Awareness and training
Management and the board are today the attacker's favourite target: CEO fraud, a fake invoice, a call that clones the boss's voice. And, under NIS2, they are also responsible by law for the company's cybersecurity: they have to approve the measures, oversee them and get trained, and they answer in person if something fails. Cybersecurity training for management and the board is not the staff course. It is short, strategic and tailored to them, so they decide with judgement and comply with what the rules require of them.
Training for management, across Spain.
Why
Executives handle what the attacker wants and sign off on what carries the most weight. That is why senior management is the target, and why the law points to them personally.
CEO fraud, the fake invoice, the urgent order from a "boss". The highest value deception is aimed at the top.
A clumsy email is no longer needed: attackers clone the executive's voice or face to slip in an order that looks real.
Article 20 of NIS2 requires board members and directors to approve the measures, oversee them and get trained. The liability is personal: they answer if something fails.
If the top does not take it seriously, no one will. And NIS2 expects them to ensure their people get trained too, not just themselves.
What's included
Training for executives is not the staff e-learning: it is a session that speaks the language of senior management, the language of risk, decision and responsibility.
Short and to the point, in the language of the committee: the business risk, not the technical jargon.
What NIS2, DORA, the ENS or the GDPR require of you depending on your sector, what you answer for and how to cover it, not just article 20.
Not security in the abstract: where you are exposed, what is critical for the business and how prepared you are today.
A mock CEO fraud against the committee itself, to train the reaction where it hurts most.
What to do when faced with an urgent, credible order that asks you to skip the procedure: the reflex to verify.
Proof that the board has been trained, ready for the board minutes and for when the auditor asks.
The approach
A board member does not need to learn how to configure a firewall. They need to know the laws that apply to them and the level of risk of their organisation just enough to approve the measures sensibly, oversee that they work and answer for them. You cannot oversee what you do not understand.
What they need is the real level of risk of your company, the laws that affect you (not just NIS2, but also DORA, the ENS or the GDPR depending on the sector) and the reflex not to fall for the deception aimed at them.
With that, management goes from being the most expensive link to break to governing cyber risk the way it governs financial or legal risk.
The difference
Putting executives through the same e-learning as everyone else does not comply, does not engage and does not respect their time.
The usual approach: for the committee, the same e-learning as the whole staff. It neither speaks to them, nor covers what the rules require of them, nor respects a management agenda.
Ours: short, in their language, with their threats and their legal responsibility on the table. The one that really complies with article 20 and leaves evidence.
When
Your company is an essential or important entity, and the board has to approve measures, oversee them and get trained.
There has been an attempt to impersonate management, or a near miss, and you want the next one not to get through.
Security is delegated to IT and the top does not look at it. That no longer works, neither in fact nor in law.
ISO 27001 or the ENS require a visible commitment from management, and it has to be demonstrated.
Method
We look at your context, your risk and what the rules require of you depending on the sector.
We prepare the tailored session, with your real threats and your concrete responsibility.
An in-person, direct session, with a drill targeted at the committee itself so it sinks in.
We leave the evidence ready for the board minutes and for the audit.
Fits with
Training for executives does not go it alone: it sets the tone of training for the whole staff and is practised with drills aimed at the top, within the same awareness programme.
And it connects with security governance: it is the management's NIS2 training and fits with the master plan and the role of the CISO they need by their side to decide.
FAQ
Yes. Article 20 of NIS2 requires management bodies to approve cybersecurity measures, oversee them and receive specific training. It is not a recommendation: it carries personal liability and, in case of negligence, can even lead to disqualification. That is why this training must be documented.
Not long. They are short, to-the-point sessions, designed for the agenda of a committee or a board. The aim is not to turn management into technicians, but to give them the judgement to decide and comply, without taking up more of their time than needed.
CEO fraud is an email or message that impersonates a senior executive so that someone authorises a payment or an access. The deepfake goes further: it clones the executive's voice or face on a call or a video. The session trains exactly how to recognise and stop those scams aimed at the top.
For management we prefer it this way: an in-person session allows closeness, discretion and a frank dialogue about risks and responsibilities, with supporting material afterwards. It can also be combined with an online format when that suits.
Yes. Both ISO 27001 and the ENS require a visible commitment from management to security. Specific, documented board training is one of the best ways to demonstrate that commitment to an auditor.
No, it complements it from the top. Executives set the tone and take on their responsibility; the staff cover the day-to-day. If the top does not take it seriously, the rest of the company is unlikely to.
Would your board respond if something fails?
Tell us where your executives stand. We prepare a tailored session that covers their legal responsibility and the attacks aimed at them.
Get in touch