In the latest episode of The Sentyron Standard, Willemijn Rodenburg sits down with Frank Breedijk, CISO at Schuberg Philis and one of the most recognisable voices in Dutch cybersecurity. What follows is not a conversation about hype, fear or abstract frameworks. It is a grounded look at what security actually demands from organisations in 2026.
Frank’s perspective is shaped by decades in the field, from programming and vulnerability management to critical infrastructure, public-private collaboration and his work with DIVD. Across the conversation, one theme returns again and again: resilience is not built through slogans or compliance theatre. It is built through hard choices, real accountability and systems that are designed to hold up when people and technology inevitably fail.
Cybersecurity is still being treated like paperwork
One of Frank’s observations is that many organisations still confuse compliance with security. “They measure patching rates, build dashboards and report progress in percentages, while missing the harder truth underneath: attackers only need one mistake. Security doesn’t run the business, business runs the business.”
That line, passed on to him years ago by a mentor, has stayed with him ever since. It captures a central tension in modern cybersecurity. “Security teams do not exist to dominate the organisation. They exist to help the organisation operate safely. But that can only work if leadership stops treating security as a reporting obligation and starts treating it as a business condition. If you ask for 98% security, you will get 98% security and therefore also 2% vulnerability. The problem is not that metrics are useless. The problem is that they can become a substitute for intent. If the goal is only to show that enough has been done, rather than to ensure the environment is genuinely defensible, organisations end up looking healthy on paper and remaining exposed in practice.”
Frank is therefore direct about the gap between executive awareness and operational reality: “Too many leaders still underestimate how professionalised cybercrime has become. The idea that an organisation is too small, too local or too uninteresting to become a target is no longer just naive. It is dangerous.”
“Everyone is an interesting target.”
He points to the shrinking window between vulnerability disclosure and exploitation. What once took weeks can now take hours, or even minutes. In some cases, vulnerabilities are effectively discovered through their exploitation. That changes the game completely. It means response speed, prioritisation and operational readiness matter far more than broad policy statements.
For boards, this has consequences. Regulatory frameworks such as NIS2 and the Cyberbeveiligingswet push responsibility upward, which Frank sees as necessary progress. For years, the security industry insisted cybersecurity had to become a board-level issue. Now it is. But that responsibility only matters if boards understand the difference between legal defensibility and actual resilience.
“If I can prove my organisation is compliant, that does not automatically mean the organisation is secure. That is the uncomfortable message. Compliance may reduce liability. It does not stop attackers.”
Stop blaming users for behaving like humans
Frank is clear on a subject many security professionals still mishandle: human error. He rejects the reflex to shame employees who click a phishing link or make an avoidable mistake. In his view, that instinct reveals a failure of understanding: “I will never accept one of my colleagues calling a user a stupid user.”
The point is not that awareness no longer matters. It does. But users are not the root cause of cybercrime. They are often the final point of failure in systems that were never realistic about human limitations in the first place. Frank speaks from experience here. He recalls infecting his own laptop years into his career and treating that moment as a hard lesson in humility.
“If I can fall for it, how can we expect someone without six or seven years in the field not to?”
That matters even more now that phishing, impersonation and fraud have become harder to recognise. The old clues are disappearing. Poor spelling, awkward grammar and obvious formatting mistakes are no longer reliable signals in a world shaped by generative AI. That means organisations cannot build their security strategy around the fantasy of flawless user behaviour.
Post-quantum is not a future problem
Frank treats cryptography with the seriousness it deserves, but also with restraint. He does not frame cryptography as a silver bullet. In his view, it is part of the answer, not the whole answer. “Cryptography is part of the solution, but it can never be the solution by itself. That is a crucial distinction. Encryption is powerful when you must operate in environments that cannot be trusted.” But Frank pushes one step further: “If you have to layer on extreme complexity just to function in an environment you fundamentally do not trust, perhaps the smarter move is to stop depending on that environment where possible.”
