In the boardroom, cybersecurity is still often seen as a matter of tooling, compliance, and investment. But in practice, the reality is different: many organizations lack sufficient visibility into what is actually happening within their own IT environments. And it is precisely that lack of visibility that makes attacks successful.
This is not an isolated issue, but a structural problem. Our 2026 Trend Report shows that in around 86% of the incidents examined, detection is hampered because relevant logging is missing, monitoring is limited, and systems fall outside the security scope. The risks this creates are fundamental: organizations believe they are protected, while parts of their environment in fact remain out of sight. We see this pattern recur consistently in our incident response cases.
Investing without insightOver the past few years, many organizations have invested heavily in a wide range of security tools, from EDR and SIEM to cloud security solutions. The common assumption is that more tooling leads to better visibility. In practice, the opposite is often true. Detection does not depend on the number of tools, but on the quality, coverage, and coherence of the underlying data. If logging is incomplete, systems fall outside monitoring, or data sources do not align, the result is a fragmented picture. Attackers are quick to exploit this. They do not even need to use advanced techniques; it is often enough for them to operate in parts of the infrastructure where visibility is limited or nonexistent.
In many organizations, the focus is still primarily on blocking initial access to systems and endpoints. That focus is understandable, but modern attacks are rarely defined by that first moment alone. The real impact often comes afterwards: when an attacker expands their access, explores the environment, moves laterally, and reaches sensitive systems or data.
It is precisely this phase that is underexposed in practice. The signals are often there, but scattered across multiple sources and therefore difficult to recognize in context. An attack can thus be visible without truly being seen. It is like having a camera only on the front door while the attacker is already moving through the building.
The recent cyberattack on Odido, which was disclosed publicly on 12 February 2026, underscores that the real impact of an incident is often tied not just to the initial access, but above all to what an attacker is able to do inside an environment afterwards. Odido reported that unauthorized individuals had gained access to a customer contact system and had stolen customer data.
The causes of this lack of visibility are often very concrete: audit logs are missing, log retention is limited, systems are not being monitored, and dependencies have been mapped only in part. These are not exceptions. In incident response cases, we consistently see attackers exploiting them. They operate within existing accounts, use legitimate administrative mechanisms, and remain unnoticed as long as there is no complete picture of their behaviour. The result is that an attack often becomes visible only after the damage has already been done.
That also makes the direction of the solution clear: not necessarily more tooling, but a security operation that gives organizations a coherent and verifiable view of the attack chain. This means a shift from alert-driven detection to an enterprise-grade approach in which the entire security chain, from beginning to end, is independently verifiable and controllable. This is becoming especially relevant for organizations subject to DORA and NIS2, as demonstrable control, logging, monitoring, and internal oversight are required under those frameworks.
In modern IT environments, however, that is easier said than done. Cloud platforms, legacy systems, external suppliers, and interdependencies all contribute to fragmentation. Logging differs from one system to another, responsibilities are divided, and security data is locked away across different platforms and processes. The result is an environment in which no one has a complete overview. And that is exactly where the risk lies. The more complex the environment, the greater the chance that parts of it remain out of sight. And that is exactly what makes it attractive to attackers.
The biggest problem is not a lack of tooling, but the confidence organizations place in that tooling. Many organizations base their view of security on dashboards, alerts, and standard detections. But these show only what is being measured within the boundaries of the chosen platform; the rest often remains out of view. This creates a false sense of control: the belief that the environment is protected when crucial parts are not being monitored, or not monitored sufficiently.
We see this reflected, among other things, in attackers’ increased focus on edge devices such as firewalls, routers, and VPN gateways. These systems are especially attractive because they occupy a strategic position in the infrastructure, are exposed to the internet, and often provide deep visibility into, or access to, the traffic and administration of an environment. Once an attacker gains access, there is a strong chance that their presence will remain unnoticed for a long time, especially if the telemetry from such systems is limited or not analyzed independently. The U.S. CISA explicitly warns that edge devices are being exploited by attackers to gain access, maintain long-term persistence, and compromise sensitive data. For the boardroom, this is a fundamental problem because decisions are being made based on incomplete insight. In that context, control is not the same as having dashboards. Real control means that an organization has end-to-end control of its telemetry, so that security is not only visible, but also independently verifiable.
This is where digital sovereignty touches the core of resilience. The question is not just where data resides, but above all whether security is independently verifiable. Can an organization itself determine what is happening, why it is visible, which detections have been applied, and whether the right conclusions are being drawn?
That requires a telemetry chain that does not fully depend on a single cloud platform, supplier, or closed security stack. Not because the cloud is inherently insecure, but because real control only has value if it is itself controllable. When logging, detection, correlation, and response are fully absorbed into a single ecosystem, dependency increases and it becomes harder to assess security outcomes independently.
That is why control begins with the independent processing of telemetry data. The ability to collect, process, and analyse telemetry independently of any single platform is a prerequisite for validating detections, applying alternative analytical methods, and ensuring that response decisions rest on a factual foundation free from vendor dependency. That makes security not only more effective, but also more credible.
This requirement for verifiability is becoming even more relevant as major technology platforms continue to enrich security operations with AI-driven prioritization, detection, and decision-making. Explainability and transparency are therefore essential conditions for trustworthy AI, and security is no exception. The U.S. NIST explicitly identifies explainability as a core element of trustworthy AI.
As long as organizations do not have a complete picture of their own environment, effective detection will remain limited. In that context, the amount of tooling is irrelevant. Cybersecurity is therefore not just a technical issue, but a governance risk. Without visibility, there is no control. And without control, your organization is not protected against cybercrime. Nothing more, nothing less.