
From Reactive to Proactive: Building a Future-Ready Security Programme

Posted by Sam Kendall

Security that prepares beats security that reacts - because resilience is built before alarms ever sound.

Debbie Janeczek is Chief Information Security Officer at ING.

Debbie leads ING’s global information security strategy, strengthening the organisation’s ability to anticipate threats, withstand disruption, and maintain customer trust.

In this episode, Debbie shares how to shift from reactive firefighting to intelligence-led resilience, how to use AI responsibly, and how to embed security into delivery so it becomes a value enabler rather than a blocker.

You can watch this video on YouTube or listen to the interview on our podcast channel.

Listen now if you want to hear how one of Europe’s leading banks is turning security into a driver of trust and innovation.

From Reactive To Proactive

Why “Left Of Boom” Thinking Matters

Security functions have traditionally optimised for time to detect and time to respond to incidents.

Debbie describes the value of moving earlier in the chain by anticipating failure modes, hardening critical services, and rehearsing disruption before it lands.

This approach aligns with UK resilience guidance and the EU regulatory direction, which emphasise demonstrable outcomes over tick-box activity.

Intelligence-Led Detection And Reduced Dwell Time

Proactive programmes begin with threat modelling that reflects current adversary techniques and feeds control design and testing.

Debbie highlights the need to integrate telemetry, automate triage, and isolate suspicious activity quickly to compress dwell time.

Industry reporting on incident response reinforces the link between earlier detection, shorter containment cycles, and reduced business impact.

"Resilience means you can take a hit and keep serving customers, not just detect that a hit happened."

Debbie Janeczek, Chief Information Security Officer, ING

Operational Resilience As A Regulatory Outcome

What DORA Changes

The EU Digital Operational Resilience Act (DORA) sets expectations across ICT risk management, incident reporting, testing, and third-party oversight.

For groups with EU entities, DORA requires evidence that critical services can withstand disruption and recover within defined impact tolerances.

Debbie frames this as an opportunity to align controls to business services rather than technology silos, which in turn improves customer outcomes.

For scope and timelines, see the official material on DORA.

Testing Readiness, Not Just Defences

For Debbie, testing is about assurance - proving that teams, controls, and suppliers can function effectively under pressure, not just executing technical drills.

The most useful insights, she says, are operational - how information flows in a crisis, how dependencies behave, and which actions accelerate recovery.

Resilience testing, Debbie adds, should be proportionate and repeatable, forming part of an organisation’s rhythm rather than a one-off compliance event.

AI - Risks, Controls, And Opportunities

Using AI Safely In Financial Services

AI can accelerate detection and response when models and pipelines are engineered and operated securely.

Debbie emphasises secure-by-design practices including data minimisation, segregation of duties, input validation, and defences against prompt injection and data leakage.

UK guidance sets clear expectations in the secure AI development guidelines and the regulator’s material on AI and data protection.

Practical AI Assurance For Security Teams

Governance becomes effective when risk controls are testable, auditable, and monitored over time.

Debbie recommends model cards, targeted red teaming, drift monitoring, human-in-the-loop review, and decision logs mapped to business criticality.

Useful starting points include the UK government’s introduction to AI assurance and its portfolio of AI assurance techniques, alongside awareness of the EU AI Act compliance horizon.

Fraud, Financial Crime, And Customer Trust

Trends Security Leaders Need To Watch

Fraud patterns continue to evolve across authorised push payments, account takeover, and mule networks using social engineering and misdirection.

Debbie links detection performance to customer trust because faster interdiction and clear communication reduce harm and reputational damage.

Security As An Enabler Of Delivery

Embedding Security Into Change And Product

Security can accelerate delivery when controls are designed as paved roads that teams can adopt quickly.

Design reviews that unblock decisions and secure defaults that remove friction help move risk management into the path of work.

Alignment with resilience guidance such as the UK Cyber Assessment Framework keeps engineering choices tied to measurable service outcomes.

Metrics, Governance, And Culture

What Good Looks Like In Practice

Effective programmes prioritise a small set of outcome metrics that are meaningful to customers and regulators.

Examples include end-to-end service availability, verified recovery times, detection coverage over high-risk techniques, and time to contain suspicious sessions.

Debbie also stresses governance that is lightweight and evidenced, with clear risk ownership, regular drills, and trackable decisions.

"You can’t automate trust, but you can automate the evidence that earns it."

Debbie Janeczek, Chief Information Security Officer, ING


FAQs

How is proactive security different from compliance?

Compliance checks policies and controls on paper, while proactive security demonstrates that critical services withstand disruption in practice.

What is the value of readiness testing?

It validates that people, processes, and systems can perform under stress and produces actionable data to strengthen resilience programmes.


References

Digital Operational Resilience Act (DORA), EIOPA, 2025

What Is TIBER-EU?, European Central Bank, 2023

TIBER-EU Framework Updated To Align With DORA, European Central Bank, 2025

CBEST Threat Intelligence-Led Assessments: Implementation Guide, Bank of England, 2024

Annual Fraud Report, UK Finance, 2024

M-Trends: View From The Frontlines, Mandiant (Google Cloud), 2024

Guidance On AI And Data Protection, UK ICO, 2024

Introduction To AI Assurance, UK Government, 2024

Portfolio Of AI Assurance Techniques, UK Government (CDEI), 2023

Guidelines For Secure AI System Development, UK NCSC, 2023

Cyber Assessment Framework - B5: Resilient Networks And Systems, UK NCSC, 2024

EU AI Act: First Regulation On Artificial Intelligence, European Parliament, 2025


Reviewed by

Sam Kendall, 03.11.2025


18.11.2025

Posted by: Sam Kendall

Sam Kendall is a digital strategy specialist with nearly a decade of experience exploring the intersection of technology, culture, and transformation. At Beyond Encryption, he drives strategic marketing initiatives that enhance secure digital communications and foster digital identity innovation. Known for insightful research into digital culture and user behaviour, Sam combines expertise in SEO, CRO, and demand generation with a deep understanding of the evolving digital landscape. His work empowers organisations to navigate complex challenges in digital transformation with clarity and confidence.
