Security Is No Longer What It Used to Be: Toward a New Digital Social Contract

June 4, 2026

When we think about security, we tend to imagine police, armies, borders or surveillance systems. However, one of the most striking features of our time is that security is no longer purely physical: there is also digital security. More precisely, there are no longer two distinct kinds of security. There is a single security, deeply conditioned by technology, which the ESYS Foundation calls the security of the twenty-first century.

That was one of the most relevant conclusions we drew from the digital wellbeing meeting organized by ING in Madrid, in which institutional representatives, regulatory experts, leaders of the financial sector and cybersecurity professionals took part. This is the first element we want to highlight: a heterogeneous group of people from different backgrounds and with diverse opinions and, above all, a dialogue between those who have to make decisions (politicians and administrations) and the companies those decisions apply to. We also want to highlight that the points of agreement and shared perspectives far outweighed the differences.

The debate led us to the idea that cybersecurity can no longer be understood as a technical problem reserved for specialists in technology, in security or in both. It has become a social, economic, political and geopolitical challenge that affects everyone.

“We had never enjoyed so many technological possibilities and we had never been so vulnerable”

The expression “cybersecurity” is even starting to feel small. In the past, it was useful to describe protecting computer systems against external attacks. Today, however, technology permeates every aspect of human activity. It affects banks, hospitals, power grids, public administrations, the media, supply chains and personal relationships.

We had never enjoyed so many technological possibilities and we had never been so vulnerable. It is paradoxical. Digitalization has multiplied productivity, innovation and access to knowledge. It has transformed entire industries and changed the way we work, consume and communicate. But at the same time it has created new dependencies and new surfaces of attack.

During the meeting we recalled that digital fraud no longer affects only those who lose money in a banking scam. The problem goes further, because it compromises citizens’ trust, the operational continuity of companies, the provision of essential public services and even the economic stability of countries. In this sense, digital security is a collective problem, one that also reflects a new reality: technology today requires connectivity, and greater connectivity brings greater vulnerability and a larger attack surface. This challenge will only grow as AI develops, as shown by the recent Mythos case.

The financial sector provides a good example: the relationship between citizens and banking institutions is increasingly conducted through digital channels. Banking has been able to offer faster, more efficient and more accessible services than ever. However, that very convenience has widened opportunities for fraud, and that has made the financial sector subject to more restrictive and interventionist European legislation, the DORA Regulation. As we recalled at the meeting, paraphrasing an old television series, “the rich also cry.”

“Technological progress does not eliminate the need to manage risk; on the contrary, it makes it much more complex”

Instant transfers serve as a good example. They allow a person to have their money in seconds and constitute an extraordinary advance. Yet, from a security standpoint, they create a new challenge: when a fraudulent transfer can be executed instantly, the time available to detect and block it also shrinks.

We are not proposing a false dichotomy between innovation and security here. That would be absurd. But we do believe it forces us to reflect on a reality: every technological innovation simultaneously generates new opportunities and new risks. Technological progress does not eliminate the need to manage risk; on the contrary, it makes it much more complex in a technological world that is always interconnected and, therefore, more vulnerable.

Carlos López Blanco during the meeting ‘Mission social contract: Toward a safer digital world’. Photo: beBartlet

The Digital Revolution and the New Geopolitical Playing Field

These trends are driven by the current historical context, marked by a deep digital revolution. For years there has been debate about whether we are truly undergoing a transformation comparable to the Industrial Revolution. Our answer seems increasingly clear: not only are productive processes being transformed, but politics, social organization, wealth distribution, and international relations are also changing. In any case, the fact that Pope Leo XIV chose this name in parallel with Leo XIII and his Rerum novarum on the challenges of the Industrial Revolution allows us to lean on the classical Roma locuta, causa finita of Saint Augustine.

Digitalization has introduced disintermediation phenomena that affect virtually every aspect of collective life. The direct relationship between citizens and digital platforms has altered the role of traditional intermediaries. It has done so in commerce, information, politics and social communication. However, this technological revolution does not develop in a vacuum, since it is deeply conditioned by geopolitics.

“Today the battlefield between the two contemporary powers, China and the United States, is technology and technological supremacy”

The rivalry between the United States and China for leadership in artificial intelligence, quantum computing and advanced technologies probably constitutes the great strategic conflict of our time. Technology remains an economic instrument, but it is also a major tool of power. In contrast to the nineteenth-century Great Game, in which powers vied for colonial dominance, and to a twentieth century in which the two superpowers of the Cold War competed for military supremacy, today the battlefield between the two contemporary powers, China and the United States, is technology and technological supremacy, particularly artificial intelligence and quantum computing.

In this scenario, Europe has chosen a different strategy. Against the open Silicon Valley model and the authoritarian Chinese model, the European Union has built a model based on regulation. DSA, DMA, GDPR, NIS2, DORA, the Artificial Intelligence Regulation and other initiatives form part of a vast regulatory effort, a genuine regulatory tsunami, aimed at protecting rights, ensuring security, enhancing resilience and, at the same time, turning Europe into the rule setter of the digital world. It does so by leveraging the Brussels Effect seen in the GDPR case, which is a direct consequence of one of the key elements of the economy of the digital century: access to economies of scale.

