
5 foundations of cybersecurity in a large organisation
When people imagine cybersecurity in a large organisation, they picture firewalls or teams monitoring threats around the clock. The reality is less dramatic but far more complex. At scale, cybersecurity isn’t one wall of defence but a system of interlocking foundations that safeguard data, systems, and people. Neglect one, and vulnerabilities emerge.
The urgency is already visible. Enterprises are investing heavily, adding staff and technology every year. According to a 2024 report, companies with over 5,000 employees dedicate 21% more attention to security than smaller firms. Yet risk continues to escalate.

The same report found 81% of security professionals consider today’s threat landscape the toughest in five years. Nearly eight in ten leaders in medium and large organisations are concerned about criminals using generative AI for convincing phishing and social engineering. Another 80% highlight supply chain security as a growing risk — a serious issue when third-party networks underpin so much of enterprise activity.
Regulators are raising the bar and rightly so. Frameworks such as GDPR and the NIS2 Directive now mandate structured risk management and accountability. Against this backdrop, five foundations stand out — reducing exposure, strengthening resilience, and supporting compliance at a time when the cost of failure has never been higher.
1. Assigning clear responsibility
Large organisations must be explicit about who “owns” cybersecurity. Often it is the Chief Information Security Officer (CISO) or a dedicated security function.
The regulatory environment reflects this. NIS2 requires management bodies to approve and oversee security measures, meaning leadership cannot take a hands-off stance. The Dutch National Cyber Security Centre (NCSC) also highlights that assigning ownership is a core board duty.
When accountability sits at the top, it sets the tone across the business. It signals that cybersecurity is a central business priority.
Why responsibility shapes security outcomes
Clear ownership drives faster crisis response, consistent policy enforcement, and fewer gaps. When no one knows who is responsible, organisations face delays, data loss, and compliance breaches that can spiral into reputational damage.
That’s why GDPR requires many organisations to appoint a Data Protection Officer (DPO). This role creates a visible line of accountability, ensuring decisions are aligned across functions.
Engaged leaders also strengthen awareness. Where executives actively address cyber risks, employees show higher security literacy. The reverse is true as well: without visible commitment, teams feel isolated, stressed, and more likely to make mistakes.

Most importantly, cybersecurity cannot sit solely with IT. It must run through every function, enabling people to make informed, responsible decisions — even when no one is watching.

Practical steps to lock down cybersecurity responsibility
- Appoint a CISO or security lead: Give the role authority, resources, and direct access to leadership so decisions can be made quickly and effectively.
- Board-level oversight: Keep cybersecurity on the board agenda. Review updates and run simulations to turn abstract risks into tangible scenarios.
- Define roles clearly: Assign specific ownership of areas like HR, legal, and IT so no critical task is left unclaimed during daily operations or crises.
- Provide training and support: Give leaders and staff awareness programmes shaped to their roles, rather than lengthy, generic training sessions.
- Integrate into governance: Tie security metrics into KPIs and performance reviews so accountability extends beyond policy into measurable outcomes.
2. Safeguarding assets at enterprise scale
Without visibility, protecting your environment is like trying to secure a building without knowing all its entrances. An accurate, up-to-date inventory of assets, from laptops and servers to cloud services and data stores, is the foundation of any security strategy. Each asset is a potential doorway for attackers. NIS2 reinforces this, requiring structured asset management.
Why asset inventory is non-negotiable in cybersecurity
Forgotten devices — an unpatched laptop, a network printer, or an abandoned cloud account — can expose entire networks. Remote work and IoT only add complexity. Enterprises now manage thousands of assets, making manual oversight impossible.
Visibility is critical in industries where digital transformation has created interconnected networks of machines, interfaces, and cloud-linked systems. Without mapping these assets, security teams cannot prioritise risks effectively.
What happens when inventory is overlooked
Untracked assets open silent backdoors. Legacy servers, unmanaged OT systems, and shadow IT are frequent culprits. Many OT assets last 20 years or more without security patches. AI tools rolled out without proper safeguards can also become liabilities.
Even strong passwords or firewalls cannot help if attackers find an unknown device on the network. Compliance frameworks such as ISO 27001 also require asset management, meaning neglecting this step carries both technical and legal risks.
Practical steps to protect what you own
- Automated discovery: Deploy tools that continuously detect new devices, apps, and services across on-premise, cloud, and hybrid environments.
- Centralised inventory: Keep a single, updated record of hardware, software, accounts, and data stores that teams can access and use in daily operations.
- Classify assets: Sort assets by criticality so resources are directed to the systems that would cause the most damage if compromised.
- Track lifecycle changes: Update inventories automatically when assets are added, retired, or reconfigured to prevent blind spots.
- Shadow IT monitoring: Identify unsanctioned tools or services early, then either formalise them under governance or phase them out.
- Supply chain visibility: Track vendor-linked systems and demand regular reviews or certifications to avoid hidden third-party risks.

3. Identify and evaluate cybersecurity risks
Once assets are visible, the next step is to understand the threats they face. Risk assessment means asking three questions: what could go wrong, how likely is it, and what would the impact be? This is not a one-off audit but a continuous process of reassessment as systems and threats evolve.

A risk-adjusted approach is essential. You could spend your entire IT budget chasing every vulnerability and still not eliminate risk. Instead, focus where exposure is greatest.

Why “risk” should be your compass
Cybersecurity isn’t about eliminating risk; it’s about understanding it. NIS2 requires organisations to adopt policies based on risk analysis, while the EU AI Act applies a risk-based framework to AI systems. GDPR also mandates proportionate measures relative to the risks posed to individuals.
The cost of neglecting cybersecurity risks
Skipping regular assessments leaves organisations exposed to breaches, outages, and fines. Cybercrime costs are projected to rise from $9.22 trillion in 2024 to $13.82 trillion by 2028. Under NIS2, essential entities face penalties of up to €10 million or 2% of global revenue, while important entities risk €7 million or 1.4% — whichever is higher.
Practical steps to assess risk
- Run regular assessments: Carry out full reviews annually and after major organisational or technology changes, supported by vulnerability testing.
- Adopt structured frameworks: Use standards like NIST CSF or ISO 27005 to keep risk analysis consistent, transparent, and easy to communicate.
- Maintain a risk register: Log risks with severity and likelihood scores, updating regularly so leadership can prioritise using clear data.
- Cover diverse threats: Evaluate not only technical flaws but also human, physical, and third-party risks to capture the full spectrum of exposure.
- Make it ongoing: Pair monitoring tools with post-incident reviews to ensure risk management evolves continuously, not just annually.
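An added example, not from the article or from SoSafe: a minimal risk register in Python that scores each entry as likelihood × impact, weighted by the asset's criticality tier from the inventory in foundation 2, ranks entries so effort goes where exposure is greatest, and flags entries whose last review is older than the annual cycle. The entries, tiers, dates and the 1-5 scales are constructed for illustration.

```python
from datetime import date

# Constructed sample register (not from the article). Likelihood and impact
# are scored 1-5; criticality is the asset's inventory tier (1 = low, 3 = crown jewel).
RISK_REGISTER = [
    {"id": "R1", "asset": "legacy OT controller", "criticality": 3,
     "likelihood": 4, "impact": 5, "last_review": date(2024, 1, 15)},
    {"id": "R2", "asset": "marketing laptop fleet", "criticality": 1,
     "likelihood": 3, "impact": 2, "last_review": date(2025, 6, 1)},
    {"id": "R3", "asset": "payroll SaaS (third party)", "criticality": 3,
     "likelihood": 2, "impact": 4, "last_review": date(2025, 3, 10)},
    {"id": "R4", "asset": "shadow-IT file share", "criticality": 2,
     "likelihood": 5, "impact": 3, "last_review": date(2024, 5, 20)},
]

REVIEW_INTERVAL_DAYS = 365          # "full reviews annually"
AS_OF = date(2025, 9, 1)            # constructed reporting date


def exposure(entry):
    """Exposure = likelihood x impact, weighted by asset criticality (1-3)."""
    return entry["likelihood"] * entry["impact"] * entry["criticality"]


def is_stale(entry, today=AS_OF):
    """True when the entry has not been reassessed within the review interval."""
    return (today - entry["last_review"]).days > REVIEW_INTERVAL_DAYS


def prioritise(register, today=AS_OF):
    """Rank entries by exposure, highest first: (id, exposure, stale)."""
    ranked = sorted(register, key=exposure, reverse=True)
    return [(e["id"], exposure(e), is_stale(e, today)) for e in ranked]


def needs_reassessment(register, today=AS_OF):
    """Ids whose last review is older than the review interval."""
    return [e["id"] for e in register if is_stale(e, today)]


if __name__ == "__main__":
    for risk_id, score, stale in prioritise(RISK_REGISTER):
        flag = " (review overdue)" if stale else ""
        print(f"{risk_id}: exposure {score}{flag}")
```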

4. Apply targeted security controls
Once you’ve identified your key risks, the next step is to put in place layered controls. These include administrative (policies and processes), technical (tools and monitoring), and physical (secure facilities, access badges). The aim is defence in depth: if one control fails, others still hold.
Why layered defences matter in cybersecurity
Layering reduces exposure and makes it harder for attackers to succeed. The threat landscape is evolving fast, with advanced AI tools and increasingly professionalised cybercrime making technology alone insufficient. The human factor remains the most common entry point, which means real protection comes from a holistic approach that combines people, processes, and technology. NIS2 also highlights baseline measures such as MFA and training.
The risks of neglecting security controls
Something as simple as failing to enable MFA on admin accounts has already caused countless breaches. Skipping hygiene measures like patching, network segmentation, or reliable backups can escalate into data loss, prolonged outages, or full business interruption. And when regulators step in, the consequences can include not only reputational harm but also significant fines.
Practical steps to implement targeted security measures
Administrative controls
- Develop practical policies: Create clear, accessible rules for acceptable use, access, and incident response that employees can easily follow.
- Reinforce awareness: Replace one-off training with regular, engaging content that helps staff build secure habits over time.
- Apply accountability measures: Use access reviews, segregation of duties, and structured offboarding to prevent insider threats.
- Practise incident response: Run tabletop drills so staff know their roles in high-pressure situations and reporting deadlines are never missed.
Technical controls
- Strengthen authentication: Apply MFA universally and monitor for bypass techniques like push fatigue or social engineering.
- Patch and configure securely: Automate updates and enforce hardened configurations to eliminate common vulnerabilities.
- Segment networks: Restrict lateral movement by isolating sensitive systems and using firewalls and VPNs to strengthen boundaries.
- Protect endpoints: Deploy EDR on all devices, monitor continuously, and encrypt drives to protect data if hardware is lost or stolen.
- Encrypt and back up data: Secure sensitive data in transit and at rest, and test recovery from backups that follow the 3-2-1 principle.
Physical controls
- Restrict access to facilities: Use locked doors, badges, and authorisation checks for server rooms and critical spaces.
- Monitor sensitive areas: CCTV, visitor logs, and real-time alerts reduce the risk of unauthorised entry.
- Dispose of hardware securely: Wipe or destroy drives and devices before decommissioning to prevent data leaks.
- Promote workplace discipline: Use clean-desk policies and visible IDs to reinforce secure behaviour in daily operations.

5. Cybersecurity should be a business habit
Cybersecurity works when it becomes a daily routine. Every employee, from operations to engineering, plays a part. A single careless click can undo years of investment. Embedding security into workflows makes resilience sustainable.
Why cybersecurity culture matters
Threats evolve daily. Without practice, old habits creep back and new risks go unnoticed. NIS2 requires cyber hygiene and training as part of its baseline. Attackers are adopting advanced AI to create deepfakes and multichannel phishing campaigns. In this climate, a security-first culture is the strongest defence against human error.
Risks of overlooking long-term resilience
Treating security like an annual audit breeds complacency. Employees forget procedures, mistakes rise, and breaches follow. Human error is involved in 82% of breaches. Security teams then carry the load, leading to burnout — with 83% of IT staff admitting fatigue has already caused incidents.

Practical steps
- Deliver ongoing training: Use short, recurring sessions to keep staff alert to current threats without overwhelming them.
- Run simulations: Test staff with realistic phishing or incident drills tailored to industry-specific risks and communication channels.
- Lead by example: Executives should take part in drills and show visible commitment to security priorities.
- Weave into workflows: Insert checkpoints for security during processes like procurement or project planning so it becomes routine.
- Reinforce with recognition: Celebrate staff who demonstrate good security practices to normalise positive behaviours.
How SoSafe helps build resilience
SoSafe turns cybersecurity foundations into practice by combining behavioural science, gamification, and analytics. SoSafe’s e-learning platform delivers short, tailored training that adapts to each employee’s risk profile, driving higher engagement and lasting behaviour change.
The toolkit supports large organisations in reducing phishing click rates, strengthening asset hygiene, and embedding a security-first culture — all while aligning with compliance standards such as GDPR and NIS2. From the first rollout, companies see measurable impact: faster reporting of threats, improved awareness, and teams that are better prepared to protect critical assets.
SoSafe helps transform the human factor from a common vulnerability into a powerful line of defence.
At the end of the day
Strong cybersecurity in a large organisation rests on consistent foundations that support long-term resilience.
The five practices we’ve explored — assigning clear responsibility, inventorying assets, assessing risks, applying layered controls, and embedding security as a habit — work together as the core of an effective security strategy. Put in place, they create a culture that withstands disruption and adapts as threats evolve.
Cybersecurity is not a destination but a continuous journey of reinforcing habits, adapting to change, and protecting what matters most: your people, your data, and your reputation.
Ready to put these foundations into action? Explore our resources for IT security leaders and see how SoSafe can help you build lasting resilience.