Share
At Xebia and Hunt & Hackett, we often meet companies that have run into trouble because, for a while, security was not a priority — whether due to a lack of in-house expertise or simply because it didn’t feel urgent. But with 77% of companies experiencing at least one cyber incident in the last two years (1), and billions of personal records seized in the U.S. just a few months ago (2), this worries us.
Cybersecurity is no longer a ‘nice-to-have' feature but a critical component for business continuity and competitive differentiation. And we are here to help.
Today's Most Critical Threats and Regulations
Today, companies face a fierce threat landscape dominated by three trends: the rise of Operational Technology (OT) attacks, the increasing impact of cyberattacks — especially when directed against critical services — and the introduction of stricter regulations like NIS2, DORA, and CRA. These developments underscore the need for organizations to strengthen their cybersecurity frameworks and maximize resilience.
Operational Technology Attacks
As Operational Technology (OT) systems are becoming increasingly connected to IT networks, they drive operational innovation but also introduce significant risks. The growing dependency between OT and IT exposes organizations to vulnerabilities due to legacy systems and hidden dependencies. Since these systems are now easier to access, and provide significant leverage once compromised, OT has become a prime target for malicious actors.
Powerful and Targeted Cyberattacks
Cybercriminals are growing more sophisticated, targeting high-value sectors like healthcare, utilities, and financial institutions to exploit vulnerabilities for data theft, extortion, and control of OT systems. Meanwhile, geopolitical tensions are driving state-sponsored actors to infiltrate critical infrastructure, often with long-term strategic goals. The consequences are severe, with ransomware attacks, supply chain disruptions, and data breaches not only halting operations but also putting public safety at risk.
Cybersecurity Regulations
Regulatory bodies are tightening cybersecurity requirements to protect both businesses and customers. Frameworks like the EU's NIS2 Directive, the Digital Operational Resilience Act (DORA), and the Cyber Resilience Act (CRA) demand the implementation of strict (proactive and reactive) security measures. Under NIS2, executives even face personal liability if security is not adequately managed through the required risk management frameworks.
Partnering for Protection
NIS2 expects companies to act now and get their defenses in order. This pressure is putting a strain on many companies. To make matters worse, the ongoing 'war on talent' has made it even harder to find skilled professionals — especially those who can bridge the gap between technical teams and the board. To fill this gap, 25% of organizations plan to invest in third-party professional services, while 23% aim to outsource their cybersecurity to managed (security) service providers (1). For example, companies like Xebia offer expert consulting services, customized cybersecurity strategies, and compliance guidance. In addition, specialized security service providers like Hunt & Hackett provide continuous monitoring, threat detection, and incident response capabilities to help mitigate and manage risk, all while you retain the ultimate responsibility and decision-making authority over your risks.
Why Outsource
“Keeping security in-house demands significant time, talent, and technology investments. The key question is: Does this align with your core business, and are you ready to commit? In many cases, outsourcing the work — not the risk — is the better option,” says Francisco Dominguez, Research and Innovation Lead at Hunt & Hackett.
He explains, "Attackers don't stick to office hours. Your security monitoring needs to be up and running 24/7, which means you will need a lot of people who will also need to work shifts. Secondly, to get it right, you will need threat intelligence, detection engineering, response engineering, platform onboarding, support, maintenance, and threat-hunting teams. Finally, you want your team to stay motivated, but monitoring the same systems all the time can become really boring. So, how will your team keep up with industry trends and threats if all they see is your environment?"
What You Need to Know Before Outsourcing
While the reasons to partner up are compelling, successful outsourcing begins with a solid foundation of security knowledge. As Dominguez puts it, "Outsourcing is often harder than people expect. To make informed decisions, you must understand the field and what’s truly important. For example, NIS2 mandates a root cause analysis after an attack — do you know what logs and security telemetry data you will need in that situation?” He adds, "You must understand your business risks and the solutions that align with your needs before engaging with potential partners. Taking this proactive approach solves two critical issues: 1) you will avoid bringing in partners that aren’t the right fit, and 2) you will prevent investing in solutions that don’t meet your requirements or comply with necessary standards."
The Value of Third-Party Security Services
1. Focus on the Threats That Matter
The risk of a cyberattack is undeniable, especially for major players or critical parts of the supply chain — there are plenty of sharks circling the waters. But do you know which specific threats are targeting your business? That’s where a specialized partner like Hunt & Hackett comes in. Identifying these threats is the first step we take.
