Chantal Vergouw, Chief Business Market and member of the Board of Directors at KPN: 'The research reveals a striking difference: IT and security professionals, who keep our systems running daily, consistently rate the maturity of their organization lower than management. They see where the issues lie: governance, security monitoring, and crisis planning. Cyber resilience depends on clearly assigned ownership and decision-making. If this is lacking, vulnerabilities remain and incidents are resolved ad-hoc. This confirms what we all feel: there is work to be done.'
Top 5 strategic priorities
- Complying with stricter laws and regulations (43%)
- Ensuring safe AI use within the organization (37%)
- Raising employee awareness of risks and promoting safe behavior (27%)
- Safely configuring and managing cloud environments (22%)
- Properly managing and controlling identities and access (21%)
Compliance with stricter European laws and regulations is most frequently mentioned as a priority. The research also shows that organizations are already experimenting with AI, while governance around responsibilities, monitoring, and decision-making is not always in place. Because of threats such as phishing, ransomware, and social engineering, raising awareness among employees receives much attention. Additionally, the emphasis on cloud security and access management underscores that organizations want to maintain control over their digital environment.
Greatest risks according to professionals in practice
In addition to strategic priorities, professionals identify several risks in daily practice. Human behavior is often cited: clicking behavior, limited awareness, and optimism bias frequently lead to incidents, partly because training and follow-up are not always structured. The use of AI also brings new concerns, such as uncontrolled use of tools, risks around data, deception, and AI attacks. Furthermore, many organizations have limited visibility into suppliers and SaaS services, so supply chain risks receive too little attention. Outdated systems, unauthorized tools, and lack of ownership increase the attack surface, while unclear role distribution and insufficiently secured governance complicate the structural management of risks.
In strengthening digital resilience, detection and preparation play an important role. One-third of organizations monitor digital threats insufficiently or only at a basic level, so incidents are often discovered late. Additionally, 30 percent never or hardly ever practice handling cyber incidents, while 67 percent indicate they feel prepared.
Recommendations for structural resilience
The research results show that further strengthening cyber resilience lies mainly in organizing the basics and day-to-day actions in concrete terms. Organizations that make progress keep control over access management, updates, and monitoring, and involve suppliers and chain partners structurally. Clearly assigned ownership and governance involvement also prove important: when risks are explicitly discussed and weighed at the board level, responsibilities can be assigned more clearly and followed up more quickly.
Moreover, regularly practicing with realistic incident scenarios makes a difference, as plans only gain value when tested in practice. Finally, the increasing use of AI calls for clear guidelines and conscious use, so employees can work safely without introducing new vulnerabilities.
Structural cyber resilience requires an investment in time, effort, and budget. Of the respondents, 38 percent indicate that the current security budget is insufficient, while two-thirds expect that the budget will increase in the coming period. In the next twelve months, organizations expect to invest particularly in security monitoring and detection (35 percent), identity & access management (26 percent), and developing a security roadmap and strategy formation (24 percent).
