Cybersecurity is high on the agenda in almost every organisation. Yet many companies remain vulnerable because information security is not always deeply embedded in business operations. Often, measures are only taken after the fact, for instance in case of incidents or under pressure of new laws and regulations. At the same time, we see that organisations that do take a proactive, holistic approach are less likely to experience serious problems. In this article, we show why an integral vision on cybersecurity is so important, where things often go wrong in practice and how companies can raise their security level sustainably.

A telling example of the risks of ad-hoc security is the data breach at Equifax in 2017. This US credit bureau lost the personal data of millions of customers because a known software vulnerability was not fixed in time. Although technological measures were in place (firewalls, intrusion detection systems), investigations revealed that patch management and risk analysis were insufficiently integrated into business processes. The organisation did not know exactly where vulnerable systems were running and who was responsible for them.

The incident showed that a few loose technical solutions do not provide guarantees when there is no integrated policy. The lack of ownership, poor communication between departments and insufficient insight into critical data all contributed to the impact of this data breach. The cost to Equifax ran into the hundreds of millions of dollars and the reputational damage was enormous.

Holistic security thinking

One lesson from such incidents is that security requires more than technical ‘solutions’ such as antivirus software, firewalls or a one-off penetration test. Of course, those technologies are useful, but they need to be embedded in a system in which people, process and policy are seamlessly aligned.

  • Human factor. Many incidents occur due to human error: an inattentive click on a phishing link, misconfiguration in the cloud or unauthorised access to accounts. Awareness and continuous training are therefore indispensable. This goes beyond a one-off awareness programme; it requires a culture in which employees dare to report incidents and near-incidents without fear of sanctions.
  • Process-based assurance. Security should be a recurring agenda item: from product development and supplier selection to the daily use of systems. For example, integrate risk management into change processes, so that it is not something to be arranged ‘after the fact’.
  • Governance and ownership. Without clear responsibilities and a clear division of tasks, cybersecurity often remains stuck in good intentions. Therefore, appoint a CISO or security officer with a clear mandate and reporting structure. This way, risks and incidents get attention at board level.

By bringing all this together in one framework, security is not a closing item but an integral part of strategy and operations.

The role of legislation

In Europe, the legal focus on digital security is growing significantly. Some key developments:

  • EU Cybersecurity Act. This regulation introduced a European framework for the certification of ICT products and services. Organisations can have their solutions assessed for security, creating a more transparent market.
  • Cyber Resilience Act. This law enshrines the principle of ‘security by design’ throughout the life cycle of hardware and software. Manufacturers and vendors are obliged to fix vulnerabilities and inform users accordingly.
  • NIS2 (Network and Information Security Directive). The strengthened NIS directive extends the scope to more sectors (including energy, healthcare, transport and critical digital services) and sets higher requirements for incident reporting and managerial accountability, among others.

These regulations not only give organisations additional duties, but also more guidance. However, those who limit themselves to ‘ticking off’ legal requirements will find that the bar keeps getting higher. An organisation that does invest in an integrated security strategy will find it easier to adapt to new requirements and will also enjoy the trust of customers, suppliers and regulators.

AI and data: the next wave of risks

Artificial Intelligence (AI) and large-scale data analytics bring new opportunities, but also new threats and ethical dilemmas.

  1. Bias in AI. AI models are only as good as the data they are trained on. When datasets for face recognition consist mainly of images of certain populations, the result can be a model that barely recognises other groups. This is not only detrimental to the individuals affected, but can also lead to reputational damage and legal consequences for the organisation deploying the AI.
  2. Deepfakes. Sophisticated AI models can generate realistic videos, audio or images that make individuals seemingly say or do things that never took place. This phenomenon can be used for fraud, blackmail or politically motivated disinformation. Organisations would do well to invest in detection tools and employee awareness so that they can recognise deepfake content early.
  3. Adversarial attacks. Malicious actors can manipulate AI models by feeding them subtly manipulated data. For example, self-driving cars can be ‘confused’ when a stop sign with small stickers on it is recognised as a different sign. Defending against such attacks requires additional checks on input data and periodic validation of the model.
  4. Privacy and data breaches. AI often relies on huge amounts of (personal) data. If these are insufficiently anonymised or incorrectly stored, a hack or misconfiguration can lead to serious privacy breaches. The emphasis therefore lies on data classification, strict access control and encryption. A solid data governance structure is thus essential: define what data you collect, where it is stored, who has access to it and what security measures are needed.

