Every board understands growth. New markets, strategic acquisitions, expanded partnerships — these are the decisions that define an organisation’s trajectory. They get scrutinised, modelled, and approved at the highest level.

What rarely gets the same scrutiny is what growth does to the organisation’s governance structure.

Because growth doesn’t just add revenue. It adds attack surface. It adds regulatory exposure. It adds accountability gaps that don’t appear on any balance sheet — until something goes wrong.

Three patterns appear consistently across organisations navigating significant growth moments. Each one carries a governance risk that is predictable, assessable, and — if not addressed — expensive.


Pattern 1: The Acquisition

When Marriott acquired Starwood in 2016, the deal was evaluated on the metrics that M&A due diligence is built to assess: market position, financial performance, brand portfolio, operational synergies.

What the due diligence process didn’t surface was that attackers had been inside Starwood’s reservation system since 2014 — two years before the deal closed. The IT staff who understood that network were let go after the acquisition. The legacy infrastructure kept running.

Four years after the initial compromise, 339 million guest records were exposed. The FTC’s conclusion was unambiguous: Marriott had visibility into Starwood’s security posture during due diligence. That visibility came with responsibility.

The governance gap here wasn’t technical. Marriott had security teams. They had processes. What they didn’t have was a due diligence framework that treated the target company’s governance structure, risk decisions, and accountability gaps as assets to be assessed — not assumed.

When you acquire a company, you acquire its risk posture. Its undocumented decisions. Its inherited vulnerabilities. Its regulatory exposure in every jurisdiction it operates in.


Pattern 2: Market Expansion

Entering a new market feels like a growth decision. It is also a governance decision — one that most organisations make without recognising it as such.

A new jurisdiction brings new regulatory obligations. NIS2 in the European Union imposes incident reporting requirements, supply chain risk management obligations, and management body accountability that applies the moment an organisation qualifies as an essential or important entity. DORA brings equivalent requirements for financial sector organisations operating across EU member states. These are not compliance formalities. They carry personal liability for management.

The governance system that served the organisation in its home market was built for that market. Its risk assessment methodology, its incident response procedures, its documented accountability structures — all of it was designed around a specific regulatory environment and a specific definition of what “defensible” looks like.

Expansion doesn’t automatically extend that system. It exposes its boundaries.

What counts as documented risk acceptance in one regulatory environment may not satisfy the evidentiary standard in another. What passes as adequate incident reporting in one market may trigger regulatory findings in the next.


Pattern 3: Vendor Relationships at Scale

As organisations grow, their dependency on third parties grows with them. Cloud infrastructure providers. Software vendors. Managed service providers. Specialist partners embedded in critical business processes. Each relationship extends the organisation’s operational capability. Each one also extends its attack surface.

NIS2 is explicit on this point: organisations are responsible for the cybersecurity risks introduced by their supply chain. Not just their own controls — the controls of the vendors whose systems touch their critical processes.

What most organisations discover when they map this honestly is that their vendor relationships have grown faster than their governance framework. They have commercial agreements. They may have standard security questionnaires. What they often don’t have is a documented assessment of which vendors introduce material risk, what that risk looks like, and who inside the organisation is accountable for monitoring and managing it.

The governance gap here isn’t the absence of a vendor list. It’s the absence of a structured risk decision about each significant vendor relationship — documented, approved at the right level, and revisited when the relationship or the threat landscape changes.


When the Question Arrives

Each of these three patterns ends in the same place — a moment when someone external asks a question the organisation cannot answer cleanly.

For the acquisition: a regulator determines that the acquirer inherited responsibility for a compromised environment it had visibility into during due diligence. The governance trail doesn’t exist. The accountability isn’t assigned. The liability is.

For market expansion: an incident occurs in a new jurisdiction. The local regulator applies reporting requirements the organisation didn’t know applied to them. The 72-hour notification window closes before the internal process even starts.

For vendor relationships: a supplier’s systems are compromised and the impact reaches the organisation’s critical processes. The regulator’s question is not whether the organisation knew the vendor. It is whether the risk was assessed, the decision documented, and the oversight maintained. The answer to that question was determined long before the incident.

In each case, the exposure wasn’t created by the incident. It was created by the growth decision that preceded it — and the governance system that didn’t keep pace.


What This Actually Requires

The organisations that manage this well don’t have better security teams. They have governance systems that were designed to grow — systems where risk decisions are documented, accountability is assigned at the right level, and the question “what are we now responsible for?” gets answered before the regulator or the incident answers it instead.

That is not a technical problem. It is a governance architecture problem. And it becomes visible exactly when organisations are moving fastest — which is precisely when it is hardest to stop and look.

The question worth asking before the next growth decision is a simple one: was our governance system built for the organisation we are becoming, or for the organisation we were when we built it?


If your organisation is navigating a significant growth moment — acquisition, market expansion, or a rapidly expanding vendor base — and you’re not certain your governance framework has kept pace, that gap is worth understanding before it becomes a finding.


Senad Džananović is a senior Cyber and AI Governance advisor with 20+ years of experience across Central and Eastern Europe. He works with boards, CISOs and risk managers to translate governance and regulatory requirements into systems that hold under audit, regulatory scrutiny and real incidents.

Contact · LinkedIn