud migration, product development, and digital transformation sat on one side. Firewalls, compliance, and incident response sat on the other side. Adjacent lanes. Separate owners.

That model is breaking down, and the numbers tell the story clearly.

Depending on the survey population, between roughly a third and two-thirds of CISOs still report into IT, typically to the CIO or CTO. 78% now share joint accountability with other technical C-suite leaders for security operational risk. At large enterprises generating over $1B in revenue, 47% of CISOs hold executive-level titles, up from 33% in 2023.

The structural shift is unmistakable. Security is no longer a function that simply reports up through the technology department and is left to run in its own lane. It is becoming jointly owned within it. The CTO who treats cybersecurity as the CISO's department to manage is operating under an organisational model that the threat landscape, regulatory environment, and talent market have all moved beyond.

The AI Governance Gap Lands on the CTO's Desk

Nowhere is this convergence more visible than in artificial intelligence.

I speak with CTOs regularly who are deploying AI at pace. Generative models embedded into customer-facing products. Machine learning pipelines running across cloud infrastructure. AI agents automating internal workflows. The velocity is real. The governance, in most cases, is nowhere close to matching it.

Here is the number that should concern every technology leader: 63% of organisations have no AI governance policies in place. One in five have already experienced security incidents linked to ungoverned AI deployments, and those incidents add an average of $670,000 to the cost of a breach. The EU AI Act enters its main application phase in August 2026, bringing requirements for high-risk AI systems, including governance, risk assessment, and ongoing monitoring. Those obligations will fall directly onto the technology leadership function.

Think about the chain of decisions. The CTO approved the deployment. The CTO chose the models. The CTO signed off on the architecture. When the regulator asks who is responsible for AI governance, the answer in most organisations points back to the same desk.

This is not a hypothetical risk. There is a structural gap between how quickly technology leaders are deploying AI and how slowly governance frameworks are being built around it. The CTO who does not own AI governance will find that someone else, most likely a regulator, defines it for them.

The Security Debt in Every Technology Decision

Every technology decision the CTO makes carries a security surface. I have watched this pattern play out across dozens of organisations, and it follows a remarkably consistent trajectory.

The decision to migrate to a multi-cloud architecture creates complexity that most security teams are not staffed to monitor. Adopting a new SaaS platform introduces third-party risk that may never be assessed before the contract is signed. Building on open-source frameworks carries supply chain exposure, as the 2025 Verizon DBIR quantified with uncomfortable clarity: third-party involvement in breaches doubled in the past year, rising to 30% of all confirmed incidents.

The pattern repeats itself. The CTO drives a technology initiative with clear business value. The security team is consulted late, sometimes not at all. The initiative goes live. Six months later, the organisation discovers that the integration created an unmonitored attack surface, or that the vendor's security posture was never validated, or that the data flowing through the new system falls under regulatory obligations no one mapped at the outset.

The cost is not abstract. IBM's 2025 data puts the average breach at $4.44M globally. In the United States, that figure reached $10.22M. Organisations that integrate security into their development lifecycle through a DevSecOps approach reduce that cost by $227,192 per incident. Those using AI and automation extensively save $1.9M compared to those who do not.

The pattern is consistent across every dataset I have reviewed: the earlier security is embedded into the technology decision, the lower the cost and the faster the business moves. The CTO controls that timing.

The CTO as the Bridge

What has changed most fundamentally is not the CTO's technical responsibilities. It is the CTO's governance responsibility.

The CTO now sits at the intersection of four pressures that this series has examined across its full arc.

The board expects cyber risk to be governed, but has not built the interpretive capacity to distinguish genuine risk posture from assurance theatre. The CTO is often the most technically literate person in the room when the board asks whether the organisation is secure.

The CISO carries accountability without authority. In most organisations, the CTO controls the infrastructure, the architecture, and the vendor relationships that determine whether the CISO's plans are executable. A CTO who does not actively enable the CISO is passively undermining them.

The business demands velocity. The CTO owns the technology roadmap that drives that velocity. Security friction is not something that happens to the CTO's function. It is a direct consequence of how the CTO builds.

And the regulatory environment is compounding. NIS2 imposes personal liability on members of the management body. DORA requires boards to approve ICT risk management frameworks. The EU AI Act demands governance over high-risk AI systems. The UK Cyber Governance Code places five governance pillars on the board. The CTO is not the compliance officer. But the CTO's decisions determine whether compliance is achievable in practice.

