The reality of compliance vs. resilience
The debate opens with a shared acknowledgement that cyber threats respect neither borders nor regulatory checkboxes. Compliance may establish a baseline, but it does not guarantee protection against sophisticated attackers. Moderator Loraine Phillips set the tone by arguing that compliance, while essential, is simply not enough. “If, however, you get resilience right, I strongly believe that it can bring a competitive and human advantage,” she noted, framing the conversation around how organisations can move from technical language to real-world action and the sharing of knowledge.
For Joanna Harding, the goal is being able to demonstrate that the organisation does what it says it does. This takes time, and boundaries must be upheld even when they are unpopular. “If people can repeat their processes, they will feel less pain the next time around and they will indeed also feel more resilient,” she explained.
Risk management and the financial lens
A core theme of the discussion was the challenge of translating technical cyber risks into the financial and operational language understood by business leaders.
Xavier Paulus observed that the move toward NIS2 is making risk management more concrete, not least because organisations have finite resources. He cautioned against relying solely on financial metrics, noting that while impacts on insurance or budgets are relatively easy to quantify, the broader effects on society and company reputation are sometimes overlooked. “We are using risk management every day to take decisions in our business,” he stated, stressing that the conversation must centre on the value of investment rather than simply ticking boxes.
Iwona Muchin agreed that checklists are merely a starting point. She noted that, unlike traditional operational risk, where ample data exists to support quantification and simulation, the cyber world still lacks a robust database for predicting financial losses. She expressed hope, however, that new reporting requirements under DORA and NIS2 would eventually generate the data needed to present cyber risks to boards with greater precision.
Building partnerships with the business
Turning to more positive developments, the panel explored how security teams can shift from being seen as “blockers” to becoming genuine business partners.
Success, according to Joanna Harding, comes from learning from and interacting with the business: “We often have to listen to hard truths from the business about our lack of a collaborative mindset, but if we keep the collaboration going and present ourselves as a partner, we can turn this around. You need to show up with your best will and intent.”
Xavier Paulus described a positive shift in which business teams now proactively seek security advice. He saw this as a sign of genuine leadership: the business is taking ownership of security, rather than having rules imposed on it.
The challenge of supply chain and third-party risk
A recurring challenge in NIS2 implementation is how organisations engage their suppliers, particularly when the majority are SMEs. Reaching these companies in a meaningful way remains an open question for many compliance teams.
Xavier Paulus confirmed that sending questionnaires is common practice, but one that does not always deliver meaningful value, particularly with large vendors. For IT vendors, he argued: “if we want to manage the risk, we need to understand what is in the contract. With SMEs we need to map upstream and downstream supply chain dependencies and assess the specific risks of each relationship.”
Iwona Muchin acknowledged that NIS2 and DORA have contributed to a proliferation of overlapping third-party assessments, with suppliers now receiving multiple questionnaires from different customers. A more standardised approach, she suggested, would be welcome. On a more positive note, she observed that security and privacy are increasingly being embedded into business processes from the outset, with business units raising questions earlier and teams adopting a more proactive stance.
Making the case to leadership
The panellists concluded by exploring how to engage senior leadership and boards effectively, moving away from technical jargon and toward strategic risk discussions.
Xavier Paulus noted the growing interest and knowledge among board members. When presenting to a board, he advised, it is vital to be concise and solution oriented. “If the dial is red, explain why, but also come with a plan and solutions,” he recommended, adding that boards exist to help make decisions, not simply to hear complaints.
Joanna Harding acknowledged that the purpose of the law itself is to assess risk. “If you show that you looked at the company priorities and then show the risk assessment in the context of those priorities, the conversation will be better,” she said.
To capture a board’s attention, Iwona Muchin advised using tangible examples, such as the sheer volume of malicious emails blocked daily. “While being very concrete, at the same time you show that there is no 100% safeguard,” she added. She noted as well that board members who sit on multiple boards are becoming better educated, as they see frameworks such as DORA and NIS2 increasingly intersect. This cross-legislative exposure is helping leadership develop a more nuanced understanding of cyber risk.
Moderator Loraine Phillips added that resilience ultimately still requires a “Plan B” and the organisational readiness to respond when something does go wrong. This includes the ability, at leadership level, to communicate clearly with the press and public, contain panic, and share lessons learned so that others can benefit.
Concluding insights
After the panel debate, moderator Loraine Phillips sparked an engaged Q&A that highlighted some of the challenges organisations are actively wrestling with today. Key themes included the strategic tension between technology consolidation and diversification, as well as the evolving complexity of third-party risk management and the potential for industry-wide audit standards.
Across this captivating debate, one thread ran consistently: the engagement and ownership between CISOs, the C-suite and the board is essential to embedding cyber resilience deep into an organisation’s risk management strategy. This has become a defining leadership priority: one that calls on boards and senior executives to build genuine knowledge and learning, engage closely with their CISO and IT experts, and drive resilience as a competitive differentiator.
Picture 1: Loraine Phillips and Iwona Muchin
Picture 2: Xavier Paulus
