Translate Cyber Risk into Boardroom Dollars

Summary
– Cybersecurity investment has been disproportionately focused on technical controls, neglecting the socio-technical conditions involving people, processes, and organizational dynamics.
– The disconnect with executives stems from poor risk communication, as security teams rely on qualitative heatmaps instead of evidence-based business risk metrics.
– Root cause analysis is a reductionist approach that fails in complex systems, where failures emerge from multiple interacting factors including people, culture, and processes.
– Resilience requires treating communication as a primary control, rehearsing playbooks, and fostering a culture of continuous learning, not just prevention.
– Human and organizational factors remain underfunded because technical controls are easier to define and audit, while socio-technical dynamics are messier and harder to quantify.
In this Help Net Security interview, Nick Nieuwenhuis, Cybersecurity Architect at Nedscaper, argues that decades of cybersecurity investment have not delivered the promised resilience. He contends that spending has skewed too heavily toward technical controls while undervaluing people, processes, and organizational dynamics.
He explores the disconnect between security teams and boards, blaming weak risk communication and an overreliance on qualitative heatmaps instead of evidence-backed data. Nieuwenhuis challenges root cause analysis as a reductionist habit, advocates for treating resilience as a serious organizational capability, and outlines what stronger firms do differently: investing in communication, rehearsed playbooks, and continuous learning across the security function.
Why has cybersecurity not delivered the expected resilience despite decades of investment?
I think we have optimized cybersecurity for control effectiveness, not for system behavior.
Most organizations approach cybersecurity through a mechanistic lens: identify threats, map them to controls, implement those controls, and demonstrate compliance. That model is deeply embedded in frameworks, audits, and even team structures. It has value, but it assumes risk behaves in a relatively linear and predictable way. This is not the case, as cyber risk is dynamic, unpredictable, and ambiguous.
Cyber risk emerges from complex socio-technical systems. Incidents rarely stem from a single missing control; they result from interactions between technology, people, processes, and organizational constraints. Academic work increasingly shows that most cyber resilience frameworks remain overly techno-centric and fail to account for these socio-technical dynamics.
So, what we have done well historically is build controls to mitigate known, predictable risks. What we have not done equally well is ensure that those controls collectively produce resilient behavior under stress. Partially, this is because we forgot to include the human element in security design. This is highlighted by the various methods of multi-factor authentication we have seen over the past 10 years, from SMS codes to passkeys. All these methods work technically well, but adoption lags because security professionals are not good at communicating why security controls are needed and how they work. Our tools should guide secure behavior, but we have failed to implement that adequately.
In this sense, the discipline hasn’t failed due to lack of investment. Rather, that investment has been disproportionately focused on technical controls, while underinvesting in the broader socio-technical conditions that determine and improve resilience.
Where does the disconnect between cybersecurity and executive decision-making originate?
I believe this originates in how we translate cyber risk into something decision-makers can work with. Many security professionals still talk technical to their business leaders. We talk about threats like phishing and ransomware, but we forgot to accentuate the actual risk these threats pose to the business.
Besides that, when we do include a sound risk management process, we usually communicate risks in a qualitative manner: “high probability, medium impact.” This is great for internal discussions, but the risk evaluation process is not grounded in evidence. There is a nice book on cyber risk quantification called From Heatmaps to Histograms that highlights this gap fantastically.
Additionally, there is also a capability gap. Many boards recognize cyber as a business risk, but relatively few have deep expertise, and governance structures are not always set up to bridge that gap effectively. CISOs and other security directors need to communicate cyber risk more effectively in terms of business risk, including financial impact in actual dollars, without overstating their confidence in either qualitative or quantitative methods. The beauty of good cyber risk management lies in between and balances both methods to have a good narrative that resonates with boards. So, the current disconnect lies with poor cyber risk management, communication, and reporting capabilities.
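The answer above contrasts a heatmap cell (“medium likelihood, high impact”) with evidence-based financial risk figures. The following is an added example, not code from the interview or from Nedscaper, showing what the quantitative side of that balance looks like in practice: a small Monte Carlo simulation that turns a calibrated annual event rate and a 90% confidence interval for single-event loss into an annual loss distribution, from which expected annual loss and loss exceedance probabilities can be reported in dollars. The scenario numbers (0.3 events per year, a $50k–$2M loss range) are constructed placeholders; a real assessment would calibrate them from incident data and structured expert estimates.

```python
"""Cyber risk quantification: from a heatmap cell to a loss distribution.

Added example, not from the interview. All scenario figures are constructed
placeholders chosen to illustrate the method, not real loss data.
"""
import math
import random
from statistics import mean

# z-scores for the central confidence intervals we accept as input
_Z_FOR_CONFIDENCE = {0.80: 1.2816, 0.90: 1.6449, 0.95: 1.9600}


def lognormal_params_from_ci(low: float, high: float, confidence: float = 0.90):
    """Return (mu, sigma) of a lognormal whose central interval is [low, high].

    Experts are asked for a range ("90% sure a single incident costs between
    $50k and $2M"); the 5th and 95th percentiles pin down the distribution.
    """
    z = _Z_FOR_CONFIDENCE[confidence]
    ln_low, ln_high = math.log(low), math.log(high)
    mu = (ln_low + ln_high) / 2
    sigma = (ln_high - ln_low) / (2 * z)
    return mu, sigma


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of incidents in one year at annual rate `lam`."""
    limit = math.exp(-lam)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(annual_event_rate, loss_ci_low, loss_ci_high,
                           trials=20_000, seed=7):
    """Simulate `trials` years; each year sums the losses of its incidents."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    mu, sigma = lognormal_params_from_ci(loss_ci_low, loss_ci_high)
    losses = []
    for _ in range(trials):
        events = sample_poisson(rng, annual_event_rate)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def exceedance_probability(losses, threshold):
    """P(annual loss > threshold): one point on the loss exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def percentile(losses, q):
    """Empirical q-quantile (0 <= q < 1) of the simulated annual losses."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarize(losses):
    """The figures a board can act on, all in currency units rather than colours."""
    return {
        "expected_annual_loss": mean(losses),
        "p_any_loss": exceedance_probability(losses, 0.0),
        "p95_annual_loss": percentile(losses, 0.95),
        "p_loss_over_1m": exceedance_probability(losses, 1_000_000),
    }


# Constructed scenario: a ransomware event against one business unit that a
# heatmap would file under "medium likelihood / high impact".
SCENARIO = dict(annual_event_rate=0.3, loss_ci_low=50_000, loss_ci_high=2_000_000)

if __name__ == "__main__":
    s = summarize(simulate_annual_losses(**SCENARIO))
    print("Heatmap cell:                medium likelihood / high impact")
    print(f"Expected annual loss:        ${s['expected_annual_loss']:,.0f}")
    print(f"P(at least one incident):    {s['p_any_loss']:.1%}")
    print(f"95th percentile annual loss: ${s['p95_annual_loss']:,.0f}")
    print(f"P(annual loss > $1M):        {s['p_loss_over_1m']:.1%}")
```

The point of the exercise is not the precision of any single number; it is that the output can be compared against a risk appetite stated in the same units (“we accept no more than a 5% chance of losing over $1M a year”) and against the cost of a proposed control, which a heatmap colour cannot do. The confidence interval also carries the uncertainty the answer warns about: widening the expert range widens the resulting distribution rather than hiding it.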
What is wrong with focusing on specific failure points after incidents?
The instinct to find a root cause is understandable, but it is fundamentally a reductionist approach to what is often a systemic problem.
Traditional failure analysis assumes linear causality: something went wrong because a component failed, and if we fix that component, we prevent recurrence. This is the classic “Safety-I” perspective described by Hollnagel, where safety is defined as the absence of failure.
In complex systems, that assumption does not hold up. Failures emerge from actions (or lack thereof) by people, failed internal processes, system or technology failures, or external events. But in most cases, it is a combination of the above factors that cascade the risk, so it’s difficult to point to one single failure. There are just too many unknown factors involved. This means that we need to look further than system and technology failures and include people, organizational, cultural, and process factors. This will lead to changes in the security architecture and underlying processes that are more sustainable and systemic, eventually improving resilience.
How do you argue for resilience without sounding like you are lowering the bar?
Everyone needs to understand that resilience implies that something can and will go wrong. This also means that we can’t over-rely on prevention alone. Cyber resilience is about withstanding, recovering from, and adapting to shocks caused by cyber events.
What helps in making that case is moving away from abstract concepts and focusing on tangible organizational capabilities. In practice, more resilient organizations invest in a number of structural and behavioral elements that go well beyond technical controls.
First, they pay deliberate attention to the people side. That includes selecting, training, and retaining individuals who can operate under pressure and deal with ambiguity. Second, they invest in communication. Resilient organizations treat communication as a primary control. Enterprise Architecture is a good mechanism to improve communication. Third, they design and rehearse playbooks. I have seen so many incident response and business continuity plans that look good on paper but break down in real crises. Finally, resilient organizations invest in a culture of continuous learning and feedback loops that feed back into security architecture and strategy. So, lowering the bar and solely focusing on prevention is not an option if you want to be able to navigate the complex world we live in.
Why are human and organizational factors still underfunded?
Technical controls are easier to define, procure, implement, and audit. They map to frameworks and can be somewhat expressed in measurable terms. Organizational dynamics are a lot messier because they are dynamic and you have to deal with perspectives, norms, values, and beliefs of other people. Socio-technical research highlights that vulnerabilities emerge precisely at the intersection of human behavior and system design, not in isolation. I strongly believe that it is very hard, if not impossible, to accurately quantify security investments from a human, organizational, and technological perspective when the cyber landscape is continuously changing and on the move.
Until we treat cybersecurity as a socio-technical system, that gap will persist. This is where the difference lies between cybersecurity and cyber resilience. Cybersecurity is mostly about preventing attacks from happening. Cyber resilience aims to ensure organizations are still able to perform acceptably under pressure. This indirectly implies that we cannot know it all and must be able to adapt under ever-changing circumstances.
Nick Nieuwenhuis is a speaker at Span Cyber Security Arena 2026.
(Source: Help Net Security)