The CTO who understands this becomes the bridge between the board's risk appetite and the organisation's operational reality. The CTO who does not become the source of the gap.

What the Strongest Organisations Are Doing Differently

The organisations managing these pressures most effectively share three characteristics. I see them consistently in the leadership teams that are pulling ahead, and their absence in those that are struggling.

First, they have invested in strategic security leadership that operates at the board level. Not a CISO buried in the IT hierarchy, but a security function with direct access to the decision makers. In these organisations, the CTO and CISO operate as a joint leadership partnership with shared ownership of a single risk register, joint architecture governance, and aligned reporting to the board. Security is not a gate the CTO must pass through. It is a capability the CTO builds with.

Second, they have built a regulatory architecture rather than a set of compliance checklists. NIS2, DORA, the EU AI Act, the UK Cyber Governance Code, and the SEC disclosure rule are not five separate workstreams. The organisations that will succeed are those building governance frameworks that simultaneously satisfy multiple obligations, driven by technology leadership that understands how these regulations interact with actual infrastructure and deployment decisions.

Third, they have solved the talent problem. ENISA has concluded that NIS2 compliance is structurally impossible through human capital alone. The European Union faces a deficit of 299,000 cybersecurity professionals. The UK has the widest workforce gap in Western Europe. The organisations closing this gap are not waiting for the market to produce candidates. They are working with specialist recruitment partners who understand what a modern, integrated technology and security function actually requires.

The Series in Full

Across four instalments, this series has examined the structural failure that underpins most organisations' cyber resilience.

Part 1 showed that boards recognise cyber as a business risk but have not translated that recognition into governance and investment. Part 2 demonstrated that CISOs are held accountable without the authority, headcount, or budget to deliver on it. Part 3 revealed how business velocity creates the attack surface when security cannot keep pace. This final instalment has shown that the CTO's mandate has expanded to encompass security governance, AI risk, and regulatory accountability in ways that most leadership models have not yet adapted to.

These are not four separate problems. They are four symptoms of one organisational design failure: the separation of technology strategy from security governance at every level of the enterprise.

How Garzon Cyber Solutions Closes the Gap

Garzon Cyber Solutions was built specifically to resolve the structural pressures this series has examined. Not as a vendor selling point solutions, but as an integrated advisory and delivery partner that works across three interconnected capabilities.

Cybersecurity Advisory. We work alongside boards, CISOs, and CTOs to build security leadership that operates at the strategic level. From CISO advisory and board-level risk translation to architecture governance and threat intelligence, we provide the capability that closes the gap between the board's risk appetite and the organisation's operational reality. For CTOs, this means security intelligence embedded in technology decisions from the design phase, not bolted on after deployment.

Compliance and Regulatory Readiness. We help organisations build governance frameworks that satisfy NIS2, DORA, the EU AI Act, the UK Cyber Governance Code, and the SEC disclosure rule through a single integrated structure. For technology leaders managing AI deployments, cloud migrations, and third-party ecosystems simultaneously, we provide the regulatory architecture that turns compliance from a bottleneck into a competitive advantage.

Security and Technology Talent. We source, assess, and place the cybersecurity and technology leadership that modern organisations cannot find through generalist recruitment channels. From CISOs and security architects to DevSecOps engineers and AI governance specialists, we understand what integrated technology and security functions actually need because we advise them.

These three capabilities are not separate service lines offered independently. They are designed to work together because the problems they solve are interconnected. The organisation that needs a stronger CISO also needs the compliance framework that the CISO will operate within and the team that the CISO will lead. The CTO building an AI strategy needs governance, regulatory mapping, and the talent to execute all three.

If any part of this series has resonated, the conversation starts with a single step. Reply to this article, connect with me on LinkedIn, or visit the Garzon Cyber Solutions website. We will respond within one business day.

The separation of technology strategy from security governance is the structural failure of this era. The organisations that close that gap will outperform the ones that do not. Every time.

IANS Research and Artico Search, State of the CISO 2025. Heidrick and Struggles, 2025 Global CISO Compensation Survey. IBM, Cost of a Data Breach Report 2025. Verizon, 2025 Data Breach Investigations Report. ENISA, 2025 NIS Investments Report. European Commission, NIS2 Directive (EU 2022/2555). European Commission, EU AI Act (EU 2024/1689).

