Our own software won't solve your problem

We build and sell software for security and compliance. So this might sound strange: the software won't solve your problem. Not by itself. Let us explain what it actually can't do.



A good system keeps track of what needs to be done. It sends reminders when something is overdue. It shows who changed what, and when. It makes an audit less painful and good order easier to demonstrate. All of that is valuable.

But it cannot give anyone the authority to actually decide. And without that authority, all the responsibility in the world is just words on a page.

Responsibility without authority isn’t unusual. It’s almost the rule.

We see this again and again in the organisations we meet. Someone is listed as responsible for information security. On paper, it’s crystal clear. In reality, the decisions sit somewhere else entirely: the money, the priorities, what gets done. The person has the title and the responsibility but not the right to decide over what they’re accountable for.

It’s not an exception. It’s a pattern. Someone higher up hands down the responsibility and keeps the authority for themselves.

Here’s how it usually plays out. A new law arrives. Half the leadership team starts wondering what they personally could be held accountable for if something goes wrong. So they call for help. There’s always someone who promises to fix the whole thing quickly and smoothly, without disrupting operations and without costing too much. Everything will be in place just in time for the audit.

And you get your documents. Lots of documents. Neat binders, long lists, a report where everything glows calmly green.

Then someone asks the only question that matters: who’s actually responsible for this?

And the finger points downward. At the IT manager. At the security officer. Someone who gets the responsibility written down but not the authority to do anything about it.

The law has changed this

Since 15 January 2026, the Cybersecurity Act applies in Sweden. It’s the law that gives the new EU rules, what’s known as NIS2, real teeth here at home. And it says something important: the leadership themselves must approve the security work, oversee that it actually gets done, and can be held personally accountable if it isn’t. Pointing to IT is no longer a way out. It isn’t even allowed.

In other words: whoever holds the authority must now also carry the responsibility. They finally sit together.

And that’s exactly what no piece of software can sort out for you. Put an unclear chain of responsibility into a system and all you get is neatly organised confusion.

So we start at the wrong end, on purpose

We don’t build a button that promises everything is done. We start with the hard questions. Who’s responsible? Who gets to decide? And do those two sit with the same person, or has someone been handed the blame in advance?

Tools help. But they never replace leaders who actually carry the responsibility, for real and with their own name on it.

That’s why our CISO-as-a-Service doesn’t start with a system to fill in. It starts with sorting out who owns what, which decisions need to be made and by whom, and how the responsibility connects to the mandate. Only once that structure is in place do the tools become truly useful. If you want to know where your organisation stands today, get in touch.

Order and structure first. Then tools. And security all the way through.

Author

Kim Borg

Founder & CEO

25+ years of experience in IT leadership, from software developer and Scrum Master to IT Director and Group CIO. Deep expertise in ISO 27001, NIS2, risk management, and information security governance. Educated in ISMS at the University of Skövde.
