Research question and guiding principles<\/h3>\n\n The central question was how organisations have structured their digital resilience, and which choices are made in practice. This includes not only technical measures, but organisational ones as well. After all, cyber resilience is just as much about governance, prioritisation and exercising as it is about tooling.<\/p>\n\n
That is why we chose a maturity model encompassing multiple dimensions. Ranging from identity & access management and monitoring to crisis preparedness, supplier management and executive-level governance. This model forms the backbone of both the interviews and the survey.<\/p>\n\n
Combining interviews and survey research<\/h3>\n\n The research combines a quantitative survey among more than 250 IT and security professionals with 19 in-depth interviews. These interviews were not added afterwards as illustration, but were an essential part of the research design.<\/p>\n\n
In conversations with professionals, we explored what they see as indicators of mature cyber resilience. When do they believe an organisation truly has its foundations in order? And where do they observe things breaking down in practice, even in organisations that rate themselves highly?<\/p>\n\n
Based on these insights, the maturity model was refined and used to design the survey. The survey then tested to what extent these practical observations are recognised more broadly.<\/p>\n\n
A realistic picture of the current state of play<\/h3>\n\n The results show how organisations assess their own level of cyber resilience. On average, they rate themselves at 7.1. In addition, 67 percent say they feel prepared for a cyber incident.<\/p>\n\n
At the same time, the same measurement shows that practical implementation often lags behind this sense of preparedness. Only 28 percent of organisations conduct crisis exercises on a structural basis. This means that plans and procedures exist, but are rarely tested under realistic conditions.<\/p>\n\n
We see the same pattern across other domains. Only 23 percent of organisations have supplier and supply-chain security set up at a mature level. 33 percent <\/strong>lack continuous, organisation-wide monitoring and detection. And just 16 percent<\/strong> have a security roadmap at board level.<\/p>\n\nBetween a sense of control and actual embedding<\/h3>\n\n These findings do not point to unwillingness or negligence. Many organisations have taken clear steps in recent years. Security has moved higher up the agenda, budgets are growing, and board members are more aware of risks.<\/p>\n\n
However, cyber resilience proves difficult to organise structurally in practice. Measures are often implemented in isolation, without clear coherence. Exercising and long-term embedding tend to fall by the wayside, even though these are precisely the elements that make the difference when things go wrong.<\/p>\n\n
Want to read the full report? <\/h3>\n\n On Security Innovation Stories, we explore the results and their underlying context in greater depth. We highlight patterns that cut across sectors and roles, and raise key questions about how organisations can further strengthen their cyber resilience.<\/p>\n\n
Read it here <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"KPN wanted insight into how cyber resilience is organised in practice within Dutch organisations with a critical societal role. Interviews and a survey among 250+ professionals expose the gaps.<\/p>\n","protected":false},"featured_media":5145,"template":"","meta":{"inline_featured_image":false,"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kadence_starter_templates_imported_post":false,"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":""},"categories":[],"class_list":["post-5139","cases","type-cases","status-publish","has-post-thumbnail","hentry"],"taxonomy_info":[],"featured_image_src_large":["https:\/\/www.beyondproducts.io\/wp-content\/uploads\/2026\/01\/KPN-case.jpg",458,304,false],"author_info":[],"comment_info":"","_links":{"self":[{"href":"https:\/\/www.beyondproducts.io\/en\/wp-json\/wp\/v2\/cases\/5139","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.beyondproducts.io\/en\/wp-json\/wp\/v2\/cases"}],"about":[{"href":"https:\/\/www.beyondproducts.io\/en\/wp-json\/wp\/v2\/types\/cases"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.beyondproducts.io\/en\/wp-json\/wp\/v2\/media\/5145"}],"wp:attachment":[{"href":"https:\/\/www.beyondproducts.io\/en\/wp-json\/wp\/v2\/media?parent=5139"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.beyondproducts.io\/en\/wp-json\/wp\/v2\/categories?post=5139"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/www.beyondproducts.io\/wp-content\/uploads\/2026\/01\/Gemini_Generated_Image_hnmzfnhnmzfnhnmz-1200x670.png\")
<\/figure>\n\n