Communicating cyber risk in dollars boards understand
In this Help Net Security interview, Nick Nieuwenhuis, Cybersecurity Architect at Nedscaper, explains why cybersecurity has not delivered the resilience that decades of investment have promised. He argues that spending has leaned too heavily on technical controls while neglecting people, processes, and organizational dynamics.
He unpacks the gap between security teams and boards, pointing to weak risk communication and a reliance on qualitative heatmaps over hard evidence. He pushes back on root cause analysis as a reductionist habit, makes the case for treating resilience as a serious capability, and outlines what stronger organizations do differently, including investment in communication, rehearsed playbooks, and continuous learning across the security function.

Why has cybersecurity not delivered the expected resilience despite decades of investment?
I think we have optimised cyber security for control effectiveness, but not for system behaviour.
Most organizations approach cybersecurity through a mechanistic lens: identify threats, map them to controls, implement those controls, and demonstrate compliance. That model is deeply embedded in frameworks, audits, and even how we structure our teams. It has value, but it assumes that risk behaves in a relatively linear and predictable way. This is not the case, as cyber risk is dynamic, unpredictable and ambiguous in nature.
Cyber risk emerges from complex socio-technical systems. Incidents are rarely caused by a single missing control; they result from (missing) interactions between technology, people, processes, and organizational constraints. Academic work increasingly points out that most cyber resilience frameworks are still overly techno-centric and fail to account for these socio-technical dynamics.
So, what we have done well historically is build controls to mitigate known, predictable risks. What we have not done equally well is ensure that those controls collectively produce resilient behaviour under stress. Partially this is because we forgot to include the human element in security design. This is highlighted by the various methods of multi-factor authentication we have seen over the past 10 years, ranging from SMS codes to passkeys. All these methods work technically well, but adoption is lacking because security professionals are not good at communicating why security controls are needed and how they work. Our tools should guide secure behaviour, but we have failed to implement that adequately in the past.
In this sense, the discipline hasn’t failed due to lack of investment. Rather, that investment has been disproportionately focused on technical controls, while underinvesting in the broader socio-technical conditions that determine and improve resilience.
Where does the disconnect between cybersecurity and executive decision-making originate?
I believe this originates in how we translate cyber risk into something decision-makers can work with. Many security professionals still talk technical to their business leaders. We talk about threats like phishing and ransomware, but we forgot to accentuate the actual risk these threats pose to the business.
Besides that, when we do include a sound risk management process, we usually communicate risks in a qualitative manner: “high probability, medium impact.” This is great for internal discussions, but the risk evaluation process is not grounded in evidence. There is a nice book on cyber risk quantification called ‘from heatmaps to histograms’ that highlights this gap fantastically.
Additionally, there is also a capability gap. Many boards recognize cyber as a business risk, but relatively few have deep expertise, and governance structures are not always set up to bridge that gap effectively. CISOs and other security directors need to communicate cyber risk more effectively in terms of business risk, including financial impact in actual dollars, without overstating their confidence in either qualitative or quantitative methods. The beauty of good cyber risk management lies in between and balances both methods to have a good narrative that resonates with boards. So, the current disconnect lies with poor cyber risk management, communication, and reporting capabilities.
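The heatmap-versus-histogram gap the answer above describes can be made concrete in code. The following is an added illustration, not code from the interview, Nedscaper, or the book mentioned: it takes a constructed ransomware scenario, shows the single likelihood/impact cell a qualitative heatmap reduces it to, and then estimates the same scenario in dollars with a Monte Carlo loss-exceedance curve. The frequency, median and 90th-percentile figures, the bucket boundaries in `heatmap_cell`, and the choice of a Poisson frequency with lognormal severity are all assumptions chosen for the example; the point it demonstrates is that two scenarios with very different dollar tails land in the same heatmap cell.

```python
"""
Cyber risk quantification sketch: one qualitative heatmap cell beside a
Monte Carlo loss-exceedance estimate for the same scenario.

Constructed inputs (assumptions for this example, not figures from the
interview):
  - freq:   expected loss events per year, modelled as Poisson
  - median, p90: per-event dollar loss, modelled as lognormal and
    calibrated from a subject-matter estimate of the median and the
    90th-percentile loss
"""
import math
import random

Z90 = 1.2815515655446004  # standard normal 90th percentile


def lognormal_params(median, p90):
    """Turn (median, 90th percentile) estimates into lognormal mu/sigma."""
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / Z90
    return mu, sigma


def severity_mean(median, p90):
    """Closed-form mean of the calibrated lognormal severity."""
    mu, sigma = lognormal_params(median, p90)
    return math.exp(mu + sigma * sigma / 2)


def expected_annual_loss(freq, median, p90):
    """Analytic annual loss expectancy: event frequency times mean severity."""
    return freq * severity_mean(median, p90)


def poisson(rng, lam):
    """Sample a Poisson count (Knuth's method, adequate for small lambda)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(freq, median, p90, trials=20000, seed=7):
    """Monte Carlo: total dollar loss in each simulated year."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(median, p90)
    losses = []
    for _ in range(trials):
        events = poisson(rng, freq)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def loss_exceedance(losses, thresholds):
    """P(annual loss >= threshold) per threshold: the curve a board can read."""
    n = len(losses)
    return {t: sum(1 for x in losses if x >= t) / n for t in thresholds}


def percentile(losses, q):
    """Empirical q-quantile of the simulated annual losses."""
    s = sorted(losses)
    return s[min(len(s) - 1, int(q * len(s)))]


def heatmap_cell(freq, median):
    """The qualitative view: bucket the same inputs into likelihood/impact labels.
    Bucket boundaries are assumptions picked for this example."""
    likelihood = "high" if freq >= 1 else "medium" if freq >= 0.1 else "low"
    impact = "high" if median >= 1_000_000 else "medium" if median >= 100_000 else "low"
    return (likelihood, impact)


if __name__ == "__main__":
    # Two constructed scenarios that share a heatmap cell but differ in their tails
    scenarios = {
        "ransomware, typical tail": dict(freq=0.5, median=200_000, p90=1_000_000),
        "ransomware, fat tail": dict(freq=0.5, median=200_000, p90=5_000_000),
    }
    for name, s in scenarios.items():
        losses = simulate_annual_losses(**s)
        print(name, "-> heatmap cell:", heatmap_cell(s["freq"], s["median"]))
        print("  analytic annual loss expectancy: ${:,.0f}".format(expected_annual_loss(**s)))
        print("  simulated mean: ${:,.0f}   p95: ${:,.0f}".format(
            sum(losses) / len(losses), percentile(losses, 0.95)))
        for t, p in loss_exceedance(losses, [500_000, 2_000_000, 10_000_000]).items():
            print("  P(annual loss >= ${:,}) = {:.1%}".format(t, p))
```

Both scenarios print the same `('medium', 'medium')` cell, while their loss-exceedance curves diverge sharply above $2M. Presenting the curve (or the p95 figure) next to the cell is the kind of evidence-backed narrative the answer argues for: the qualitative label still frames the discussion, and the dollar distribution shows the board what the label hides.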
What is wrong with focusing on specific failure points after incidents?
The instinct to find a root cause is understandable, but it is fundamentally a reductionist approach to what is often a systemic problem.
Traditional failure analysis assumes linear causality: something went wrong because a component failed, and if we fix that component, we prevent recurrence. This is the classic “Safety-I” perspective described by Hollnagel, where safety is defined as the absence of failure.
In complex systems, that assumption does not hold up. Failures emerge from actions (or lack thereof) by people, failed internal processes, system or technology failures, or external events. But in most cases, it is a combination of the above factors that cascade the risk, so it’s difficult to point to one single failure. There are just too many unknown factors involved. This means that we need to look further than system and technology failures and include people, organizational, cultural and process factors. This will lead to changes in the security architecture and underlying processes that are more sustainable and systemic, eventually improving resilience.
How do you argue for resilience without sounding like you are lowering the bar?
Everyone needs to understand that resilience implies that something can and will go wrong. This also means that we can’t over-rely on prevention alone. Cyber resilience is about withstanding, recovering from, and adapting to shocks caused by cyber events.
What helps in making that case is moving away from abstract concepts and focusing on tangible organizational capabilities. In practice, more resilient organizations invest in a number of structural and behavioural elements that go well beyond technical controls.
First, they pay deliberate attention to the people side. That includes selecting, training, and retaining individuals who can operate under pressure and deal with ambiguity. Second, they invest in communication. Resilient organizations treat communication as a primary control. Enterprise Architecture is a good mechanism to improve communication. Third, they design and rehearse playbooks. I have seen so many incident response and business continuity plans that look good on paper but break down in real crises. Finally, resilient organizations invest in a culture of continuous learning and feedback loops that feed back into security architecture and strategy. So, lowering the bar and solely focusing on prevention is not an option if you want to be able to navigate the complex world we live in.
Why are human and organizational factors still underfunded?
Technical controls are easier to define, procure, implement, and audit. They map to frameworks and can be somewhat expressed in measurable terms. Organizational dynamics are a lot messier because they are dynamic and you have to deal with the perspectives, norms, values, and beliefs of other people. Socio-technical research highlights that vulnerabilities emerge precisely at the intersection of human behavior and system design, not in isolation. I strongly believe that it is very hard, if not impossible, to accurately quantify security investments from a human, organizational and technological perspective when the (cyber) landscape is continuously changing and on the move.
Until we treat cybersecurity as a socio-technical system, that gap will persist. This is where the difference lies between cybersecurity and cyber resilience; cybersecurity is mostly about preventing attacks from happening, cyber resilience aims to ensure organizations are still able to perform acceptably under pressure. This indirectly implies that we cannot know it all and must be able to adapt under ever-changing circumstances.

Nick Nieuwenhuis is a speaker at Span Cyber Security Arena 2026.