However, regulation alone is not enough. Europe also needs to build a model for digitizing its economy that keeps it from being irrelevant compared to China and the United States.

One of the most interesting aspects of the meeting was the agreement on the idea of shared responsibility. Security cannot rest exclusively on citizens, nor exclusively on companies, nor exclusively on governments. Vulnerability is a transversal and collective challenge, and the answer must be as well.

“SMEs form part of increasingly complex supply chains and can become the entry point for targeted attacks against larger organizations”

Public administrations face growing challenges. Small towns manage sensitive information and provide essential services, but often lack sufficient resources or specialized knowledge. SMEs form part of increasingly complex supply chains and can become the entry point for targeted attacks against larger organizations. Citizens use digital services daily without always understanding the risks involved.

Everyone participates in the same ecosystem but, unlike governments and large companies, not everyone has access to the tools needed to survive these risks. We therefore believe that providing those tools should be a political and social priority, not only for their own benefit, but because the supply chain is often the entry point into a major attack for increasingly wealthy, innovative and sophisticated cybercriminals.

The President of the Foundation for Enterprise, Security and Digital Society led the Madrid event’s presentation. Photo: beBartlet

The Human Factor and Resilience to Digital Risk

What particularly caught our attention was a figure: 95% of vulnerabilities originate from the human factor. This percentage forces us to rethink some preconceived notions. We tend to imagine cybersecurity as a technological issue, when in reality it is often a matter of discipline in adhering to simple, basic norms.

The majority of incidents do not occur because an attacker has uncovered a sophisticated unknown vulnerability. They happen because someone opens a fraudulent email, reuses passwords, shares sensitive information or acts without proper training. Often, the greatest damage is caused not by attacks, but by negligence.

That is why digital literacy and cyber-hygiene have become strategic priorities. This goes beyond teaching how to use technological tools. It is about developing behavioral habits. Just as a society learns basic hygiene or road safety norms, it also needs to learn basic digital hygiene norms.

But it would not be fair to shift all responsibility onto citizens. Organizations have an obligation to design systems that are safer and more resistant to human error. Good security warns of danger, but also builds environments that minimize the consequences of inevitable mistakes.

“In a hyperconnected world, organizations are aware that they will suffer incidents”

Along these lines, it is worth addressing the concept of resilience. A few years ago, many organizations built their security strategy on the idea of absolute protection. The goal was to prevent any intrusion. Today we know that goal is unrealistic. In a hyperconnected world, organizations are aware that they will suffer incidents, and the remaining question is when they will occur.

Resilience starts precisely from that premise. It consists of developing the ability to anticipate threats, withstand attacks, respond quickly, recover and learn from experience and, above all, provide an appropriate response immediately.

The Jaguar Land Rover case, which we mentioned during the meeting, is the ideal example to understand this reality. A cybersecurity incident can extend its effects far beyond the company directly affected. It can paralyze suppliers, affect thousands of workers and generate multimillion-dollar losses and, in this case, substantial public subsidies. In an interdependent economy, one party’s vulnerability quickly becomes everyone’s vulnerability.

For this reason, cybersecurity can no longer be considered a technical issue confined to a specialized department or to a brilliant CISO (Chief Information Security Officer or director of information security). It must be part of the strategic leadership of organizations.

It affects business continuity. It affects reputation. It affects regulatory compliance. It affects the trust of customers and investors. And it also affects the responsibility of governing bodies and boards of directors.

The most recent European regulations clearly reflect this evolution. The new cybersecurity obligations are no longer directed at technical managers, but directly at boards and governance bodies, and they require active involvement in risk oversight. All this leads us to a broader conclusion.

“The digital revolution is giving rise to new agents with importance that previously only governments had: the large digital platforms”

The digital revolution is forcing a redefinition of the relationship between citizens, companies and public authorities. Just as the Industrial Revolution gave rise to new social rights, new institutions and new forms of economic organization, the digital revolution demands a new framework of shared responsibilities. It is also giving rise to new agents with an importance that previously only governments had: the large digital platforms, which bear responsibilities comparable only to those of public authorities, and this explains the need to regulate them. In other words, a new digital social contract is necessary.

That contract must recognize that security is a common good. It must assume that protecting the digital environment requires cooperation between the public and private sectors. It must promote education and awareness. It must drive effective information-sharing mechanisms about threats. And it must ensure that technological innovation advances hand in hand with trust.

Security can no longer rest solely on user prudence, nor on the response capability of a single company, nor on the isolated action of authorities. The digital society is an interdependent ecosystem. Its risks are shared. Its protection must be too.

Because, ultimately, the issue is no longer only technological. It is about preserving the trust on which the digital economy rests, the provision of essential services and the functioning of our democracies.

Cybersecurity, understood in this broad sense, is not merely a defensive tool; it is a necessary condition for prosperity, freedom and social cohesion in the twenty-first century.


Natalie Foster

I’m a political writer focused on making complex issues clear, accessible, and worth engaging with. From local dynamics to national debates, I aim to connect facts with context so readers can form their own informed views. I believe strong journalism should challenge, question, and open space for thoughtful discussion rather than amplify noise.