Most organisations still view cybersecurity as a technical issue—something that can be solved with the right tools, budgets and procedures. But true resilience doesn’t come from top-down control; it stems from awareness on the work floor, says Roel Gloudemans, Director IT Risk & Compliance at Conclusion. “Fortunately, our culture of ownership also protects us against emerging threats.”
In most large organisations, security follows a familiar pattern: a central team defines the required measures, translates them into obligations, and checks whether everyone complies. The result? Employees who see security as a hurdle, process owners who tick boxes, and security officers who constantly have to push to get things done.
Conclusion operates as an ecosystem of specialised companies, which adds an extra layer of complexity to security challenges. That’s precisely why Conclusion flips the traditional approach on its head, explains Gloudemans, who took on his role in May this year. “Instead of imposing obligations from the top down, we actively engage with process owners across our organisation. Where do you see the weak spots in your process? And what would the impact be if something were to go wrong? Together, we arrive at a set of potential security measures. If you decide not to implement a particular measure because you assess the risk as low, you’ll generally have my support.”
Ultimately, only the process owner truly understands what’s at stake, Gloudemans clarifies. “A security officer always assumes the worst-case scenario—but for most processes, that’s simply not realistic. If the risk is limited, there’s no need to enforce a measure at all costs. The security officer’s role is to help you gain that insight and ensure that a small risk in one process doesn’t cause unintended consequences elsewhere.”
By systematically assessing risks, a clear list of priorities naturally emerges, Gloudemans continues. “You simply can’t mitigate every potential risk—that wouldn’t be financially responsible. By making conscious choices, you can allocate resources where they’ll have the greatest impact.”
This emphasis on personal responsibility is already leading to a shift at Conclusion: people are increasingly asking the right questions themselves, Gloudemans observes. “We no longer have to push—security is no longer seen as an obstacle, but as an enabler. Employees are thinking for themselves: what could go wrong in my process? And how can I prevent that? That’s what resilience looks like.”
But building such a culture doesn’t happen overnight, Gloudemans acknowledges. “It’s something that develops over time—not by prescribing what people must do, but by continuously engaging in conversation and asking: what keeps you up at night? That takes time and perseverance.”
Gloudemans now sees this philosophy of ownership and responsibility reflected throughout the organisation. “Where many large companies issue fully locked-down laptops, we believe employees should have some control over their own devices and how they’re configured. But what’s on that device is then also your responsibility. That makes people more alert to unusual situations. If you’re responsible for updates, you’ll notice more quickly when something’s off. And if you’re accountable for the consequences, you’ll think twice before downloading something unfamiliar.”
And if something does go wrong? “A colleague who clicks a phishing link or accidentally installs malware—these things can happen. In such cases, we don’t focus on who made the mistake, but on what we can learn from it. The key is to prevent others from making the same mistake.”
Gloudemans says he borrowed this ‘no-blame’ culture from the aviation industry, where the focus after an incident is on uncovering the facts—not assigning blame. “In almost every incident, there were multiple moments where someone could have acted differently. The goal is to identify those moments and learn from them as an organisation—not to point fingers, but to strengthen the entire security framework.”
That mindset is more important than ever, as the threat landscape evolves rapidly. Artificial intelligence is making phishing emails indistinguishable from legitimate professional correspondence, deepfakes of executives on Teams are becoming a reality, and employees are experimenting en masse with new cloud services and AI tools. Cybercriminals, meanwhile, are operating more like professional businesses, Gloudemans notes. “Malware gangs are now highly organised. When one group learns something new, others quickly follow. The dark side has essentially become a mirror image of the light side—just as professional, just as structured, but with very different goals.”
All of this makes it increasingly difficult for employees to recognise when they’re under attack, Gloudemans warns. “Fortunately, our culture of ownership helps us counter these new threats. I see that colleagues are experimenting with AI tools, but they’re also thinking carefully about what they share. The awareness we’ve built up over the years is now paying off.”
One emerging risk Gloudemans highlights is the so-called ‘insider threat’: invisible subversion, where employees are systematically influenced via social media by malicious actors, with the aim of extracting information or manipulating systems. “You can’t detect this kind of threat with technology. What does work is having real contact with your people—sensing when something’s off and starting a conversation.”
He recalls a moment at the coffee machine when several colleagues mentioned receiving attractive job offers from a recruiter. “It turned out to be fake recruitment ads, designed to manipulate them and gain their trust. Because we talked about it, we were able to intervene before any damage was done.”
What does the (near) future look like? Gloudemans is confident: by 2030, many more organisations will operate the way Conclusion does. “More and more organisations are realising that true resilience comes from within—by placing ownership at the heart of the organisation and fostering trust instead of enforcing control.”
Resilience arises when people ask the right questions, Gloudemans concludes. “And you only ask those questions if you truly feel responsible—not because you’re told to, but because you understand what’s at stake: for yourself, your colleagues, and the organisation you’re part of.”
At Conclusion, we help organisations manage risks and safeguard continuity. From strategy and governance to 24/7 monitoring and incident response, we ensure security isn’t a barrier but a driver for your business.