INCYBER 2026 Cyber risk: governance shifts toward a business continuity logic
Through the debates and discussions at the Forum INCYBER 2026 in Lille, a clear trend is emerging: cybersecurity is changing status within the company. It is no longer limited to a technological protection requirement, but extends to a broader reflection on continuity, governance, and an organization’s ability to absorb a shock without disrupting its operations. The various contributions converge on the same idea: cyber risk must now be understood at the scale of the company as a whole.
The first shift is conceptual, but its effects are very tangible within organizations. Cybersecurity is no longer solely associated with system protection or data confidentiality. It now directly concerns a company’s ability to maintain its operations, preserve its flows, protect its image, and secure its information assets. The threat now impacts the entire value chain. “We must now adopt a systemic vision. For large companies, this means no longer treating tech or cyber as a simple technological issue, but integrating them into a broader reflection on business continuity, resilience, continuity of operations, and the protection of digital assets and data,” says Franck Le Moal, Chief Information Officer of the LVMH group.
This broader perspective is reshaping the analytical framework. Cybersecurity is now part of an operational resilience logic. It is no longer just about preventing incidents, but also about preparing the organization to absorb a shock, restart, and maintain its essential functions in a degraded environment. “Operational resilience is not limited to cyber resilience. It is therefore not the sole responsibility of the CISO, but of the entire organization, since it combines technical and organizational measures designed to enable recovery and continuity of activity in the event of an IT failure, cyberattack, or data breach,” adds Odile Duthil, Head of Cybersecurity at Groupe Caisse des Dépôts.
The role of the CISO is undergoing transformation
As soon as cyber risk affects operations, reputation, revenue, and service continuity, its scope within the organization changes. It can no longer remain confined to experts or be monitored remotely by cybersecurity teams. It now plays a role in executive committee decisions, management committees, and business unit leadership. This shift is naturally transforming the CISO function. While it retains a role of leadership, structuring, and oversight, it is no longer isolated from the rest of the organization. It is increasingly embedded in business operations, compliance, ongoing transformations, and decision-making bodies. The CISO is no longer seen as an isolated gatekeeper, but as a transversal actor in the company’s functioning.
“We have moved away from a strictly technical role to become a business partner serving operational teams. Our role now is to support these teams in their evolution. We are no longer in a position of systematically opposing the CIO, but in a logic of enabling different departments to move forward while securing all new technologies,” adds Odile Duthil.
Cybersecurity must be integrated from the design stage
This “rise in governance” only produces real effects if it is accompanied by a change in methods. Cybersecurity can no longer be added as a control layer at the end of a project. It must instead be integrated from the outset, into the very design of applications, products, architectures, and development chains. “Building a trusted digital environment requires a real paradigm shift. The time between the disclosure of a vulnerability and its exploitation is now measured in hours. It is therefore no longer possible to add cybersecurity at the end of the process. Security by design is becoming essential and must be integrated from the very first lines of code,” explains Nolwenn Le Ster, COO of Almond and President of the Cyber Commission at Numeum.
This requirement becomes even more critical with the rise of generative artificial intelligence and AI agents. Development cycles are accelerating, software dependencies are multiplying, and exposure surfaces are expanding. Cyber governance must therefore make decisions in a more dynamic environment, where execution speed and risk control must progress in parallel.
Speaking the “business language” to embed cybersecurity in governance
Another clear takeaway is that cybersecurity gains more traction when expressed in clear, operational terms. Company leaders and business unit managers do not fully engage with the topic when it is presented through highly technical vocabulary filled with acronyms, standards, or architectural diagrams. However, they immediately grasp its importance when cyber risk is translated into concrete business consequences: a checkout system that no longer works, a blocked delivery, disrupted production, a malfunctioning store, or degraded customer relations.
“As soon as you use their language and explain the risks they face in their day-to-day operations, they become much more interested in what you are doing. We did not talk about technical acronyms. We talked about their activity and cyber risk in very simple and understandable terms,” comments Fabrice Bru, Director of Cybersecurity and Architecture at Groupement Les Mousquetaires and member of CESIN.
This shift in language is not anecdotal. It determines the quality of the dialogue between experts and decision-makers. It also helps move cybersecurity away from abstract alerts and reposition it within the realm of operational management. Governance can then make decisions based on concrete, understandable impacts directly linked to the organization’s actual performance.
Business units become co-responsible for cyber risk
This evolution in language reflects an even deeper shift: the distribution of cybersecurity responsibility across the organization. The topic is no longer the sole responsibility of the CISO, or even the CISO/CIO pair. Business units are now expected to contribute to risk analysis, decision-making, and the integration of cybersecurity into their own practices and processes. “We no longer just want facilitators whose role is essentially to raise awareness within their teams. We are going much further. We want business partners, meaning individuals who take ownership of these issues, understand them, and step back enough to assess what they imply for their business,” notes Nolwenn Le Ster.
Finally, and perhaps most structurally, the response to cyber risk can no longer remain confined within the boundaries of each organization. Attackers cooperate, pool their resources, industrialize their methods, and exploit dependencies across value chains. In response, companies must also strengthen their cooperation with public administrations, state services, and technology players. “The time has come to change our posture because, in any case, this is beyond us. Cybercriminals are organizing themselves, and if we do not implement a collaborative approach, it will impact us. We must now significantly strengthen, in a very operational way and not just in discourse, collaboration between large private companies, major public administrations, and public sector organizations,” concludes Franck Le Moal.