Organisations that want to deploy AI without adapting their security model risk facing new forms of attack. Moreover, legislation such as the (upcoming) AI Act requires transparency, explainability and documentation of AI systems. A holistic view of security is then not a luxury, but a dire necessity.

Learning from highly regulated sectors

In industries where safety is literally a matter of life and death - such as aviation and pharmaceuticals - an integrated approach has been central for decades.

  • Aviation. From preflight checklists to incident reporting, every step is procedurally recorded. Checklists here are not just formal tick lists, but tools with which crucial steps are made visible and controllable. Errors are quickly detected and can be addressed systemically.
  • Pharmaceuticals. The pharmaceutical sector has strict validation requirements for equipment and processes (‘Quality by Design’). Every link in the chain (from research to production) is documented and monitored. This builds a culture where continuous improvement and thorough risk analysis are a matter of course.

These sectors show that tight regulations and checklists are not necessarily prohibitive. On the contrary: provided they are used properly, they help minimise risks and detect errors at an early stage. The key is to really work with them in practice and learn from them, rather than just ‘officially’ complying with the rules. That principle - embedding security in all layers of the organisation - is equally applicable within IT and information security.

From compliance to intrinsic safety

Now how do you make the move from ‘minimal compliance’ to an intrinsic safety culture? A few points of interest:

  1. Management commitment. If management sees security primarily as a cost item or precondition, employees will perceive it that way too. Only when management makes it clear that security is a strategic priority and allocates resources (budget, people, time) to this end will the organisation have the opportunity to make real strides.
  2. Risk-based working. Start by asking: ‘Where are our real crown jewels?’ Focus security on the data, processes and systems that cause the greatest damage when lost or misused. This way, you avoid investing haphazardly in ‘random’ solutions.
  3. Use checklists properly. Standards like ISO 27001 and frameworks like NIST CSF provide a thorough structure and help you not overlook anything important. The crux is that you understand why you tick off certain items and how doing so makes your organisation safer. See checklists as a tool, not an end in itself.
  4. Break through insularity. Cybersecurity is not just about IT. Legal aspects (contracts, compliance), HR (hiring procedures, training), facilities (physical security) and procurement (supplier management) all play a role. Set up a multidisciplinary working group or steering committee with broad responsibility for the integrated approach.
  5. Continuous improvement. Cybersecurity is never ‘finished’. Create a regular cycle of monitoring, evaluating, reporting and adjusting. Carry out incident and trend analyses to recognise patterns. Such a Plan-Do-Check-Act cycle ties in with quality assurance methods and ensures that you are not caught off guard by new threats or changing regulations.

The way forward

Many organisations intend to improve their security, but struggle to translate that intention into daily practice. In incidents such as the Equifax data breach or countless ransomware attacks, we see time and again that one or more crucial facets were missing: ownership, insight into the valuable data, process discipline or employee awareness.

Meanwhile, pressure is growing from laws and regulations, but also from customers and business partners who demand that confidentiality and continuity be guaranteed. Yet there is also a positive side: those who take an integrated approach and invest in people, process and technology will find that compliance requirements are easier to meet. Moreover, you will reap the benefits of greater reliability and a better reputation.

‘Holistic cybersecurity’ can be seen as a continuous improvement process, in which you constantly learn from mistakes, new threats and sector-wide insights. By looking at the lessons learned in aviation and pharma, for example, or the additional risks introduced by AI, you can strengthen the backbone of your own organisation. That way, you avoid security being something you only manage ‘after the fact’ or ‘on paper’ and make it a real success factor.

This article previously appeared in Quality in Business (pdf)