“NIS2 challenges us CISOs to concretize our work”

Daphne Frik

24 June 2024

By making security concrete and tangible, the implementation of NIS2 will create more understanding of the CISO role, says Justin Broeders, group-level CISO at the Ministry of Finance and member of the Central Government CISO Council. As a board member of the CISO Platform, Justin oversees the CISO Experience Groups.

As an experienced cybersecurity leader, Justin Broeders has built his career in both specialist and management roles, with a focus on second-line control and monitoring. Prior to joining the Ministry of Finance, Justin served as CISO and headed the CIO Office at Eneco, where he worked in an international setting within an organization designated as a provider of critical infrastructure.

“What drew me to my current role was the opportunity for me to play the connector. As CISO, you can end up in a place where everything is set in stone already, but that’s not what motivates me. In this role, I work with proven technology but with enough space to experiment, figure things out, and create policy together with my colleagues. I enjoy working together with both the central and the departmental government to translate security into reality.”

“The power of the public sector lies in our collaboration.”

“For me, this is where the power of the public sector lies: in the collaboration. Of course, there’s collaboration within the private sector as well, but in the public sector, it feels more natural. We don’t have any conflicting interests; we can work together in every area.”

In addition, there’s a lot of willingness to help each other out, Justin says. “For example, we can find a lot of overlap between the data domain and the security domain. Keeping data safe isn’t an isolated problem. At the same time, both domains are continuously changing. When we combine our strengths, we can fill in those gaps and give them the attention they deserve. By deploying security strategically, in support of organizational goals, new opportunities and possibilities will arise.”

Security as part of strategy

“Yes, security has proved its existence, and people know how necessary it is. However, there’s still a step up to be made: we now need to convince people that security should be part of the organization’s strategy. Often, we still have to explain the link between security and strategy – but it’s so much easier to meet your targets when your security is up to speed.”

“It’s so much easier to meet your targets when your security is up to speed.”

“This goes for other domains such as privacy and compliance as well. It’s not about checking off lists: it’s about actively hunting for risks, finding the weak spots that need extra measures, and putting energy into covering those risks. In essence, our roles are a lot more creative than people might initially think.”

Building a new security framework with NIS2

From his previous role in vital infrastructure, Justin was used to implementing NIS. For the government, however, the NIS2 Directive (Directive (EU) 2022/2555, the EU-wide directive on network and information security) is completely new. Therefore, it’s not just about making the correct changes in the policy, it’s about making a culture change in the organization as well, he says. “We won’t be implementing NIS2 on the fly. We want to do it in a pragmatic manner, by monitoring coherence across the ministries. There might be some differences between ministries, but we should be building a general framework.”

He is not worried about the delays in the Dutch NIS2 legislation. “Legislation moves at the pace you have. Fortunately, in the government, we’re less affected by the international changes in speed than some companies might be. And there’s a lot to prepare already: while the details must still be filled in, the NIS2 regulation provides a generic picture. Right now, it’s especially about determining what’s now in scope. What have we already done, what do we still need to do? And what will be the impact on our capacity?”

“NIS2 will bring in different dynamics, and we need to think about this: are we sufficiently equipped for the changes?”

What’s new in NIS2 is the formal supervision, Justin highlights. “Of course, we’ve always had to demonstrate that we’ve taken measures, but now this will be externally controlled. The incident-reporting obligation is important to look at too. We’ve had the GDPR, in which we have to report privacy-related issues, but NIS2 extends this to the reporting of cyber-related incidents, including outage of critical systems or hacking of systems without data leakage. Another core part of NIS2 is the supply chain: external links cause vulnerabilities, and we need to include those elements in our risk management. NIS2 will bring in different dynamics, and we need to think about this: are we sufficiently equipped for that?”

“NIS2 challenges us to demonstrate our work.”

Yes, NIS2 might come with a lot of regulatory pressure, Justin adds. “But at the end of the day, this is what validates our existence. Without this kind of necessary legislation, security may still end up on the board’s table, but NIS2 makes a security strategy concrete and tangible. It also challenges us to demonstrate things. What do we think of our maturity, where should we stand? Where are we now and where should we go? This will lead to constructive discussions – internally and externally – and, eventually, more recognition for the role of CISO. You’re not just doing random stuff; you can explain to the board and management why you make certain choices in your security strategy.”

Stepping out of your comfort zone

As a board member, Justin will oversee the CISO Experience Groups. “The power of the CISO community lies in the fact that it isn’t focused on one sector: it combines all industries and private and public organizations. There’s so much to learn from each other. As soon as you step out of your own work bubble, insights can arise that make you wonder: why didn’t I think of this earlier? It’s so helpful to think outside of your own borders and gain new insights. In the past, we have missed a lot of opportunities to work together as a security community, but we can make up for this now.

Of course, it’s not possible to share everything with each other: as CISOs we often deal with sensitive or classified information. But instead of focusing on what we can’t share, let’s look at what is possible.”