Security that prepares beats security that reacts - because resilience is built before alarms ever sound.
On Regulated Digital Episode 27, Debbie Janeczek, Chief Information Security Officer at ING, explains how global banks can move from reactive firefighting to intelligence-led resilience.
She leads ING's global information security strategy, strengthening the organisation's ability to anticipate threats, withstand disruption, and maintain customer trust.
From operational resilience and safe AI use to fraud trends and security that supports delivery, the discussion covers what it takes to build a future-ready programme at scale.
Regulation is now pushing that mindset from good practice into measurable obligation.
Operational Resilience As A Regulatory Outcome
What DORA Changes
The EU Digital Operational Resilience Act (DORA) sets expectations across ICT risk management, incident reporting, testing, and third-party oversight.
For groups with EU entities, DORA requires evidence that critical services can withstand disruption and recover within defined impact tolerances.
The regulatory shift is a chance to align controls to business services, rather than technology silos, and so improve customer outcomes.
For scope and timelines, see the official material on DORA.
Testing Readiness, Not Just Defences
Testing should be about assurance - proving that teams, controls, and suppliers can function effectively under pressure, not just executing technical drills.
The most useful insights are operational - how information flows in a crisis, how dependencies behave, and which actions accelerate recovery.
Resilience testing should be proportionate and repeatable, forming part of an organisation's rhythm rather than a one-off compliance event.
AI - Risks, Controls, And Opportunities
Using AI Safely In Financial Services
AI can accelerate detection and response when models and pipelines are engineered and operated securely.
Secure-by-design practices matter here, including data minimisation, segregation of duties, input validation, and defences against prompt injection and data leakage.
Governance becomes effective when risk controls are testable, auditable, and monitored over time.
Practical assurance often combines model cards, targeted red teaming, drift monitoring, human-in-the-loop review, and decision logs mapped to business criticality.
Fraud patterns continue to evolve across authorised push payments, account takeover, and mule networks using social engineering and misdirection.
Detection performance ties directly to customer trust because faster interdiction and clear communication reduce harm and reputational damage.
Security As An Enabler Of Delivery
Embedding Security Into Change And Product
Security can accelerate delivery when controls are designed as paved roads that teams can adopt quickly.
Design reviews that unblock decisions and secure defaults that remove friction help move risk management into the path of work.
Alignment with resilience guidance such as the UK Cyber Assessment Framework keeps engineering choices tied to measurable service outcomes.
"When boards review operational resilience, they are usually asking whether critical services still work after disruption - not whether the security team detected another event."
Paul Holland, Founder and CEO, Beyond Encryption (Mailock)
Those delivery habits only matter if leaders can see whether the programme is working.
Metrics, Governance, And Culture
What Good Looks Like In Practice
Effective programmes prioritise a small set of outcome metrics that are meaningful to customers and regulators.
Examples include end-to-end service availability, verified recovery times, detection coverage over high-risk techniques, and time to contain suspicious sessions.
Lightweight governance still needs clear risk ownership, regular drills, and trackable decisions backed by evidence.
"You can't automate trust, but you can automate the evidence that earns it."
Sam Kendall works on digital marketing at Beyond Encryption, helping build B2B marketing activity around research, first principles, and sustainable growth. He writes about marketing effectiveness, positioning, customer communications, and digital culture, with longer-form work published at ATNL.