Job alert: a cyber sheep with five legs. All about unrealistic profiles.

Roos Dijkxhoorn

Through my work, I see a lot of the cybersecurity market and its need for security personnel and services. Companies are desperately looking for employees and consultants who can do “something with security”. The reason for this is the desire to get a better grip on this subject, which, without them asking for it, has come to play an enormous role in their business. The issue with these cyber people, these heroes in distress, is that they generally specialise in a number of topics and often cannot do everything. Just like anyone else, in other words. Yet in applications and job vacancies for security management roles, we often see a whole list of requirements that, in terms of content, covers every area.

Although it is quite realistic to look for someone who understands both technology and policy and can thus bridge the gap between IT and the business, it is somewhat less realistic to ask that person to be thoroughly specialised in both areas. This is for the simple reason that one person has only a limited amount of time to become good at something. And it may sound cliché, but someone who has made technology their hobby often prefers to be found behind a computer and is less comfortable explaining strategic issues in cybersecurity and business continuity to a CEO. Conversely, someone who is very good at governance issues is often unable to keep up with technical knowledge because managing stakeholders is simply time-consuming. In addition, you also have to be comfortable with what you do. There is a lot to learn and many people can definitely improve their weaknesses. But the question is whether it is fair to ask a passionate hacker to spend all day talking to managers, or to ask a security officer to do a code review (spoiler: they usually can't). Unless, of course, you are dealing with a five-legged sheep, but those are rare.

What could be the reason why people quickly assume that cybersecurity involves superhumans who are good at everything? Is it because most companies find it too difficult to understand the differences, or do they want to tick all the security boxes with as little budget as possible? I think it's a combination of the two. The times I have discussed this, it became clear that people did realise that security encompasses multiple topics and specialisms, but they did not know exactly how to divide it up, let alone see it in different roles. Moreover, only one FTE was budgeted for. Fortunately, we are slowly seeing a change in this. Some larger companies and government agencies already have much clearer security departments with different roles specified, but there is still a lot to be gained in many companies and institutions. Especially if you look further into the work behind the job descriptions (“everything related to security”).
