Cybersecurity is now a boardroom responsibility

Can you truly prove your organisation is cyber resilient?

  • Blog
  • 01/04/26
Jim Krezmien

Senior Manager, PwC Netherlands

Wouter Otterspeer

Director, PwC Netherlands

Under DORA and NIS2, the board holds explicit ultimate responsibility for the organisation’s digital resilience. Not as an item on the agenda, but as a legal obligation. At the same time, the sense of urgency is increasing in light of the current geopolitical landscape.

Our latest CEO Survey reveals that 31 per cent of CEOs worldwide see cyber risks as the greatest threat to their organisation, higher than any other operational risk. The urgency is widely recognised, but there's a gap between that recognition and actual control over the risk. The question many board members still can't answer with certainty is: do our measures actually work?

This isn't an exception. PwC's Digital Trust Insights 2026 confirms it: only eight per cent of Dutch organisations are investing significantly more in proactive measures, compared with 24 per cent globally. The majority still operate in a reactive cycle, whereas a modern approach lets organisations identify and address cybersecurity risks before they materialise.

Why compliance gives you a false sense of security

The traditional approach to cybersecurity is compliance-driven. You work with standard frameworks, tick off requirements and conduct periodic audits. That's not worthless, but it's insufficient. Compliance tells you whether you meet the rules. It doesn't tell you whether your defence can withstand the attackers currently targeting your sector.

That distinction isn't theoretical. A recent cyber incident at a major European manufacturer led to core systems being taken offline as a precaution. The result: weeks of disruption to production and operations, with direct impact on deliveries, dealers and the entire supply chain. The company undoubtedly had a security policy. It probably passed audits too. But in practice, the defence couldn't withstand the type of attack that occurred.

It's no coincidence that PwC's Digital Trust Insights shows that previous experiences with cyber breaches are one of the most defining factors for many Dutch organisations when reconsidering investment priorities. A painful confirmation that the sector still waits for the blow instead of anticipating it.

Translating cyber threats into euros

As a board member, you don't need to be a technical expert. But you do need to be able to weigh cyber risks against other business risks. That's only possible if threats are expressed in language you already speak: probability, impact, a sense of urgency and actionable direction.

The FAIR model (Factor Analysis of Information Risk) makes that translation possible. Instead of an abstract threat level, you get answers to concrete questions: what's the likelihood of this specific scenario occurring? What's the expected damage? Which parts of the business are affected?

Take ransomware. Instead of only discussing vulnerabilities, you look at consequences: what does it cost if core systems fail, deliveries stop or customer data becomes unavailable? By calculating that scenario and linking it to realistic attack paths, you can make choices based on actual exposure. Where's the greatest risk, and which measure demonstrably reduces that risk?
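The FAIR calculation described above, as an added worked example that is not part of the article or of any PwC tooling: a scenario is decomposed into threat event frequency, vulnerability (the share of attempts that become loss events) and primary plus secondary loss per event, each given as a calibrated low / most likely / high estimate, and a Monte Carlo run turns those into an annualised loss expectancy and tail percentiles in euros. The scenario names, estimates and the 400,000 euro control cost are constructed assumptions; the comparison shows how a proposed measure (here, closing a monitoring gap, which lowers vulnerability) is weighed against its cost.

```python
import math
import random
import statistics
from dataclasses import dataclass

# All numbers below are constructed illustrations, not figures from the article.


@dataclass(frozen=True)
class Estimate:
    """A calibrated three-point estimate (low / most likely / high)."""
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution: a simple stand-in for the PERT curves
        # often used in FAIR tooling; the three points are all it needs.
        return rng.triangular(self.low, self.high, self.most_likely)


@dataclass(frozen=True)
class FairScenario:
    name: str
    threat_event_frequency: Estimate  # attack attempts per year
    vulnerability: Estimate           # probability an attempt becomes a loss event (0..1)
    primary_loss: Estimate            # euros per event: downtime, recovery, lost sales
    secondary_loss: Estimate          # euros per event: fines, legal costs, customer churn


def poisson(rate: float, rng: random.Random) -> int:
    """Number of loss events in one year for a given annual rate (Knuth's method)."""
    limit = math.exp(-rate)
    events, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return events
        events += 1


def simulate_year(scenario: FairScenario, rng: random.Random) -> float:
    """One Monte Carlo trial: total loss in euros for a single year."""
    loss_event_frequency = (scenario.threat_event_frequency.sample(rng)
                            * scenario.vulnerability.sample(rng))
    total = 0.0
    for _ in range(poisson(loss_event_frequency, rng)):
        total += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
    return total


def quantify(scenario: FairScenario, runs: int = 10_000, seed: int = 1) -> dict:
    """Annualised loss expectancy (mean) plus the tail a board should also see."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(scenario, rng) for _ in range(runs))
    pct = statistics.quantiles(losses, n=100)  # 99 cut points; pct[k-1] is the k-th percentile
    return {
        "ale": statistics.fmean(losses),
        "p50": pct[49],
        "p90": pct[89],
        "p95": pct[94],
        "worst_case": losses[-1],
    }


def compare_control(baseline: FairScenario, mitigated: FairScenario,
                    annual_control_cost: float, runs: int = 10_000) -> dict:
    """Does a proposed measure reduce expected loss by more than it costs?"""
    before = quantify(baseline, runs)
    after = quantify(mitigated, runs)
    reduction = before["ale"] - after["ale"]
    return {
        "baseline": before,
        "mitigated": after,
        "risk_reduction": reduction,
        "net_benefit": reduction - annual_control_cost,
    }


# Constructed ransomware scenario for a mid-sized manufacturer.
RANSOMWARE = FairScenario(
    name="ransomware: core systems offline",
    threat_event_frequency=Estimate(1, 3, 8),
    vulnerability=Estimate(0.10, 0.20, 0.40),
    primary_loss=Estimate(500_000, 2_000_000, 8_000_000),
    secondary_loss=Estimate(100_000, 500_000, 3_000_000),
)

# Same scenario after a monitoring gap is closed: attempts are detected
# earlier, so fewer of them become loss events (lower vulnerability).
RANSOMWARE_WITH_MONITORING = FairScenario(
    name="ransomware: with additional monitoring",
    threat_event_frequency=RANSOMWARE.threat_event_frequency,
    vulnerability=Estimate(0.02, 0.05, 0.12),
    primary_loss=RANSOMWARE.primary_loss,
    secondary_loss=RANSOMWARE.secondary_loss,
)

if __name__ == "__main__":
    result = compare_control(RANSOMWARE, RANSOMWARE_WITH_MONITORING, annual_control_cost=400_000)
    for label in ("baseline", "mitigated"):
        r = result[label]
        print(f"{label:>10}: ALE €{r['ale']:,.0f}  p90 €{r['p90']:,.0f}  worst €{r['worst_case']:,.0f}")
    print(f"expected risk reduction €{result['risk_reduction']:,.0f}, "
          f"net benefit €{result['net_benefit']:,.0f} per year")
```

The mean (ALE) is what gets compared with other business risks; the p90 and worst-case figures are what make the tail of a scenario like a multi-week production outage visible, which the mean alone hides. Replacing the triangular sampler with the organisation's preferred distribution changes nothing else in the model.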

From tool portfolio to coverage map

Many organisations have dozens of security solutions. They were purchased to address specific risks, but over time, the overview has become blurred. Tools overlap, are under-configured, or in practice cover different techniques than the vendor promises. The question 'what do our tools actually do?' is harder for most organisations to answer than they expect.

Yet that insight is essential. Before you can test whether your defence works, you need to know what that defence should theoretically cover. By mapping your security solutions to standardised threat frameworks, such as MITRE ATT&CK and the NIST Cybersecurity Framework, and contextualising that mapping to the threat profile of your sector and geography, a coverage map emerges. That map provides an objective picture of which attack behaviours your tools can stop or detect, and which they can't. Vendor claims are tested against standardised criteria, not marketing material.

The coverage map reveals three things simultaneously:

  • attack techniques not covered by any tool,
  • tools that cover the same techniques without adding protection, and
  • features you're paying for but not activating.

That combination enables targeted investment decisions, including what-if analyses when replacing or retiring tools.

This is a recognised bottleneck, as the research shows: consolidation of the security tool portfolio is high on the agenda for Dutch organisations as a response to the tight labour market. The desire to consolidate exists, but without insight into what existing tools cover, consolidation remains blind cost-cutting.

This is the tactical link between strategic risk quantification and operational testing. Without this intermediate layer, you test blindly and invest on intuition. With this mapping, you know where the weakest points are in your defence, so you can test and adjust accordingly. Because threat landscapes and tool configurations constantly change, the value isn't in a one-off exercise, but in a living picture that's continuously maintained.
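The coverage map and the what-if analysis described in this section, as an added example that is not part of the article or of any PwC tooling. Each security tool is recorded with its features, whether each feature is actually enabled, and the ATT&CK techniques that feature detects or blocks; the sector threat profile is a set of technique IDs. The tool names, feature names and the threat profile are constructed assumptions (the technique IDs are real MITRE ATT&CK identifiers, used here only as labels). The output is the three findings listed above plus the techniques that would lose their last cover if a given tool were retired.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed inventory. Tool and feature names are placeholders; the technique
# IDs are real MITRE ATT&CK identifiers used only as labels.


@dataclass(frozen=True)
class Feature:
    name: str
    enabled: bool                 # licensed features are not always switched on
    techniques: FrozenSet[str]    # ATT&CK techniques this feature detects or blocks


@dataclass(frozen=True)
class Tool:
    name: str
    features: tuple

    def active(self) -> FrozenSet[str]:
        """Techniques actually covered today (enabled features only)."""
        return frozenset().union(*(f.techniques for f in self.features if f.enabled))

    def dormant(self) -> FrozenSet[str]:
        """Techniques a disabled feature would cover that nothing enabled in this tool does."""
        latent = frozenset().union(*(f.techniques for f in self.features if not f.enabled))
        return latent - self.active()


def coverage_map(tools: List[Tool], threat_profile: FrozenSet[str]) -> dict:
    """The three findings the article lists: gaps, overlaps and unused features."""
    covered_by: Dict[str, List[str]] = {t: [] for t in sorted(threat_profile)}
    for tool in tools:
        for technique in tool.active() & threat_profile:
            covered_by[technique].append(tool.name)
    return {
        "uncovered": [t for t, names in covered_by.items() if not names],
        "overlapping": {t: names for t, names in covered_by.items() if len(names) > 1},
        "dormant": {tool.name: sorted(tool.dormant() & threat_profile)
                    for tool in tools if tool.dormant() & threat_profile},
    }


def what_if_retire(tools: List[Tool], threat_profile: FrozenSet[str], tool_name: str) -> List[str]:
    """Techniques in the threat profile that would lose their last active cover."""
    before = set(coverage_map(tools, threat_profile)["uncovered"])
    remaining = [t for t in tools if t.name != tool_name]
    after = set(coverage_map(remaining, threat_profile)["uncovered"])
    return sorted(after - before)


# Sector threat profile (constructed): techniques seen in recent campaigns against this sector.
THREAT_PROFILE = frozenset({
    "T1566",      # Phishing
    "T1059.001",  # Command and Scripting Interpreter: PowerShell
    "T1003",      # OS Credential Dumping
    "T1021.001",  # Remote Services: Remote Desktop Protocol
    "T1486",      # Data Encrypted for Impact (ransomware)
    "T1071",      # Application Layer Protocol (command and control)
})

TOOLS = [
    Tool("mail-gateway", (Feature("anti-phishing", True, frozenset({"T1566"})),)),
    Tool("edr-vendor-a", (
        Feature("script-telemetry", True, frozenset({"T1059.001", "T1003"})),
        Feature("ransomware-rollback", False, frozenset({"T1486"})),  # licensed, never enabled
    )),
    Tool("edr-vendor-b", (Feature("endpoint-detection", True, frozenset({"T1059.001", "T1003"})),)),
    Tool("network-monitor", (Feature("c2-detection", True, frozenset({"T1071"})),)),
]

if __name__ == "__main__":
    report = coverage_map(TOOLS, THREAT_PROFILE)
    print("gaps:     ", report["uncovered"])
    print("overlaps: ", report["overlapping"])
    print("dormant:  ", report["dormant"])
    for name in ("edr-vendor-b", "network-monitor"):
        print(f"retire {name}: newly uncovered {what_if_retire(TOOLS, THREAT_PROFILE, name)}")
```

On this constructed inventory the map shows two techniques nobody covers (RDP lateral movement and the ransomware encryption stage), two EDR products duplicating each other, and a rollback feature that is paid for but switched off; the what-if shows that the second EDR can be retired without opening a gap, while retiring the network monitor would. Keeping the inventory in a file that is re-read on every change is what turns this from a one-off exercise into the living picture the section asks for.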

Testing against reality, not against a checklist

A coverage map tells you what should work in theory. But whether it works is another question, and that's precisely what you answer with the Threat Informed Defence strategy: you structurally test your measures against current attack techniques, instead of relying on generic controls.

A concrete example: many attackers are known to use 'living off the land' techniques, abusing legitimate administration tools already present in the environment so that their activity blends in with normal use. The question then isn't whether you have a policy against this type of attack, but whether your detection systems recognise it, whether your employees are trained on these signals, and whether your security provider responds to it.

With structured testing methods, based on the MITRE ATT&CK framework, a globally recognised overview of how cybercriminals operate, you can test this structurally and repeatably. Not once every three years during a red team exercise, but continuously. This creates a continuous learning process where your defence adapts to reality, rather than to the schedule.  

How this works in practice

An organisation conducted a joint exercise with the defending security team and external ethical hackers, based on a current threat profile. The outcome: certain attack techniques weren't being detected by the existing monitoring system. This was a concrete, demonstrable gap in the defence.

To understand the size of that gap, the existing security stack was then mapped to the MITRE ATT&CK framework. That didn't reveal one blind spot, but a pattern: multiple attack techniques from the sector's threat profile weren't covered by any tool in the stack, whilst two other tools largely covered the same techniques. The coverage map made it visible at a glance where the defence was failing and where budget was being duplicated.

The FAIR model was then deployed to express the potential damage from this blind spot in euros. The result wasn't a technical report that disappeared into a drawer, but a substantiated investment proposal that convinced the board to invest in additional monitoring.

That's the point. Not technology for technology's sake, but measurable insight that leads to informed decisions.

From obligation to evidence

Cybersecurity is no longer an IT topic. It's a boardroom responsibility with legal consequences. The combination of Threat Informed Defence and FAIR gives board members what they need: not more dashboards and reports, but proof that the defence works and a common language that enables CISOs, security teams and the board to weigh risks together.

Organisations that can demonstrate this stand stronger. Not just against regulators, but against customers, partners and employees. Because in a world where cyber threat is constant, demonstrable resilience isn't a compliance exercise. It's a strategic advantage.  

Contact us

Jim Krezmien

Senior Manager, PwC Netherlands

Jim is a cybersecurity expert within the Advisory division of PwC Netherlands. He specialises in strengthening organisations’ cyber resilience and supports board members and security teams in building a proactive defence strategy. He bridges technology and strategic decision-making, ensuring that organisations become not only more secure, but also demonstrably in control.

Wouter Otterspeer

Director, PwC Netherlands

Wouter works within the Advisory division of PwC Netherlands. He specialises in mapping digital vulnerabilities and helps organisations to address them in a targeted and effective way. He translates complex threats into concrete measures that enhance digital resilience.