Kantyra Kantyra

← All articles

Detect

What you cannot see, you cannot protect

Alain Rees · 07-07-2026 · 2 min read

Every security strategy rests on a simple question: what do we actually have, and who touches it? As long as that question remains unanswered, every risk register is guesswork and every control a gamble. Detect, the first phase of the model, therefore revolves around three registers that together form the foundation: your assets, your suppliers and your incidents.

Start with assets and processes

A useful inventory does not have to be complete; it has to be honest. Start with the systems and processes the organisation genuinely depends on, and give each of them an owner, a classification and a rating for confidentiality, integrity and availability. That rating will feel rough at first, and that is fine: a rough rating that exists steers better than a refined one that is still to come. Do not forget the processes; a business process such as order handling or invoicing is precisely what your continuity analysis will start from later.

Know your chain before the chain knows you

NIS2, implemented in the Netherlands as the Cyberbeveiligingswet, places responsibility for the supply chain firmly with you. In practice, however, the first question rarely comes from the regulator: it is your biggest client sending a supplier assessment, or an insurer asking for an overview. So register your critical suppliers with the service they provide, their criticality and the agreements that exist on paper, and give every supplier a review cycle. Whoever knows their chain answers such requests within a day instead of within a month.

Incidents are signals, not stains

The third register captures what goes wrong. An organisation that makes it easy to report incidents sees sooner where things pinch; an organisation that discourages reporting discovers its weak spots only when an outsider finds them. Record per incident which assets were affected and which risk it relates to. That last link is essential: an incident is proof that a risk materialises in practice, and should therefore influence the assessment of that risk.

What this phase delivers

After this phase you know what exists, who is responsible for it and what actually happens. That sounds modest, and it is decisive: every phase that follows, from risk assessment to audit evidence, refers back to what you recorded here. Detection is not administration; it is the senses of your management system.

Want to see how this works in Kantyra?

In a 30-minute demo we walk through the model based on your situation.

Book a demo