NIS2 Compliance Series

NIS2 Enforcement Is Live. 84% of Organisations Are Not Ready.

Jonathan Garzon
Founder & CEO, Garzon Cyber Solutions
April 2026 · 7 min read

Part 1 of the NIS2 Compliance Series by Garzon Cyber Solutions. This series examines what NIS2 enforcement means for every level of the organisation: boards and executives (Part 1), CISOs (Part 2), CTOs (Part 3), and the frontline workforce (Part 4).

First penalties issued. Personal liability is now active at leadership level. And the vast majority of in-scope organisations still have not done the work.

The Readiness Illusion

NIS2 spent two years as a future problem. Something to prepare for eventually. A regulatory horizon that felt comfortably distant.

That comfort evaporated in Q1 2026. Twenty-two of 27 EU member states have transposed the directive into national law. Germany, France, and the Netherlands are actively auditing and issuing fines. The enforcement phase is operational, not theoretical.

CyberSmart surveyed 670 in-scope business leaders across eight European countries this April. The findings should alarm every boardroom on the continent: 84% admit their organisations are not ready. Only 16% consider themselves fully prepared. And 11%, remarkably, were unsure what NIS2 actually is, despite sitting squarely within its scope.

Not a minor gap. A structural exposure at the leadership level, playing out in real time.

The Penalty Architecture

NIS2 was designed with penalties large enough to command attention at the executive table.

Essential entities, those in energy, transport, health, and digital infrastructure, face a ceiling of €10 million or 2% of global annual revenue, whichever bites harder. Important entities, spanning manufacturing, food, waste, and postal services, face a ceiling of €7 million or 1.4%. These figures are not hypothetical. Administrative fines landed in Q1 2026, and regulators across the most active jurisdictions have shifted their posture from guidance to enforcement.

Personal Liability: The Provision Most Boards Have Missed

Ask a board member about NIS2 penalties, and they will usually reference the organisational fines. Ask about personal liability, and the room goes quiet.

Article 20 places direct accountability on management bodies for approving cybersecurity risk management measures and completing regular training. Read that again: approving, not delegating. The directive requires directors to understand the substance of their organisation's security posture. Signing a document prepared by the IT department does not satisfy it.

Germany has gone furthest. Individual managers there face fines of up to €500,000 for governance failures, entirely separate from any penalty on the company. Directors can be temporarily banned from holding management roles. Other member states are moving in the same direction.

If you sit on a board and have been treating NIS2 as a compliance workstream managed three levels below you, Article 20 is the reason that needs to change.

Why the Gap Persists

Indifference is not the problem. 75% of the leaders CyberSmart surveyed acknowledge that compliance confers a competitive advantage. They get it. The barriers sitting between acknowledgement and readiness are structural.

Budget came first among the obstacles cited. Then unclear implementation guidance. Then a shortage of internal expertise. All three are compounded by the talent crisis ENISA documented in its 2025 analysis: a deficit of 299,000 cybersecurity professionals across the EU, three-quarters of organisations struggling to attract qualified candidates, and 71% unable to retain the staff they manage to hire.

Regulatory scope has expanded. The workforce has not expanded with it. And unlike previous regulatory cycles, there is no transitional grace period to fall back on. The clock started months ago.

What Compliance Actually Demands

Treating NIS2 as a project with a deadline and a finish line is a mistake that will surface at the worst possible moment: during an audit, an incident, or a regulatory inquiry.

Compliance under NIS2 is continuous. It spans risk management, incident response, supply chain oversight, and board-level accountability. The areas where most organisations are weakest are well known. Monitoring and response processes are incomplete. Evidence bases, logs, structured reports, and documented risk assessments are thin or absent. Supply chain obligations are addressed through a one-off vendor questionnaire. Cloud and identity environments have not been hardened. Incident playbooks cannot meet the 24-hour early warning window.

Closing these gaps takes sustained investment in governance capability, backed by leadership with the authority to direct it and technical professionals with the skill to deliver it. A single procurement decision will not get you there.

The Board's Responsibility

There is a pattern I see repeatedly. The board says cybersecurity matters. A CISO or CTO gets the brief. Budget arrives, usually thin. Compliance becomes a workstream, reviewed quarterly at best, and assumed to be on track because nobody has raised a flag.

