
From Reactive to Proactive: Building a Future-Ready Security Programme

Posted by Sam Kendall

Security that prepares beats security that reacts - because resilience is built before alarms ever sound.

On Regulated Digital Episode 27, Debbie Janeczek, Chief Information Security Officer at ING, explains how global banks can move from reactive firefighting to intelligence-led resilience.

She leads ING's global information security strategy, strengthening the organisation's ability to anticipate threats, withstand disruption, and maintain customer trust.

From operational resilience and safe AI use to fraud trends and security that supports delivery, the discussion covers what it takes to build a future-ready programme at scale.

Watch the full episode above, or on YouTube, Spotify, and Apple Podcasts.

Created from episode transcript

From Reactive To Proactive

Why "Left Of Boom" Thinking Matters

Security functions have traditionally optimised for time to detect and time to respond to incidents.

A useful shift is to move earlier in the chain by anticipating failure modes, hardening critical services, and rehearsing disruption before it lands.

This approach aligns with UK resilience guidance and the EU regulatory direction, which emphasise demonstrable outcomes over tick-box activity.

Intelligence-Led Detection And Reduced Dwell Time

Proactive programmes begin with threat modelling that reflects current adversary techniques and feeds control design and testing.

That means integrating telemetry, automating triage, and isolating suspicious activity quickly to compress dwell time.

Industry reporting on incident response reinforces the link between earlier detection, shorter containment cycles, and reduced business impact.

"Resilience means you can take a hit and keep serving customers, not just detect that a hit happened."

Debbie Janeczek, Chief Information Security Officer, ING

Regulation is now pushing that mindset from good practice into measurable obligation.

Operational Resilience As A Regulatory Outcome

What DORA Changes

The EU Digital Operational Resilience Act (DORA) sets expectations across ICT risk management, incident reporting, testing, and third-party oversight.

For groups with EU entities, DORA requires evidence that critical services can withstand disruption and recover within defined impact tolerances.

The regulatory shift is an opportunity to align controls with business services rather than technology silos, which in turn improves customer outcomes.

For scope and timelines, see the official material on DORA.

Testing Readiness, Not Just Defences

Testing should be about assurance - proving that teams, controls, and suppliers can function effectively under pressure, not just executing technical drills.

The most useful insights are operational - how information flows in a crisis, how dependencies behave, and which actions accelerate recovery.

Resilience testing should be proportionate and repeatable, forming part of an organisation's rhythm rather than a one-off compliance event.

AI - Risks, Controls, And Opportunities

Using AI Safely In Financial Services

AI can accelerate detection and response when models and pipelines are engineered and operated securely.

Secure-by-design practices matter here, including data minimisation, segregation of duties, input validation, and defences against prompt injection and data leakage.

UK guidance sets clear expectations in the secure AI development guidelines and the regulator's material on AI and data protection.

Practical AI Assurance For Security Teams

Governance becomes effective when risk controls are testable, auditable, and monitored over time.

Practical assurance often combines model cards, targeted red teaming, drift monitoring, human-in-the-loop review, and decision logs mapped to business criticality.


Useful starting points include the UK government's introduction to AI assurance and the portfolio of techniques alongside awareness of the EU AI Act compliance horizon.

Fraud, Financial Crime, And Customer Trust

Trends Security Leaders Need To Watch

Fraud patterns continue to evolve across authorised push payments, account takeover, and mule networks using social engineering and misdirection.

Detection performance ties directly to customer trust because faster interdiction and clear communication reduce harm and reputational damage.

Security As An Enabler Of Delivery

Embedding Security Into Change And Product

Security can accelerate delivery when controls are designed as paved roads that teams can adopt quickly.

Design reviews that unblock decisions and secure defaults that remove friction help move risk management into the path of work.

Alignment with resilience guidance such as the UK Cyber Assessment Framework keeps engineering choices tied to measurable service outcomes.

"When boards review operational resilience, they are usually asking whether critical services still work after disruption - not whether the security team detected another event."

Paul Holland, Founder and CEO, Beyond Encryption (Mailock)

Those delivery habits only matter if leaders can see whether the programme is working.

Metrics, Governance, And Culture

What Good Looks Like In Practice

Effective programmes prioritise a small set of outcome metrics that are meaningful to customers and regulators.

Examples include end-to-end service availability, verified recovery times, detection coverage over high-risk techniques, and time to contain suspicious sessions.
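The dwell-time and containment metrics mentioned above (and the "compress dwell time" goal earlier in the piece) are easier to reason about once they are computed from real case records. The following is an added example, not code from the article or from ING: it takes a handful of constructed incident records, derives median time to detect and time to contain, measures detection coverage against an assumed list of high-risk ATT&CK technique IDs, and flags cases whose containment exceeded an assumed impact tolerance. The technique IDs, timestamps, rule names and the two-hour tolerance are all illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Incident:
    case_id: str
    technique: str          # ATT&CK technique ID observed in the case (assumed values)
    first_activity: datetime  # earliest attacker activity found during investigation
    detected: datetime        # when the SOC first raised the case
    contained: datetime       # when the suspicious session/host was isolated


# Constructed sample cases; dates and techniques are illustrative only.
INCIDENTS = [
    Incident("INC-001", "T1078", datetime(2025, 11, 3, 8, 0),
             datetime(2025, 11, 3, 10, 30), datetime(2025, 11, 3, 11, 15)),
    Incident("INC-002", "T1566", datetime(2025, 11, 5, 9, 0),
             datetime(2025, 11, 5, 9, 20), datetime(2025, 11, 5, 12, 20)),
    Incident("INC-003", "T1021", datetime(2025, 11, 10, 1, 0),
             datetime(2025, 11, 11, 1, 0), datetime(2025, 11, 11, 5, 0)),
]

# Assumed list of techniques the threat model treats as high risk for the business.
HIGH_RISK_TECHNIQUES = {"T1078", "T1566", "T1021", "T1486"}

# Assumed mapping of deployed detection rules to the technique each one covers.
DETECTION_RULES = {
    "anomalous-login-geo": "T1078",
    "mail-gateway-phish": "T1566",
    "lateral-rdp-burst": "T1021",
}


def dwell_time(inc: Incident) -> timedelta:
    """Time the adversary was active before the SOC noticed."""
    return inc.detected - inc.first_activity


def containment_time(inc: Incident) -> timedelta:
    """Time from detection to isolation of the suspicious activity."""
    return inc.contained - inc.detected


def median_hours(deltas) -> float:
    return median(d.total_seconds() / 3600 for d in deltas)


def detection_coverage(high_risk: set, rules: dict) -> tuple[float, list]:
    """Fraction of high-risk techniques with at least one rule, plus the gaps."""
    covered = high_risk & set(rules.values())
    missing = sorted(high_risk - covered)
    return len(covered) / len(high_risk), missing


def tolerance_breaches(incidents, tolerance: timedelta) -> list:
    """Case IDs whose containment took longer than the agreed impact tolerance."""
    return [i.case_id for i in incidents if containment_time(i) > tolerance]


def summarise(incidents=INCIDENTS, high_risk=HIGH_RISK_TECHNIQUES,
              rules=DETECTION_RULES) -> dict:
    coverage, missing = detection_coverage(high_risk, rules)
    return {
        "median_dwell_hours": median_hours(dwell_time(i) for i in incidents),
        "median_containment_hours": median_hours(containment_time(i) for i in incidents),
        "coverage": coverage,
        "uncovered": missing,
    }


if __name__ == "__main__":
    report = summarise()
    for key, value in report.items():
        print(f"{key}: {value}")
    print("over tolerance:", tolerance_breaches(INCIDENTS, timedelta(hours=2)))
```

Reporting the uncovered techniques and the over-tolerance cases by name, rather than only the aggregate numbers, is what turns the metric into the kind of evidence a board or regulator can act on: each gap points at a specific rule to write or a specific runbook step to speed up.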

Lightweight governance still needs clear risk ownership, regular drills, and trackable decisions backed by evidence.

"You can't automate trust, but you can automate the evidence that earns it."

Debbie Janeczek, Chief Information Security Officer, ING


FAQs

What Does Left-Of-Boom Thinking Mean?

It means reducing risk before an incident through intelligence, testing, controls, and early intervention.

Why Does Operational Resilience Matter to Security Teams?

Regulation increasingly expects firms to understand impact, test readiness, and recover important services.

How Should Firms Approach AI in Security Programmes?

Treat AI as a controlled capability: define use cases, check risks, monitor outputs, and keep human accountability.


References

From Reactive to Proactive: Building a Future-Ready Security Programme, Regulated Digital, 2025

Debbie Janeczek, LinkedIn

ING, ING Group

Digital Operational Resilience Act (DORA), EIOPA, 2025

What Is TIBER-EU?, European Central Bank, 2023

TIBER-EU Framework Updated To Align With DORA, European Central Bank, 2025

CBEST Threat Intelligence-Led Assessments: Implementation Guide, Bank of England, 2024

Annual Fraud Report, UK Finance, 2024

M-Trends: View From The Frontlines, Mandiant (Google Cloud), 2024

Guidance On AI And Data Protection, UK ICO, 2024

Introduction To AI Assurance, UK Government, 2024

Portfolio Of AI Assurance Techniques, UK Government (CDEI), 2023

Guidelines For Secure AI System Development, UK NCSC, 2023

Cyber Assessment Framework - B5: Resilient Networks And Systems, UK NCSC, 2024

EU AI Act: First Regulation On Artificial Intelligence, European Parliament, 2025

From Reactive to Proactive: Building a Future Ready Security Programme, Debbie Janeczek, ING (#27), Apple Podcasts, 2025

Reviewed by

Sam Kendall, 31.05.26

This content is for general information only and is not legal advice.


Originally posted on 18 11 25
Last updated on June 5, 2026

Posted by: Sam Kendall

Sam Kendall works on digital marketing at Beyond Encryption, helping build B2B marketing activity around research, first principles, and sustainable growth. He writes about marketing effectiveness, positioning, customer communications, and digital culture, with longer-form work published at ATNL.
