Abhishta: “You wouldn’t build a building with only elevators”

“If IT goes down tomorrow, what does your organisation do?” It’s a question Abhishta asks us and one he believes every organisation should be able to answer. Digital resilience isn’t just a technical ambition, it’s more of a survival condition. Because anyone who can’t answer that question doesn’t have a security strategy, they have an assumption.
Abhishta is trained as an industrial engineer and views security through an economic lens. For eleven years at the University of Twente, he has been researching the question that should really be central to every boardroom: what does poor digital security actually cost us?
The three layers of digital transformation
To understand why digital resilience is more urgent than ever, Abhishta first outlines the road that got us here. “Digitalisation has three stages”, he explains. “Digitisation is the first: everything that existed on paper moves into a computer. That part is largely done. Digitalisation is the second stage: you actually use that digital information in your business processes. In many sectors, that transition has also already been made.
The third layer is creating additional business value with digitalised processes. For example, reducing waiting times by scaling services that were available in limited capacity. When organisations move towards making digitally transformed processes lean, the paper world as a fallback option disappears and parallel processes are dismantled.”
“Digital systems are no longer a support function for the primary process, they are the primary process.”
“There was briefly that dream of the metaverse,” says Abhishta. “Offices at home, everything digital, but that idea also scared me due to the current maturity and readiness of our digital assets. Because then the economic activity of an entire country depends on internet availability.”
This shift would have major consequences. When digital systems become the backbone of economic activity, their failure is no longer just a technical problem; it’s a societal one. Measuring that kind of damage requires a different framework entirely. That, Abhishta says, starts with understanding what economics actually studies.
Economics is about wellbeing, not just money
Abhishta is an economist at heart, and he makes a distinction that many people find surprising. “Economics is not the science of just money. Economics is the science of wellbeing. And that difference is more than academic, because if you measure security in euros and compliance checkboxes, you miss half the story. If your heart starts beating faster every time you log into a digital service, while you used to walk into your office without a worry, then digitalisation may well be adding value to the process, but it’s also taking something away from your wellbeing. Mature digital transformation does not have a negative effect on user comfort.”
Measuring wellbeing is difficult, according to Abhishta, but there’s a clever shortcut: measure the lack of misery. “A meaningful indicator for wellbeing can also be if people can use a digital system with greater trust and less anxiety.”
That’s precisely why the goal can’t just be to prevent cyber attacks: it has to be to limit the misery when they happen anyway.
Resilience is not the same as security
Security and resilience are treated as the same thing, but they are not. “Traditionally, security is about preventing successful attacks. Resilience is about the ability to recover when something goes wrong anyway. The second is more realistic, because preventing attacks is a promise no one can keep. An attacker only needs to succeed once, a defender needs to get it right every time.”
“Resilience asks a different question: not whether something goes wrong, but what do you do when it does?”
“Take the ransomware attack on logistics company Maersk via WannaCry or the CrowdStrike outage that grounded flights worldwide. In both cases, it wasn’t the disruption itself that caused the most damage, it was the absence of a plan. You wouldn’t build a building with only elevators. There’s a reason we have fire escapes. That reason exists in digital processes too, but many organisations build their digital ecosystem without an emergency exit.”
Three steps towards digital resilience
Resilience sounds abstract, but Abhishta makes it concrete in three steps any organisation can take.
Step 1: Know your own ecosystem
You can’t protect what you don’t know. Inventory your digital assets. Which applications are active, which devices are connected, and where are packets heading? The same applies to your supply chain. If all your suppliers use the same IT vendor, one incident there is an incident for your entire chain.
Step 2: Monitor your environment
Track how often you’re targeted, by whom, and how that pattern changes. But counting attacks isn’t enough, you also need to detect successful ones. “An attacker sits in a system for an average of three months before doing anything. If you only look within your systems, you’re already too late.”
Step 3: Practice
Having a plan is not the same as being able to execute one. “Just switch something off occasionally and see what happens. That’s not pessimistic, that’s making a realistic assessment of competence. Digital resilience is not a setting, it’s a practice.”
The economic logic of resilience
Why don’t organisations do this? Abhishta has an answer that is uncomfortable, but recognisable. “Resilience requires a long-term mindset. And that clashes with the way many organisations think about technology: as a cost item with an expiry date.”
“Even when IT is outsourced, it’s like diversifying your investment portfolio. As an economist I say: don’t put everything in one basket. It’s important to build slack in your processes.”
NIS2 is forcing change here. Boards are now liable for providing sufficient resources for digital security. “That shifts the conversation in the boardroom: from technical to strategic, from an IT matter to a leadership question.”
No guarantee, but a plan
Our focus on secure by design is a good start, but even a perfectly designed system becomes vulnerable within months as new attack methods emerge. The world changes and attackers learn. “You can’t guarantee security, but you can make processes resilient to security incidents. In this world of AI agents where business processes are locked-in with digital assets, strategising for resilience-by-design is the bare minimum.”
That doesn’t start with the latest technology or the thickest compliance report. It starts with an honest answer to one question: “If IT goes down tomorrow, what does your organisation do?”






