In control with Threat Protection
Organizations are investing more and more in cybersecurity. But how do you actually know if you are really in control? And perhaps more importantly: can you also demonstrate this when an auditor, supervisor or director asks for it?
We discuss this with Gerard Bruijgoms, Service Delivery Manager at Wortell Enterprise Security. In his role, he is involved in the MxDR services for clients on a daily basis. He supervises service reviews, discusses incidents and translates operational security data into clear administrative reports. From this practice, he sees what organizations encounter when it comes to Threat Protection, governance and demonstrable control.
Organizations are investing seriously in cybersecurity, says Gerard. This includes prevention, detection, firewalls, EDR, SIEM and AI-driven analytics. And yet, at the first real incident, or sometimes at the first serious threat, the same question always arises:
"Are we actually really in control and can we demonstrate that if someone asks about it?"
Threat Protection only matures when solutions do more than just work. They must also be understandable, demonstrably effective and manageable. That's where it gets to the heart of ISO27001: monitoring, measuring, analyzing, evaluating and above all demonstrating.
At the same time, the threat landscape is changing. Cybersecurity is less and less an individual problem and more and more of a chain problem. Attacks come through vendors, cloud services, APIs, integrations, software components, or managed services. The question is therefore no longer "Am I safe?", but: "Is my entire chain controlled and can I demonstrate this to regulators, customers and partners?"
NIS2 therefore makes supply chain security completely explicit. It is no longer a precondition, but a mandatory part of cyber risk management.
Acting on mandate: speed when minutes count
When things go wrong, indecision is often more damaging than the attack itself. That is why we work with a pre-agreed mandate: which containment actions do we carry out independently, when do we escalate and which choices remain with the customer.
That speed is essential, especially under NIS2, with its tight deadlines:
- An early warning within 24 hours
- An incident report within 72 hours
- A final report within one month
Proactive action only works when there is trust. And trust is not created by promises, but by transparency: what have we observed, what considerations have been made, what actions have been carried out under mandate and what effect did they have?
The importance of reporting
A report is therefore never just a document, it is a conversation starter. The real added value arises when we go through the findings together with the customer. In that conversation, something is added that no dashboard or table can fill in: context. Figures are given meaning, events are given interpretation and decisions are supported.
During these conversations, we dive into questions such as:
- What does this trend mean for our specific organization?
  An increase in incident volume can seem worrying, but sometimes it turns out that detection has actually become more sophisticated. Conversely, a quiet period can indicate blind spots. You only see that when you talk about it together.
- Where is the real priority?
  A CISO looks at risks differently than an IT Operations Manager, and a director looks at risks differently than both. By discussing reports together, a shared picture is created.
- What do we take with us to the roadmap?
  A report describes what has happened, but the translation into structural improvements, in processes, tooling, awareness or supplier management, arises in the conversation.
- How do we ensure that decisions are well documented?
  In the context of ISO27001, NEN7510, NIS2, DORA and the Cyber Resilience Act, demonstrability is essential. By explicitly discussing and recording findings and choices made, governance certainty is created.
This prevents a report from ending up as a PDF in a mailbox. Instead, it becomes a tool for guidance, improvement and accountability.
One truth, three perspectives
Within Threat Protection, we work from one source of facts, but with three different perspectives. Each organizational level receives exactly the information needed to fulfill its role, in line with ISO27001, which is strongly committed to measurability and evaluation.
| Level | Primary Audience | Key Questions | Output |
|---|---|---|---|
| Operational | SOC, IT Operations | What's going on? What is the impact now? What do we do within the mandate? | Real-time alerts, incident timelines, containment actions, IOCs, tickets |
| Tactical | CISO, security management | What does this say about our resilience? Where are structural weaknesses? Will we meet our controls? | KPI/KRI dashboards, trend analyses, root cause themes, improvement backlog |
| Strategic | Board of Directors, Executive Board | What is the business risk? What is equipment? What does this mean for continuity and reputation? | Board reporting with risk impact, decision points, investment options and assurance |
This way, the CISO and the Board of Directors look at the same reality, but through a different lens.
Security in the chain: reporting as a calming and control measure
Where an incident used to be mainly an internal problem, nowadays it is often a chain event. That is why NIS2 emphasizes not only incident handling, but also:
- Insight into dependencies;
- Requirements towards suppliers;
- Third-party monitoring;
- Testing and mitigations in the chain.
In addition, NIS2 requires organizations to inform customers in the event of significant incidents or threats. Reporting thus becomes not only an internal tool, but also a means of communication towards partners.
Partners want to know:
- What the scope of the incident is.
- Whether there is an impact on their services or data.
- What measures have been taken.
- What they may have to do themselves.
A clear partner update prevents panic, rumors and reputational damage.
For organizations that supply digital products or are part of a product chain, transparency becomes even more important. The Cyber Resilience Act introduces reporting obligations for exploited vulnerabilities and serious incidents via the Single Reporting Platform: 24 hours for an early warning, 72 hours for a full notification and additional final reports.
Reporting is therefore no longer an administrative burden, but an essential part of responsible product management. The trick is to set up Threat Protection in such a way that it not only works, but is also explainable, verifiable and demonstrably effective.
This requires a clear mandate, operational discipline, tactical management and strategic interpretation. Everything comes together in one reporting chain with three perspectives. This way, the IT Manager, the CISO and the Board of Directors look at the same story, but each from their own responsibility.