Then the regulator arrives and asks a different set of questions entirely. Not whether the organisation has a cybersecurity team. Whether the management body can demonstrate that it has approved specific risk management measures. Whether it understands the residual risk profile. Whether its members have completed the training NIS2 requires.

Personal liability exists to close exactly this gap. Delegation is not a defence under the directive. Informed engagement at the highest level is the standard.

The Commercial Dimension

Penalties and personal exposure are the stick. The commercial upside is worth understanding, too.

Regulated customers are already building NIS2 alignment into their procurement requirements, regardless of whether the supplier falls directly in scope. Insurance underwriters are recalibrating premiums based on governance maturity. Institutional investors are weighing regulatory readiness in their risk models. Procurement teams are writing compliance into contracts.

Organisations that reach genuine NIS2 compliance will carry a measurable edge in procurement cycles, insurance terms, and stakeholder confidence. Those who do not will find themselves gradually excluded from the commercial relationships where compliance has become a prerequisite.

Closing the Gap

Garzon Cyber Solutions works with boards, CISOs, and senior technology leaders to close the distance between where their security and compliance posture sits today and where NIS2 enforcement now requires it to be. That work spans three integrated capabilities.

Cybersecurity Advisory. Board-level risk translation, CISO advisory, security architecture governance, and incident readiness. We provide the strategic capability that enables leadership teams to govern cyber risk with the rigour regulators now expect.

Compliance and Regulatory Readiness. Operationalising NIS2 alongside DORA, the EU AI Act, ISO 27001, and SOC 2 through a single integrated governance structure. Not shelf ware. Working frameworks that hold up under audit.

Security and Technology Talent. Sourcing, assessing, and placing the cybersecurity and compliance professionals that the market cannot produce at scale. We understand what integrated security functions need because we advise them.

NIS2 enforcement is here. The organisations that close the readiness gap now will operate with confidence through the enforcement cycle ahead. The rest will make headlines.

CyberSmart, NIS2 Compliance Survey, April 2026. ENISA, NIS Investments Report, 2025. NIS2 Directive (EU) 2022/2555, Article 20. European Cyber Security Organisation (ECSO), NIS2 transposition tracker, March 2026.

NIS2 Compliance Series

The CISO's NIS2 Burden: Ten Obligations, One Team, No Room for Failure

Jonathan Garzon
Founder & CEO, Garzon Cyber Solutions
May 2026 · 7 min read

Part 2 of the NIS2 Compliance Series by Garzon Cyber Solutions. Part 1 examined the board's exposure. This instalment turns to the person expected to deliver: the CISO.

We covered the readiness gap in Part 1. 84% of in-scope organisations admit they are not prepared. Personal liability at the board level is already operational, and penalties landed in Q1 2026.

So what happens next? Boards turn to the Chief Information Security Officer. One question: where do we stand?

Most CISOs I speak with already know the answer. Obligations have expanded. Headcount and budget have not kept pace.

Article 21: The Ten Measures No One Can Ignore

Article 21 of the directive sets out 10 cybersecurity risk management measures that every essential entity must implement. All ten. Not a subset. Regulators in Germany, France, and the Netherlands are already auditing against them.

What falls under those ten? Everything from risk analysis and incident handling through to business continuity, supply chain security, and cryptography policies. Throw in acquisition controls, effectiveness assessments, cyber hygiene training, access management, and multi-factor authentication, and you start to see why no single project plan can cover it. You are looking at a permanent operating model, not something with a go-live date and a handover.

Documentation alone won't satisfy auditors. Each measure has to function in practice, with evidence you can produce when asked. CISOs who have been working towards ISO 27001 or SOC 2 will recognise plenty of overlap. Where NIS2 goes further is supply chain oversight, the speed required for incident reporting, and one provision that catches people off guard: board members themselves must sign off on risk management measures and undergo cybersecurity training. Personally. Not through a delegate.

The 24 Hour Clock

Article 23 introduces an incident-reporting obligation that most organisations have not stress-tested.

You get twenty-four hours. From the moment anyone in the organisation becomes aware of a significant incident, a clock starts running. Within that window, an early warning must be sent to your national CSIRT or competent authority. And the early warning cannot be vague. Regulators want an initial assessment: was this malicious? Could it cross borders?

