From Checkboxes to Resilience: why Crisis Exercises Form the Core of Modern Digital Security

CCRC

Compliant yet vulnerable

An audit full of green checkmarks provides peace of mind. But false security lurks. Because when a targeted cyberattack brings your organization to its knees, compliance rarely equals actual resilience. In this blog, I share a personal conviction: true digital security doesn’t arise from paper standards, but from a culture of risk awareness and practice. And that’s not a technical story, but a governance choice.

The new Digital Security Agenda 2028 from the VNG puts it aptly: “Practicing and learning from incidents is essential to increase the resilience of municipalities.” What applies to municipalities applies to every organization. We cannot exclude attacks, but we can prepare for them. And that preparation starts with executives.

The comfort zone of compliance: the pitfall of checkboxes

Standards frameworks like ISO 27001, BIO, or NIS2 legislation provide a valuable foundation. They ensure structure, standardization, and verifiability. But those who see these frameworks as an end goal get entangled in documentation instead of effectiveness. Compliance then becomes a paper reality where procedures shine, but detection, logging, and recovery processes remain underexposed.

Take the example of a Dutch municipality that fell victim to a ransomware attack. Everything was certified and in order on paper. Yet one compromised administrator account disabled all defenses. Backups proved unusable, and damages ran into the millions.

And that’s not an exception. The annual Data Breach Investigations Report from Verizon shows that more than 80% of successful data breaches occur at organizations that comply with formal standards. Compliance is an excellent foundation, but doesn’t guarantee an effective line of defense.

Threat-driven security: from technology to governance

Real security starts with a different mindset: threat-driven security. That doesn’t start with firewalls, but with the business. Who are the relevant threat actors? What data is interesting to attackers? Do attackers have an interest in digitally sabotaging you? Or is your business possibly sensitive to hacktivism?

These questions bring the conversation to where it belongs: the boardroom. Because without a shared understanding of threats, vulnerabilities, and impact, security remains a technical exercise. Only when executives explicitly state how much damage is acceptable can investments in detection, response, and recovery be meaningfully weighed.

Crisis exercises as a catalyst for resilience

No plan survives first contact with the enemy. That’s why crisis exercises aren’t a luxury, but a necessity. They don’t help prevent attacks, but make their impact manageable. Because in the chaos of a real incident, only one thing counts: preparation.

Crisis exercises come in multiple forms:

  • Tabletop exercise: this clarifies whether roles, mandates, and communication lines are clear. Think of a scenario where a ransomware outbreak occurs. Duration is between 1 and 3 hours;
  • Crisis simulation: a realistic, time-pressure-driven scenario where governance, communication, and operations practice together. Often custom-made, with input from external stakeholders. Duration is between 2 and 4 hours;
  • Purple teaming: a collaboration between the red team (attackers) and the blue team (defenders, often the Security Operations Center) to test and improve technical detection capability;
  • Red teaming according to the TIBER model: an external party simulates a threat actor as realistically as possible to assess an organization’s resilience against various attack techniques. Both social and physical attack methods can be applied.

Why is that important? Because practicing is painfully honest. It exposes what a real attack would ruthlessly exploit. It forces the organization to think about the degree of resilience for a specific and relevant attack. Organizations that practice every quarter demonstrably reduce the impact of incidents.

Practicing is strategic leadership

We live in a time when cyber threats are no longer hypothetical, but daily reality. Every executive knows that 100% security is unattainable. But not every executive acts accordingly.
Compliance provides reassurance, but not necessarily resilience. Those who dare to take the step toward threat-driven security and structural crisis exercises invest in the only strategy that is sustainable in the long term: demonstrable resilience.

And that choice starts at the top. If you as an executive truly take responsibility for digital security, then it’s time to look beyond audits and certificates. Then it’s time to practice.

Cybercrisis expert: Kelvin Rorive

Kelvin Rorive is co-initiator of the CCRC foundation (Cyber Chain Resilience Consortium) and Chief Information Security Officer at ICT Group.
