Digital resilience in three steps
Author: Jan Bletz | Image: Yvonne Kroese | 26-08-2025
The days when organizations could hide behind digital walls are definitely over. Instead of chasing the illusion of absolute security, executives are faced with a fundamentally different question: not whether their company will fall victim to a cyberattack, but how quickly they can get back up and running after it happens.
This shift from prevention to resilience marks a crucial tipping point in how we think about digital security. Traditional security thinking was based on the castle model: a strong outer wall with firewalls that separated the ‘good’ from the ‘bad.’ This approach was appropriate in a world where employees worked in offices, systems were centralized, and the digital perimeter was clearly defined.
But that world no longer exists. In today's reality, people work in hybrid environments, run applications in the cloud, and networks extend across geographical borders. The perimeter is no longer static but constantly expanding to suppliers, their suppliers, and the locations where employees operate: on any given day, one colleague might be working from Zeeland, Netherlands, while another logs in from Spain. This constant expansion exponentially increases the complexity of cybersecurity. The new reality calls for a layered security approach that extends from the perimeter to the crown jewels of the organization. Trust is being replaced by control: every access attempt, every connection, and every device must be verified. This zero-trust principle is not just a technical shift; it also requires changes in governance, policy, and behavior.
Resilience as strategic weapon
The good news is that organizations that embrace this shift are reaping strategic benefits. Digital resilience is increasingly becoming a differentiator in the market. Customers, citizens, and partners entrust their data and processes only to organizations that can demonstrate that they operate with care and security. Investors and regulators are also increasingly looking for signs of digital maturity.
Take the example of regulations such as NIS2. Companies can differentiate themselves by declaring that they are NIS2 compliant. This means not only that the organization itself complies with the regulations, but also that the entire supply chain has been verified. Even if a company is not part of the critical infrastructure, the voluntary decision to become NIS2 compliant can provide a significant competitive advantage.
Another vital concept is security by design. This principle means that security is built into products and systems from the very beginning, during the design process. While this requires investment, it ultimately provides a strategic advantage over competitors. This applies not only to companies that market products directly, but to virtually every modern company. Although their primary services lie elsewhere, organizations such as ABN AMRO and Albert Heijn are also IT companies, with DevOps teams that must integrate security by design.
From reactive to proactive
The shift to resilience also means a fundamental shift in mindset. Whereas organizations used to mainly respond to incidents, they now need to think proactively about scenarios and their response to them. This means regularly running crisis simulations, testing backup systems, and developing clear communication protocols.
Resilience also requires security to become a structural part of policymaking and risk management. It is no longer a stand-alone IT project but must be interwoven with the strategic direction of the organization. This requires insight into digital vulnerabilities, not only within the organization itself, but also in the supply chain and among partners.
European legislation such as NIS2 and DORA already requires organizations to adopt this more proactive attitude. They must display demonstrable responsibility for cybersecurity and demonstrate that they have control over their risks and have organized their security in an integrated manner. This is not only because it is required, but because the expectations of customers, partners, and society are shifting.
The executive challenge
This presents an important challenge for managers. Cybersecurity is no longer a technical matter that can be delegated to the IT department. Fortunately, most organizations recognize this. At the same time, they often struggle to translate technical complexity into executive decision-making. How can they increase their digital resilience?
1) Cybersecurity must be integrated into strategic planning, not as a cost item but as an investment in future-proofing. This means that security considerations must be taken into account in all major business decisions, from new product launches to acquisitions.
2) It is essential to invest in people who can bridge the gap between technology and business operations. Communication between technical experts and management often leaves much to be desired. When security professionals discuss firewalls and ports, cybersecurity is often not considered a management issue, even though the risks and concerns are serious enough to warrant that status. This has direct consequences for governance: cybersecurity is pushed back to lower levels in the organization, leaving executives with insufficient control over strategic risks and making the organization vulnerable to misplaced priorities and ill-considered decisions.
Executives must therefore ensure that there are people in security roles who can translate both the technical and business aspects. A chief information security officer (CISO) must not only have technical expertise but also sharp strategic and business insight. It is a two-way street: the CISO must be able to translate technical reality into management language, while executives must have sufficient understanding to ask the right questions.
Of course, executives can also call in external advisors to help the organization navigate the complexity. Or they can opt for a combination of in-house capability and outsourcing: a hybrid model in which they keep a small portion of the security activities in-house and outsource the majority to specialized partners. Given the speed at which technology is evolving, such a hybrid model is often the best solution. Security teams within organizations may struggle to keep up with all the developments. Thanks to their specialization and scale, external partners are often better able to respond to new threats. However, such a partnership can only be successful if the risk owners within the company (CIO, CFO, and/or CRO) understand the underlying risks and know what actions need to be taken. It is not about completely outsourcing responsibility, but about a well-considered division of roles, whereby strategic management remains internal and implementation is professionally supported.
3) Structural investment in testing and improving resilience is required. This means not only technical tests but also exercises in which the entire organization learns how to respond to different scenarios. It is also crucial that cybersecurity becomes a permanent item on the agenda of board meetings. Only when board members are regularly and systematically informed about the dynamic situation can they make the right strategic decisions and effectively protect their organization against digital threats.
Digital leadership in action
The future belongs to organizations that invest in digital resilience now. This requires a new form of leadership that strikes a balance between caution and innovation, between security and agility. Executives must not only protect their organizations from threats but also position them to take advantage of the opportunities offered by digitization. Cybersecurity has thus evolved from a defensive necessity into a strategic differentiator. Organizations that have their digital security in order can innovate faster, collaborate more reliably, and respond more flexibly to changing circumstances. They are not only building protection, but also legitimacy and continuity. For executives who embrace the shift to digital resilience, a world of strategic opportunities unfolds in which digital security is no longer an obstacle but a driver of success.