Then comes the 72-hour follow-up with a more detailed notification. One month after the incident, a final report is due covering the root cause, what you did about it, and any cross-border consequences.

In practice? I have yet to meet a CISO whose current playbook would hold up under that kind of pressure. Escalation paths wind through too many people. At 2 am on a Saturday, nobody is entirely certain who can authorise external notification. The data you need to assess cross-border implications is stored in systems that most teams cannot query quickly enough. And the coordination required between technical, legal, and communications teams has almost never been rehearsed at anything close to Article 23 speed.

When the process falls apart during a real incident, the CISO is the one standing before the regulator, explaining why.

Supply Chain: The Obligation Most Are Avoiding

NIS2 explicitly requires organisations to manage cybersecurity risk across their supply chains. Not with a vendor questionnaire completed during onboarding and buried in a folder nobody revisits. The directive expects continuous, documented assessment of every supplier relationship. Contractual provisions that specifically address cybersecurity. Proof that you actually monitor how your suppliers handle their own security posture.

Most in-scope organisations are nowhere near that standard.

For CISOs in manufacturing, digital infrastructure, or healthcare, supplier dependencies run deep and wide. This single obligation could swallow an entire team's capacity. And the professionals who can actually deliver it, people who blend GRC knowledge with supply chain risk expertise and genuine regulatory fluency, are among the scarcest profiles in the European market right now.

The Capacity Equation

Every obligation above runs into the same wall.

ENISA's 2025 analysis put the EU cybersecurity workforce deficit at 299,000 professionals. 89% of CISOs report their teams are understaffed. Attracting qualified candidates is a struggle for three out of four organisations, and 71% struggle to retain the people they manage to bring on board.

NIS2 expanded the CISO's mandate considerably. The talent pool did not expand with it. And regulators will not accept "we know we have a gap, but we cannot find the people" as a reason for non-compliance.

Consider what Article 21 demands in purely human terms. Somebody has to run risk analysis. Somebody else has to execute incident response under live pressure at speed. Supply chain oversight requires GRC specialists with niche expertise. Cryptography and access control rely on engineers. Training programmes require someone to design and deliver them. Continuous monitoring means a team operating around the clock, every day.

Budget, authority, and a capable team. Get all three, and compliance becomes achievable. In most organisations I work with, at least one is missing. Usually two.

What Evidence Actually Looks Like

NIS moved the conversation from "do you have a cybersecurity programme" to "prove it works." NIS2 pushed that bar considerably higher.

What do regulators actually want to see? Structured risk assessments built on methodologies that they can follow and challenge. Incident response plans tested against realistic scenarios, not written up once and left on a shelf. Supply chain risk registers that reflect where suppliers stand today, not where they stood eighteen months ago. Training records showing genuine comprehension, not just a tick in the completion column. Monitoring logs that are centralised, tamper-resistant, and reviewed on a schedule you can demonstrate.

Awareness and compliance are very different things. A CISO who acknowledges the gaps is in a fundamentally different position from one who can show, with hard evidence, that those gaps are actively closing. NIS2 only recognises the latter.

Closing the Gap

Garzon Cyber Solutions works alongside CISOs and security leadership teams to build the operational capabilities required by NIS2 compliance.

Cybersecurity Advisory. From incident readiness and response architecture to board-level risk translation, we provide the strategic support that enables CISOs to operate at the governance level while maintaining operational grip. We help build the reporting structures, evidence frameworks, and escalation processes that stand up to regulatory scrutiny.

Compliance and Regulatory Readiness. We operationalise NIS2's Article 21 requirements alongside DORA, ISO 27001, and SOC 2 through integrated governance structures. Not shelf ware. Auditable, working frameworks that close the gap between obligation and evidence.

Security and Technology Talent. We source, assess, and place the GRC, incident response, and security engineering professionals that CISOs cannot find through generalist channels. We understand what integrated security functions need because we advise them.

Any CISO who waits for the next budget cycle to address the capacity gap will find themselves explaining that decision to a regulator who is not interested in hearing about hiring timelines.

NIS2 Directive (EU) 2022/2555, Articles 21 and 23. ENISA, NIS Investments Report, 2025. ENISA Threat Landscape, 2025. CyberSmart, NIS2 Compliance Survey, April 2026.

