Cybervize – Cybersecurity Consulting

Cybersecurity in SMEs: Management over Tools

Alexander Busse·August 26, 2025

The Threat Landscape Is Intensifying Dramatically

The numbers tell a clear story: 82 percent of companies report an increase in cyberattacks in 2025. What was considered a marginal risk just a few years ago has become an existential threat for small and medium-sized enterprises (SMEs). Ransomware attacks continue to rise, and with the use of artificial intelligence, phishing campaigns are becoming increasingly sophisticated and harder to detect. The consequences are severe: operational disruptions, high costs, and not least, personal liability risks for executives and board members.

The reaction of many companies is understandable but not effective: they invest in more and more security tools. Firewalls are upgraded, endpoint protection solutions implemented, SIEM systems purchased. Yet despite these investments, a crucial element is neglected: the systematic governance of cybersecurity as a management responsibility.

The Core Problem: Tools Without Governance

Technology alone does not solve the problem. Too often, there is a lack of overarching structure to systematically identify, assess, and manage risks. Metrics are not collected, evidence for compliance requirements is not documented, and when an incident occurs, reporting channels are unclear and responsibilities are diffuse.

This gap becomes particularly critical as NIS2 (Directive (EU) 2022/2555 on network and information security) extends regulatory requirements to many SMEs. The directive obligates essential and important entities across a broad range of sectors, not only operators of critical infrastructure, to implement risk-management measures, and it requires management bodies to approve and oversee those measures, with the possibility of being held personally liable for infringements. Those who are not prepared risk supervisory orders and substantial fines as well as personal consequences for management, the exact form of which depends on national transposition.

What Leadership Teams Need Now

1. Establish Cybersecurity as a Management Responsibility

Cybersecurity is no longer purely an IT matter. It belongs on the executive agenda. Concretely, this means:

  • Define clear roles and responsibilities: Who is responsible for which area of cybersecurity?
  • Systematically identify and assess risks: Which assets are critical? Where are the greatest threats?
  • Implement and monitor controls: Which measures are effective? How is their effectiveness measured?
  • Document evidence: For audits, insurance, and authorities, evidence must be available at all times.
  • Conduct regular reviews: Cybersecurity is a continuous process, not a one-time project.

2. Translate NIS2 into Concrete Processes

The NIS2 directive may sound abstract, but its requirements are very concrete. Companies must:

  • Designate responsible persons: Who bears overall responsibility for cybersecurity?
  • Establish reporting channels: How are significant incidents reported to the competent authority, with an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month?
  • Secure the supply chain: What risks do suppliers and service providers introduce?
  • Prepare for audits: What documentation is needed? Are all processes comprehensibly documented?

Many companies underestimate the effort required for this transformation. It's not about buying another tool, but about fundamentally changing processes and embedding them in the organization.

3. Leverage Virtual CISO as a Flexible Solution

This is where the concept of the Virtual CISO (Chief Information Security Officer) comes into play. Instead of spending months searching for a full-time hire who is often difficult to find and expensive, a Virtual CISO offers:

  • Immediate availability: Start within days instead of months
  • Experience and methodology: Proven frameworks and best practices from numerous projects
  • Flexible capacity: Scalable according to need, without long-term personnel commitment
  • Clear governance: Focus on measurable results and roadmaps
  • No headcount: Budget-friendly and flexible in cost structure

A Virtual CISO brings not only expertise but also the necessary distance to critically question existing structures and enforce improvements.

4. Integrated Systems Instead of Excel Chaos

Many companies still manage their cybersecurity in countless Excel spreadsheets: risk registers here, asset lists there, controls in a third document. This fragmentation leads to:

  • Inconsistent data
  • Missing connections between risks and controls
  • High manual effort
  • Lack of transparency for management
  • Difficult audit preparation

The solution lies in integrated ISMS (Information Security Management System) platforms that map all aspects of cybersecurity in one system, so that every risk, control, and piece of evidence is linked rather than scattered:

  • Risk management: Identification, assessment, and treatment of risks
  • Asset management: Overview of all critical systems and data
  • Control management: Which measures are implemented and how effective are they?
  • Action planning: Prioritization and tracking of improvements
  • Incident management: Structured handling of security incidents
  • Evidence management: Central repository for all relevant documents
  • Reporting: Automated reports for management and supervisory authorities
  • Audit preparation: All information for ISO 27001, IT-Grundschutz, or NIS2 in one place
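To make concrete what "integrated" means in contrast to three disconnected spreadsheets, here is an added example (not code from the Cybervize platform and not part of the original article): a minimal register that keeps assets, risks, controls, and evidence in one place and checks the links between them, reporting exactly the gaps that a fragmented setup silently hides: a risk marked "mitigate" with no control, an implemented control with no evidence, evidence pointing at a control nobody recorded, and evidence past its validity date. The field names, the 1 to 5 scoring scale, the reporting date, and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed reporting date for this example (matches the article's publication date).
REPORT_DATE = date(2025, 8, 26)


@dataclass
class Asset:
    id: str
    name: str
    owner: str
    criticality: int  # 1 (low) .. 5 (critical); scale is an assumption of this example


@dataclass
class Risk:
    id: str
    asset_id: str
    description: str
    likelihood: int  # 1..5
    impact: int      # 1..5
    treatment: str   # "mitigate", "accept", "transfer" or "avoid"
    control_ids: list = field(default_factory=list)  # controls that treat this risk


@dataclass
class Control:
    id: str
    name: str
    status: str  # "implemented" or "planned"


@dataclass
class Evidence:
    id: str
    control_id: str
    description: str
    valid_until: date  # date after which the evidence must be renewed


class Register:
    """One store for assets, risks, controls and evidence, so links can be verified."""

    def __init__(self):
        self.assets, self.risks, self.controls, self.evidence = {}, {}, {}, {}

    def add(self, item):
        store = {Asset: self.assets, Risk: self.risks,
                 Control: self.controls, Evidence: self.evidence}[type(item)]
        if item.id in store:
            raise ValueError(f"duplicate id {item.id}")
        store[item.id] = item
        return item

    def risk_score(self, risk_id):
        r = self.risks[risk_id]
        return r.likelihood * r.impact

    def integrity_findings(self, today):
        """Return human-readable gaps between risks, controls and evidence."""
        findings = []
        evidence_by_control = {}
        for ev in self.evidence.values():
            evidence_by_control.setdefault(ev.control_id, []).append(ev)
            if ev.control_id not in self.controls:
                findings.append(f"{ev.id}: evidence for unknown control {ev.control_id}")
            elif ev.valid_until < today:
                findings.append(f"{ev.id}: evidence expired on {ev.valid_until.isoformat()}")
        for r in self.risks.values():
            if r.asset_id not in self.assets:
                findings.append(f"{r.id}: references unknown asset {r.asset_id}")
            if r.treatment == "mitigate" and not r.control_ids:
                findings.append(f"{r.id}: treatment is 'mitigate' but no control is linked")
            for cid in r.control_ids:
                c = self.controls.get(cid)
                if c is None:
                    findings.append(f"{r.id}: links unknown control {cid}")
                elif c.status != "implemented":
                    findings.append(f"{r.id}: linked control {cid} is only '{c.status}'")
        for c in self.controls.values():
            if c.status == "implemented" and c.id not in evidence_by_control:
                findings.append(f"{c.id}: implemented but has no evidence on file")
        return findings

    def management_summary(self, today):
        """Compact figures for a management report: count, top risk, open gaps."""
        scores = sorted(((self.risk_score(rid), rid) for rid in self.risks), reverse=True)
        return {"risks": len(self.risks),
                "top_risk": scores[0][1] if scores else None,
                "open_findings": len(self.integrity_findings(today))}


def build_sample_register():
    """Constructed sample data for a small manufacturer; not real company data."""
    reg = Register()
    reg.add(Asset("A-001", "ERP server", "Head of IT", 5))
    reg.add(Asset("A-002", "Customer file share", "Sales lead", 4))
    reg.add(Control("C-001", "Offline, regularly tested backups", "implemented"))
    reg.add(Control("C-002", "MFA on remote access", "implemented"))
    reg.add(Control("C-003", "Phishing awareness training", "planned"))
    reg.add(Risk("R-001", "A-001", "Ransomware encrypts ERP", 4, 5, "mitigate", ["C-001", "C-002"]))
    reg.add(Risk("R-002", "A-002", "Credential phishing of sales staff", 4, 3, "mitigate", ["C-003"]))
    reg.add(Risk("R-003", "A-002", "Unrestricted external sharing of customer data", 2, 3, "mitigate"))
    reg.add(Evidence("E-001", "C-001", "Restore test protocol Q2", date(2025, 12, 31)))
    # C-002 has no evidence at all, and E-002 points at a control id nobody recorded.
    reg.add(Evidence("E-002", "C-009", "Old VPN config export", date(2024, 6, 30)))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for line in reg.integrity_findings(REPORT_DATE):
        print(line)
    print(reg.management_summary(REPORT_DATE))
```

Run stand-alone, the sample register reports four gaps (an orphaned evidence record, a risk whose only control is still "planned", a risk with no control at all, and an implemented control without evidence) and R-001 as the top risk. In a real ISMS platform these checks run continuously and at write time, which is the practical difference to spreadsheets, where the same gaps only surface during audit preparation.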

Platforms like Cybervize enable companies to run an ISMS that covers NIS2, ISO 27001, and IT-Grundschutz as one continuous process rather than as parallel projects.

Practice Over Theory: The Difference Lies in Implementation

Companies rightfully expect a convincing, methodical, and comprehensive approach. Theoretical concepts are abundant. What matters is practical implementation based on decades of experience.

With over 25 years of experience in cybersecurity, including many years at Big Four consulting firms and now as founder of a specialized ISMS platform, the focus is on what actually works: pragmatic solutions that integrate into daily business operations without overwhelming the organization.

The Critical Question: Speed or Delay?

Ask yourself this question: What brings faster impact and better protection?

Option A: Six months of recruiting for a full-time CISO, followed by several months of onboarding during which the new person must first familiarize themselves with your structures.

Option B: A Virtual CISO who starts next week with a clear roadmap, immediately establishes operational capability, and relies on proven methods and tools.

In a time when the threat landscape worsens daily, speed is a decisive factor. Every month without adequate governance increases the risk of a successful attack.

Conclusion: Management Beats Tools

The message is clear: More security tools alone do not solve the problem. What SMEs need now is systematic governance of cybersecurity as a management responsibility. This means:

  • Clear governance structures
  • Risk-oriented approach
  • Demonstrable compliance
  • Integrated systems instead of siloed solutions
  • Experienced leadership, whether internal or virtual

The combination of Virtual CISO and modern ISMS platforms offers a pragmatic, quickly implementable, and cost-effective solution to meet increasing requirements.

Next Step: Check Your Status

Do you want to know where your company currently stands? What gaps exist and which measures are priorities? Take advantage of a free consultation to assess your status and develop an initial roadmap.

In a time of rising threats and tightening regulation, it is no longer a question of whether you act, but how quickly and how systematically. The tools and expertise are ready. Now it's up to you to take the first step.