Dominguez explains, “Imagine there are 1,000 potential attackers worldwide. How do we know which ones matter to you? We narrow that number down to the 200 most relevant and then analyze their tactics, motives, and methods. Once we have a clear picture of who they are, why they are targeting you, and how they operate, we can implement the right defenses to match the threat.” He concludes, “While no approach is ever completely watertight, combining a data-driven methodology with expert insight ensures that security recommendations, measures, and investments are not just informed but measurable. Solely relying on one or the other is no longer enough in today’s complex threat landscape."
2. Cyber-Ready Business Continuity
Traditional Business Continuity Plans (BCPs) are not designed to address the full scope of modern cyber threats. At Xebia, we take a more comprehensive approach by developing Cybersecurity Business Continuity Plans (CBCP) that protect critical assets and ensure business as usual, even in a crisis.
Sven de Bruin, Security Consultant at Xebia, explains: “Everything we do is connected to a tangible risk, and linked to a clear goal. This ensures that everyone in the company understands the importance of each action, leading to better awareness and internal support. When we can answer the why for everyone, we know we’re doing our job right.” Filip Chyla, Security Consultant at Xebia, adds: “We focus on the risks that matter to our clients. Doing so means we never need to convince anyone— they immediately see the value of the CBCP and understand its critical role in their operations. We aim for clarity, not just compliance.”
3. IT and OT: Two Birds, One Stone
Dominguez, “While the approach to securing both OT and IT is similar — identifying threats, assessing risks, and implementing defenses — OT demands a more nuanced strategy. OT systems are often isolated, with complex connectivity, making them harder to protect. The key is taking a slow, methodical approach, understanding the environment deeply, and prioritizing availability. With Hunt & Hackett, you get a specialized partner to protect your IT and OT infrastructure, killing two birds with one stone.” De Bruin adds: “At Xebia, we train companies to detect and secure the connections between IT and OT. But we also work with OT manufacturers to ensure they design products with security in mind. For example, one company proposed using an operating system that’s 20 years old. Such outdated systems still carry vulnerabilities we've long since addressed. Relying on an OS like that introduces significant exposure and risk — if the product fails, none of its users can't do their job.”
4. Expert Knowledge and Powerful Tools
Partnering with a trusted cybersecurity provider gives you access to specialized expertise and a comprehensive range of security solutions, like Managed Detection and Response (MDR). What sets MDR apart is its dual approach: proactive threat detection and rapid response to mitigate damage. It also helps meet the compliance requirements of NIS2. Wilfred Vos, Security Expert at Hunt & Hackett, explains, “MDR monitors systems 24/7 and stores logs, providing critical insights into how and where an attack occurred, ensuring regulatory compliance.” He adds, “Like many of our services, MDR can be fully outsourced or integrated into a hybrid model, where we handle detection and your in-house team manages the response — or we can automate the response, always within a strict mandate. This approach not only strengthens security but also reduces internal pressure, eliminates the need to recruit costly cybersecurity talent in a competitive market, and covers the fundamentals without compromise.”
5. Rapid Incident Response & Supply Chain Security
In a cyber crisis, speed is critical. The NIS2 directive mandates breach reporting within 24 hours and a full update within 72 hours. At Xebia and Hunt & Hackett, we create customized incident response plans that enable rapid containment, quick recovery, and thorough post-incident analysis to prevent future breaches. However, cybersecurity isn’t just about protecting your internal systems — it's also about securing your supply chain. Your security is only as strong as your weakest partner, and NIS2 holds you accountable for third-party vulnerabilities. We help you identify and secure risks across your entire supply chain, minimizing potential threats and safeguarding critical operations. By proactively addressing these risks, we ensure that if an incident does occur, you’re well-equipped to limit its impact and reduce associated costs.
In a Nutshell: Why Partner with a Cybersecurity Expert?
- Access specialized knowledge to stay ahead of emerging threats.
- From MDR to incident response, get tailored, end-to-end protection.
- Identify vulnerabilities early, especially across IT and OT systems.
- Ensure NIS2 and other regulations are met, avoiding fines and reputational damage.
______________________________________________________________________
Sources:
1: Kaspersky, https://www.kaspersky.com/about/press-releases/four-in-ten-companies-plan-to-outsource-cybersecurity
2: Bloomberg Law, https://news.bloomberglaw.com/privacy-and-data-security/background-check-data-of-3-billion-stolen-in-breach-suit-says