NIS2 Compliance Series

NIS2 and the Frontline: Why Compliance Now Depends on Every Employee in the Building

Jonathan Garzon
Founder & CEO, Garzon Cyber Solutions
May 2026 · 8 min read

Part 4 of the NIS2 Compliance Series by Garzon Cyber Solutions. Part 1 examined the board's exposure. Part 2 explored the CISO's operational burden. Part 3 addressed the CTO's infrastructure debt. This final instalment turns to the people who will determine whether any of it actually works: the frontline workforce.

The board has approved the strategy. The CISO has built the programme. The CTO has modernised the infrastructure. And then a junior employee clicks a phishing link at 9:14 on a Tuesday morning, and everything that was built to prevent this moment is tested in real time.

This is not a hypothetical scenario. It is the most common one.

ENISA's 2025 Threat Landscape report concluded that phishing accounts for 60% of all intrusion access points across European organisations. Not zero day exploits. Not sophisticated nation state attacks. Phishing. The simplest, cheapest, most repeatable attack vector in existence, and it works because the human layer remains the least governed, least trained, and least measured component of most organisations' security architecture.

NIS2 was written with this reality in mind.

The Training Obligation Is Not Optional

Article 20 of the NIS2 directive requires management bodies to undergo cybersecurity training and to offer similar training to employees on a regular basis. Article 21 reinforces this by listing basic cyber hygiene practices and cybersecurity training as one of the ten mandatory risk management measures.

The critical word is "regular." This is not an annual compliance module completed in December and forgotten by January. The regulation expects ongoing, evidence based training that demonstrably changes behaviour over time.

And the scope is broader than most organisations have implemented. NIS2's training obligation extends to every individual with access to an organisation's networks, systems, or sensitive information. That includes full time employees, contractors, temporary staff, and external suppliers with credentials. There are no exceptions based on role, contract type, or technical background.

For the mid level professional reading this, whether in finance, operations, HR, marketing, or any function that touches the organisation's digital environment, NIS2 means that cybersecurity awareness is now part of your professional obligations. Not because your employer decided it should be. Because European law requires it.

Phishing: The 60% Problem

The numbers deserve attention because they define the threat landscape that NIS2 is designed to address at the human level.

60% of intrusions begin with phishing. The techniques have evolved well beyond the poorly written emails of a decade ago. Modern phishing campaigns use AI generated content, brand impersonation, compromised supplier accounts, and multi stage social engineering that targets specific individuals based on their role, their access, and the information available about them online.

Business email compromise, where an attacker impersonates a senior executive or trusted supplier to request payments, credentials, or sensitive data, continues to generate significant financial losses across every sector. CEO fraud attempts are specifically highlighted as a training focus under NIS2 guidance documents.

The frontline employee is not a passive target. They are the first line of detection. An employee who recognises a phishing attempt and reports it through the correct channel has just triggered the organisation's incident response process at the earliest possible stage. An employee who clicks the link has just given the attacker access to everything their credentials can reach.

The difference between those two outcomes is training. Not theoretical training. Practical, repeated, measured training that builds the muscle memory to pause, assess, and report.

Shadow IT: The Risk Most Organisations Cannot See

80% of employees use applications their security team has never approved or assessed. That statistic, drawn from industry analysis of enterprise software usage, represents one of the most persistent compliance challenges under NIS2.

Shadow IT is not malicious. It is pragmatic. Employees adopt tools because they solve an immediate problem faster than the approved process allows. A project manager uses an unapproved file sharing service. A marketing team signs up for an AI content tool using a corporate email. A developer spins up a cloud instance outside the governed environment to test something quickly.

Each of these actions creates an unmonitored, ungoverned surface that sits outside the CISO's visibility, the CTO's architecture, and the compliance team's evidence base.

Under NIS2, the obligation to maintain visibility and control over the organisation's information systems means that shadow IT is not simply an inconvenience. It is a compliance gap. The organisation cannot evidence monitoring of systems it does not know exist. It cannot demonstrate access control over applications it has not assessed. And it cannot meet incident reporting timelines for breaches that originate in environments it is not watching.

For the individual employee, this means that the tools you adopt matter beyond your own productivity. Every unapproved application is a potential entry point, a potential data exposure, and a potential compliance failure that the organisation will need to account for under NIS2.

