Bert Hubert on the Paper Reality vs. the Real World
Digital resilience starts with being honest about our dependencies, having control over execution, and being willing to take responsibility. So says Bert Hubert, entrepreneur, speaker, and former supervisory board member at the Dutch General Intelligence and Security Service (AIVD).
Ahead of his keynote at Cybersec NL, he spoke with us about system outages, blind spots, boardrooms, and the role of the CISO. His analysis is sharp, but also points the way forward:
“I see how fragile our IT is. And it’s already collapsing on its own.”
Systems That Collapse by Themselves
Most disruptions in our digital infrastructure aren’t caused by external attackers, but by systems that are inherently unstable.
“We have bridges that don’t open because, well, the software isn’t working. Or we suddenly can’t use debit cards for half a day.”
Such incidents occur regularly and, according to him, clearly illustrate how vulnerable we are. As a self-proclaimed “big nerd,” he knows what he’s talking about. He still runs his own IT servers. So of course he knows what’s running and how it works — but that’s not the case everywhere. More and more organizations outsource their IT and systems, which ultimately leaves no one fully aware of what’s running where.
“Stuff that collapses on its own is obviously very vulnerable to someone giving it a little nudge from outside.”
— Bert Hubert
When a Platform Goes Down, No One Knows What Still Works
Many organizations claim to manage their critical systems internally. But if you dig deeper, you often find no one really knows for sure. Part is in the cloud, part is outsourced, and part still runs on internal servers. Do organizations really have a clear view of this? It’s also important to know what is truly essential and what isn’t, yet these dependencies are rarely tested.
As long as everything functions, nothing seems wrong. But what happens when it doesn’t? For instance, if a major platform fails? The consequences are usually unclear.
“What still works then? The funny thing is, nobody really knows,” says Bert.
Compliance tells us little about what’s actually going wrong.
The Paper Looks Great, but What Happens on the Ground?
Many organizations have their compliance neatly arranged, with procedures, audits, and reports. On paper, it all looks well-managed — but that says little about how systems behave under failure or attack.
Audits and compliance are not the shop floor. Under all that paperwork lies a digital reality where outdated systems, opaque access management, and unresolved vulnerabilities are common. The real issues become visible only on the shop floor: old systems, forgotten configurations, and overdue patches, often just outside the scope of official checks.
To see this clearly, you need real contact with the people working with those systems every day. Not via reports, but through conversations that leave room for what’s not in the checklists.
“As a director, you shouldn’t just show up in your suit and ask, ‘Is there anything I don’t know?’ That’s the wrong question. But you do need to be in contact to catch the signals.”
Only then will you hear things like: “By the way, we’re twelve weeks behind on patching.”
The CISO Between Policy and Practice
The CISO’s position illustrates the tension between formal responsibility and actual control.
“They’re expected to develop policy and be involved, but ultimately aren’t responsible for execution.”
Many CISOs can keep their board satisfied by following procedures, but according to Bert, that doesn’t necessarily contribute to true digital security.
“There’s room to pioneer by gaining more bite. By moving away from policy — and closer to execution.”
— Bert Hubert
A CISO who only manages compliance loses sight of what’s really happening. Risks often lie in systems and processes not included in the policies, but crucial in day-to-day operations. That’s where the real strength lies: understanding how things truly work. By being curious and understanding what’s running where and who has access, you prevent security from becoming a paper reality.
“You get hacked in the real world — not in that beautiful paper-compliance world.”
Defend Together: Alone, You’re Nowhere
During disruptions, the technical community switches gears incredibly fast:
“You’ll hear everyone asking: is this my outage, your outage, or our outage?”
Because formal chains are often too slow, your network, short lines of communication, and trust matter most. You need to know who to call, if you can still call. This way of collaborating demands more than technical alignment. It’s about actively building relationships, knowing how to find each other in a crisis, and being open about errors or vulnerabilities. Bert calls it Defend Together.
It’s no coincidence that Defend Together is also the topic of his keynote at Cybersec Netherlands. He hopes to meet people there who understand that without collaboration, you’re going nowhere.
“The opposite of Defend Together would obviously be Defend Alone. And you already hear how absurd that is.”
— Bert Hubert
About Bert Hubert
Bert Hubert is an entrepreneur, former supervisory board member at the AIVD, and speaker at the upcoming Cybersec Netherlands on 10 and 11 September at Jaarbeurs Utrecht. In conversation with Security Innovation Stories, he shares his concerns about the digital infrastructure on which our society runs.
Please note: the podcast is in Dutch.