“Organisations often operate from a mindset of certainty and control, whereas digital security is fundamentally about managing uncertainty.” So says Dennis Pieterse, Chief Information Security Officer (CISO) at Conclusion.
According to Dennis, the question isn’t whether you’ll be affected, but how you ensure your organisation stays up-and-running when it happens. “Technology and policy matter. But true resilience is built through insight, preparation, and collaboration.”
“Digital resilience rests on three core principles: availability, integrity and confidentiality,” Dennis explains. “This ensures that systems stay operational, data remains reliable, and only the right people have access. For that last point, consider the entire chain. Suppliers, partners, and cloud services are all part of your IT landscape.”
“There’s often confusion during incidents,” Dennis notes. “Who takes the lead? Who liaises with Legal? With Communications? Who decides whether to escalate? These are things you should have considered beforehand.”
That’s why it’s essential to define scenarios and assign roles in advance. “You don’t need ten detailed playbooks, as long as you’ve had the conversation ahead of time. People need to know what they’re responsible for.”
For Executives, that means being able to rely on tight coordination between security, operations, and support functions. “Security touches every layer: from operations to HR, from the boardroom to Procurement. The less aligned you are, the more vulnerable you become.”
Dennis believes many organisations take too linear a view of risk. “They want to lock everything down. But that’s neither possible nor necessary. The key is knowing where you’re vulnerable, and handling that mindfully.”
A confrontational example: “What would you do if your data were to be held hostage? Pay the ransom… up to what amount? Is cooperating with extortion even allowed under your company policy? Who makes that decision, and who carries it out? These are board-level issues. If you discuss them now, you’ll avoid panic later.”
That’s why Dennis advocates for more scenario thinking in the boardroom. “Risk management is far more than a compliance exercise. It’s a strategic one,” he says.
His advice to Executives? Stay engaged. “Trust your security team, but at the same time ask the hard questions. Not to check up on them, but to understand what’s at stake. Discuss the trade-offs, the decisions you’d need to make. What you will and won’t do. Seek advice. You don’t need to know everything, but you do need to be able to take the lead.”