Incident Reporting: Your Role in the 24 Hour Clock

NIS2 requires organisations to submit an early warning to their national CSIRT within 24 hours of becoming aware of a significant incident. That 24 hour clock does not start when the CISO is informed. It starts when the organisation becomes aware.

In most cases, the first person to become aware of an incident is not the CISO. It is a frontline employee who notices something unusual. A system behaving unexpectedly. An email that does not look right. A login prompt that appears where it should not. Credentials requested through an unfamiliar channel.

The speed with which that employee escalates what they have observed directly determines whether the organisation can meet its reporting obligations. An employee who hesitates, who assumes it is probably nothing, who waits until Monday, who does not know the escalation path, is an employee who has just consumed hours of the 24 hour window before the security team is even aware there is a clock running.

This is why NIS2's training requirement is not about awareness in the abstract. It is about building the operational reflexes that enable the organisation to detect, escalate, and report at the speed the regulation demands. Every employee is part of the detection architecture. The question is whether they have been trained to function within it.

Access Hygiene: The Basics That Still Break

The most sophisticated security architecture in the world is undermined by a weak password reused across three systems and a personal device connected to the corporate network without multi factor authentication.

NIS2 Article 21 requires the use of multi factor authentication, continuous or adaptive authentication solutions, and secured voice, video, and text communication systems. These are technical controls, but their effectiveness depends entirely on whether the workforce complies with them.

Password reuse remains one of the most common vectors for credential stuffing attacks. Shared accounts erode the audit trail that NIS2's evidence requirements depend on. Personal devices without proper security configurations create entry points that bypass the organisation's controlled perimeter.

For the frontline employee, access hygiene is the single most impactful contribution you can make to your organisation's NIS2 compliance. Using unique, strong passwords. Enabling and not bypassing multi factor authentication. Reporting lost or compromised credentials immediately. Not sharing accounts or access tokens. Locking workstations when unattended. These are not complex technical tasks. They are habits, and under NIS2, they are legally required habits.

What This Means for Your Career

There is a dimension to NIS2 that extends beyond organisational compliance and into individual professional positioning.

The organisations that invest in training their workforce on cybersecurity are building a more resilient operation. But the individuals who take that training seriously, who build genuine competence in security awareness, incident recognition, and access hygiene, are building a professional skill set that the market increasingly values.

Cybersecurity literacy is becoming a baseline professional requirement in regulated industries. The employee who can demonstrate awareness of phishing techniques, understanding of access control principles, and knowledge of incident reporting procedures is more valuable to an employer operating under NIS2 than the employee who treats security training as a box to be ticked.

The talent market reflects this. Organisations are increasingly seeking professionals at every level who understand that cybersecurity is not exclusively the security team's responsibility. NIS2 has codified that expectation into law. The individuals who internalise it will find themselves better positioned as the regulatory environment continues to expand.

Closing the Gap

Garzon Cyber Solutions works with organisations to build the human layer of NIS2 compliance: the training programmes, the awareness architectures, and the talent pipelines that transform regulatory obligation into operational capability.

Cybersecurity Advisory. We help organisations design and implement security awareness programmes that meet NIS2's training requirements and produce measurable behavioural change. From phishing simulation frameworks to incident escalation training, we build the human detection capability that complements the technical controls.

Compliance and Regulatory Readiness. We operationalise the training, documentation, and evidence generation requirements of NIS2 alongside ISO 27001 and SOC 2. Compliance is not a module. It is a culture, and we help organisations build it.

Security and Technology Talent. We source and place cybersecurity professionals at every level, from GRC analysts and security awareness coordinators to the senior leadership that governs the programme. We understand the full stack of what an integrated security function needs because we advise them.

NIS2 enforcement does not stop at the boardroom. It reaches every desk, every device, and every employee with access to the network. The organisations that recognise this and invest in their frontline will be the ones that pass the audit, survive the incident, and build the culture that makes compliance sustainable. The ones that do not will discover that the strongest firewall in the world cannot compensate for the weakest link in the building.

NIS2 Directive (EU) 2022/2555, Articles 20, 21, and 23. ENISA Threat Landscape Report, 2025. ENISA, Mapping NIS2 Obligations with ECSF Role Profiles, 2025. Guardey, NIS2 Awareness Training Guide, 2026.