Communicating cyber risk in dollars boards understand


In this Help Net Security interview, Nick Nieuwenhuis, Cybersecurity Architect at Nedscaper, explains why cybersecurity has not delivered the resilience that decades of investment have promised. He argues that spending has leaned too heavily on technical controls while neglecting people, processes, and organizational dynamics.

He unpacks the gap between security teams and boards, pointing to weak risk communication and a reliance on qualitative heatmaps over hard evidence. He pushes back on root cause analysis as a reductionist habit, makes the case for treating resilience as a serious capability, and outlines what stronger organizations do differently, including investment in communication, rehearsed playbooks, and continuous learning across the security function.

Why has cybersecurity not delivered the expected resilience despite decades of investment?

I think we have optimised cyber security for control effectiveness, but not for system behaviour.

Most organizations approach cybersecurity through a mechanistic lens: identify threats, map them to controls, implement those controls, and demonstrate compliance. That model is deeply embedded in frameworks, audits, and…
