New Publication: The Knowing-Doing Gap in Digital Security – The Silent Risks of Unvalidated Security Controls
By Anove
July 11, 2025
Cybersecurity experts Yuri Bobbert and Dr. Barry Derksen have co-authored a compelling new article in the ISACA Journal, titled “Certified but Vulnerable: The Silent Risks of Unvalidated Security Controls.”
The article sheds light on the often-overlooked vulnerabilities that persist in organizations, even those with recognized security certifications. Bobbert and Derksen argue that a disconnect between what organizations know and what they effectively implement—the Knowing–Doing Gap—can lead to severe security failures, including so-called black swan events.
Key insights from the article include:
- How cognitive biases create blind spots in digital security strategies
- Why formal certification does not guarantee operational security
- The need for continuous validation of controls, not just documentation
- Practical guidance on how to close the Knowing–Doing Gap
This publication is a call to action for CISOs, security auditors, risk managers, and business leaders to rethink how assurance and effectiveness are measured within their digital resilience programs.
The full article is available via ISACA Netherlands:
https://isaca.nl/the-knowing-doing-gap-in-digital-security/
About the Authors:
Yuri Bobbert is a cybersecurity strategist and professor of Digital Transformation at Antwerp Management School.
Dr. Barry Derksen is a researcher in IT governance and assurance with extensive experience advising global enterprises.