"Vilniaus pergalė" views cybersecurity obligations as an opportunity

The law mandates it, but “Vilniaus pergalė” creates the value

The Lithuanian Cyber Security Law, updated in accordance with the NIS2 (TIS2) Directive, requires organizations operating in sectors critical to the functioning of the state—such as energy, finance, manufacturing, digital services, and others—to ensure their own cyber resilience. One of the specific requirements is to appoint a person responsible for cybersecurity and to establish information security processes and procedures. Dovydas Rokas, CFO of “Vilniaus pergalė,” says the organization viewed this new responsibility as an opportunity, not just an obligation:

“Whether a company allocates resources because it is required to do so or because it has decided to invest on its own, it is best to do so properly. We usually have no choice but to meet the standards set by the market or the sector, but we can do so in a way that also creates value for the organization. This is how we approached the requirements of the updated Lithuanian Cyber Security Law—as we grow, we are becoming increasingly digitized, so a focus on information security is inevitable anyway, and we have the opportunity to lay the groundwork.”

Although there are many titles associated with this role, Arnoldas Judinas, an information security expert at NRD Cyber Security, says that the role is best fulfilled by a CISO:

“The CISO is responsible for the organisation’s regulatory information security requirements, the implementation of best practices, the deployment of necessary technologies, and other issues related to cybersecurity. Therefore, this person in the organisation should not only be responsible for organisational measures—such as the establishment, implementation, and monitoring of information security policies and procedures—but also for overseeing the entire information security process. That is, to ensure that the described procedures and processes function properly, that responsibilities and duties are clear, that security vulnerabilities are detected and addressed in a timely manner, and so on. By law, a CISO cannot perform the functions of an IT administrator; therefore, the CISO naturally relies on colleagues in the IT department for technical tasks or to address detected security vulnerabilities. At “Vilniaus pergalė”, while providing CISO services, we have the strong backing of the IT team and are viewed as trusted advisors and partners who, together with the IT function, ensure the organisation’s information security.”

There are many providers offering CISO services, so the selection process is crucial

There were discussions at “Vilniaus pergalė” about creating a new position responsible for cybersecurity within the organisation, but an assessment of potential costs and risks helped make the decision:

“We didn’t have such a role ourselves and realised we wouldn’t know how to make the most of that position. Also, hiring someone in-house to fill this role turned out to be very expensive, so we decided it would be easier to work with an external provider, which would reduce the risks associated with recruiting and retaining staff. With our external partner, NRD Cyber Security, processes move very quickly, and we get answers to security-related questions very fast,” shares D. Rokas.

A. Judinas states that one of the biggest advantages of an external CISO is a streamlined process:

“Since have been providing the services for a while, we have clear procedures and internal processes; we’ve created the most essential templates, and this significantly speeds up the ‘paperwork’ part of the CISO’s job.”

With the number of organisations offering CISO services growing rapidly in the market, the selection of a suitable provider at “Vilniaus pergalė” took place gradually.

“The selection process involved several stages—there are certainly many organisations that provide CISO services, but their reliability raises questions. Therefore, we considered the scope and capabilities of the supplier’s services—whether it was a one-person operation or a larger team with a clear division of labor and a succession plan. Also, since we wanted this to be more than just a “box-ticking” role, we wanted the provider to act as a partner with the “latest knowledge” in the areas of cybersecurity that matter to us, offering their insights and advice. “We didn’t just want ready-made documents that might not necessarily be effective in the event of a cyber incident,” says D. Rokas.

A. Judinas agrees that clients highly value the company’s specialisation in cybersecurity, the high standards it sets for itself, and its active participation in the activities of the Lithuanian cybersecurity community. This enables the company’s employees to offer a broad spectrum of cybersecurity expertise and the opportunity to provide insights, advice, or observations, thereby creating added value for the services provided.

This customer story is a translation of an article published in a leading Lithuanian business news portal „Verslo žinios“ on 5th May, 2026: https://www.vz.lt/vadyba/2026/05/05/vilniaus-pergale-i-kibernetinio-saugumo-prievoles-ziuri-kaip-i-galimybe-pasitelke-patikimus-partnerius-nrd-cyber-security-584246