Cryptography matters enormously, especially in hostile or high-risk settings. But resilience is not only about protecting data in transit or at rest. It is also about reducing unnecessary dependency on systems, providers or architectures that create structural exposure.
On post-quantum cryptography, Frank says: “Is the market ready? No. Should the market be ready? Yes.” He describes the coming transition not as a niche cryptographic issue, but as a major organisational and infrastructural challenge. Algorithms will need to change. Systems will need to adapt. Some underlying technologies may need to be redesigned. And most importantly, organisations need crypto-agility. Not just stronger cryptography, but the ability to replace and rotate cryptographic mechanisms quickly as reality shifts. Frank also raises the longer-term risk that even quantum-resistant algorithms may prove less durable than currently hoped. That means the transition is unlikely to be a one-time migration. It may become an ongoing capability.
“We need crypto-agility because we may have to switch again. And again.”
For many organisations, post-quantum still feels distant. Something for nation states, defence, intelligence or critical infrastructure. Frank does not deny that those sectors face the highest risk first. But he is clear that the issue will not stay there: “Capabilities spread. What begins at the geopolitical edge eventually moves into the criminal mainstream. The message is uncomfortable because it disrupts the common instinct to delay. Yet this is exactly where many organisations get caught. They treat strategic risk as tomorrow’s problem until it arrives as today’s operational crisis.”
Collaboration must deliver, and AI changes the rules
Frank’s work with DIVD shapes another important theme in the conversation: collaboration. He sees cybersecurity as a societal issue, not just a technical or organisational one. That means no single player can solve it alone. Not government. Not business. Not the security sector itself. “Cybersecurity is a societal problem.” But Frank is not interested in symbolic cooperation. He is critical of partnerships that amount to little more than alignment meetings and public language about shared goals. For him, collaboration has to produce action.
“Collaboration is work. It is not just agreeing with each other around a table.”
In cybersecurity, real progress often requires uncomfortable role clarity. Civil society groups can do things governments cannot. Private firms can move faster in some areas and slower in others. Public institutions bring legitimacy, scale and continuity. Effective cooperation depends on recognising those differences and using them, rather than flattening them into generic partnership language. “The threat is growing faster than any single institution’s ability to respond. If cooperation does not result in shared execution, then it is mostly theatre.”
If post-quantum represents a massive technical shift, Frank believes AI represents something even deeper. It will not just add new risk. It will change the logic of control itself. “I think artificial intelligence is going to turn the whole field upside down.” What concerns him most is not only offensive AI or deepfakes or automated attacks. “It is the way AI agents and generative systems undermine soft controls. Much of enterprise security still depends on influencing human behaviour through guidance, awareness and norms. But AI systems do not internalise norms in the same way. They optimise for outcomes, often without understanding why certain boundaries exist.”
That is why Frank argues for harder controls. Sandboxing, technical restrictions and structural boundaries matter more in an AI environment precisely because persuasive governance has less force. “This is not a minor operational update. It challenges years of security thinking built around awareness, soft influence and user education. In other words, AI does not just create new attack surfaces. It weakens some of the assumptions modern security programmes were built on.”
The real risk is outdated thinking
Frank offers something that is still surprisingly rare in cybersecurity: clarity without theatrics. He does not minimise the scale of the challenge. If anything, he sharpens it. But he refuses the lazy framing that security is mainly about fear, blame or bureaucratic control.
Across the conversation, his position is consistent. Security starts with realism. People make mistakes. Boards often misunderstand the problem. Compliance is necessary but insufficient. Dependency matters. Portability matters. Cryptographic transitions matter. Collaboration matters. And AI is about to test whether organisations are serious about control or merely serious about appearing in control. The real risk Frank identifies is not simply that attackers are getting better. It is that organisations are still attached to models of governance, technology and responsibility that no longer match the threat landscape they actually operate in.
Listen to Frank’s podcast (in Dutch) via Spotify or watch the podcast on YouTube.