
Suzanne Janse: ‘Resilience is the art of turning recovery into progress’

4 November 2025 | 4 minutes read

“Resilience does not mean you can prevent everything,” says cybersecurity leader Suzanne Janse. “It means knowing what to do when it happens - and practicing that together. It’s like Japanese Kintsugi: when porcelain breaks, the cracks are repaired with gold, making it stronger and even more beautiful.”

Suzanne is an independent strategic advisor and interim CISO, specialising in digital governance, security and GRC transformations. She helps CISOs, risk leaders, and executives strengthen their organisations’ ability to withstand and recover from disruption, not just technically, but operationally and culturally. 

Previously, Suzanne served as Global Cybersecurity Governance & Transformation Lead at ING. Today, she leads research on Highly Resilient Organisations at the Digital Knowledge Institute (DKI), exploring how resilient organisations manage digital risk, strengthen incident response, build cyber capabilities, and prepare for upcoming AI and cryptographic threats.

From technical defense to organisational capability

Two decades ago, cybersecurity wasn’t high on the priority list: it was just one of many operational risks considered in organisations. Today, digital risks dominate boardroom agendas, as they can threaten the very continuity of an organisation. Yet, Suzanne observes, many companies still frame resilience too narrowly. “Resilience is often viewed as a technical problem that sits with IT or security,” Suzanne explains. “But it’s an organisational capability. It’s about governance, communication, leadership and people, not only technology.”

She sees this confusion play out in many sectors, from financial services to energy. Regulations such as NIS2 and the Digital Operational Resilience Act (DORA) are forcing boards to take accountability for resilience. Still, the shift from compliance to capability is slower than it could be. “Executives are aware of their responsibilities,” Suzanne says, “but awareness isn’t enough. You need structure, ownership, and a culture that supports continuous preparation.”

Measuring the unmeasurable

One of the greatest challenges for CISOs and digital leaders is proving the value of resilience. “How do you quantify the fact that you prevented a ransomware attack?” Suzanne asks. “It’s a paradox: success in security often looks like nothing happening.”

She believes progress comes from turning incidents into data. Some organisations have begun quantifying the financial impact of security events to make the conversation more tangible. “If a single incident costs €600,000, it becomes easier to justify a €400,000 investment in prevention or response,” she says.

DKI’s research is exploring frameworks for resilience metrics: ways to assess not just technical readiness but also decision-making, communication speed, the ability to recover core operations, and the capacity to learn from each incident. “It’s not only about uptime or backup frequency,” Suzanne explains. “It’s also about how well teams cooperate, how fast information flows, and whether leadership can make the right calls under pressure.”

The power of practice

Suzanne’s core message to CISOs is simple: practice is everything. Real resilience cannot be built through policies or playbooks alone. It must be seriously tested and refined through simulation and experience. She encourages organisations to conduct various scenario-based exercises that include executives and business leaders, rather than only working with the IT teams. “When you simulate a ransomware attack or a cloud outage, people realise how dependent they are on each other,” she says. “You discover who takes initiative, who freezes, and where the communication gaps are. That’s when learning happens and renewal comes in.”

In her experience, these exercises also help bridge the gap between the CISO and the board. “Boards often underestimate the chaos of a real incident,” she explains. “When they experience that pressure in a controlled setting, they start to understand why investment in resilience matters.”

Building a culture of learning

Resilience depends as much on mindset as on process. Suzanne emphasises the importance of a safe culture where mistakes are acknowledged and analysed rather than hidden. “People make errors: that’s inevitable. What matters is how you respond and what you learn from them,” she says. She often points to the medical field as a model. “In hospitals, they conduct after-action reviews to understand what went wrong and why. We need the same approach in cybersecurity. Don’t punish people for incidents: use them to improve.”

At DKI, she promotes open knowledge sharing across sectors. She applauds organisations that are transparent about their experiences, such as TU Eindhoven, which published a detailed report after a major ransomware incident. “It was a brave move,” Suzanne says. “By being open, they helped the entire community learn, and learned a lot themselves too.”

Leadership and the role of the CISO

For Suzanne, the CISO’s role is evolving rapidly, from guardian of systems to architect of resilience. “CISOs must position themselves strategically,” she says. “That means engaging directly with boards, shaping governance and translating technical risk into business language.”

She uses a simple but powerful metaphor to describe the balance between control and flexibility: an orchestra. “Security and compliance are like the sheet music and the instruments,” she explains. “They provide structure. But resilience is the conductor: it ensures that even if one instrument fails, the music continues, especially when you practise a lot.”

True resilience, she says, is about autonomy and shared responsibility. Teams should be trusted to make decisions during a crisis. “You can’t centralise every action in a high-stress situation,” she says. “Empower people to act: that’s what creates agility and speed when it matters most.”

Moving from awareness to action

Suzanne’s work with DKI shows that many organisations already understand the why of resilience. The challenge now is the how. She advises CISOs to start with three priorities: establish clear governance and safe leadership, measure what matters, and practise continuously.

“Resilience isn’t something you declare; it’s something you demonstrate,” she says. “You prove it through practice, through the ability to recover and improve when things go wrong.”

In the end, Suzanne believes resilience will define the next generation of security leadership. “Prevention will always matter,” she says, “but preparation will determine who gets stronger from disruption. The organisations that learn, adapt, and rehearse: those are the ones that will recover and renew. Remember the gold cracks of Kintsugi.”