As CISOs, we have a responsibility to drive collaboration and technological innovation within the Netherlands, says Mahdi Abdulrazak, Group Information Security and Risk Officer at SHV Energy, a leading global distributor of off-grid energy. Mahdi covers Strategy & Governance on the board of the CISO Platform.

Starting as an ethical hacker at just 15 years old, Mahdi has spent his entire career focusing on cybersecurity, risks, and resilience. With more than twenty years of experience in the cybersecurity sector, Mahdi is now responsible for protecting the IT and Operational Technology (OT) assets of the company in more than 25 countries on four continents.

“Safety used to be the number one risk at SHV Energy. Those times have changed: security now stands at the top. These days, companies do not only have a lot of assets that need protection, but they also need to address the ever-increasing supply chain risks – for example, those caused by cyber wars between state actors. At SHV Energy, we use a lot of external IT services. If they get attacked, we indirectly become victims too.”

“We are aware that we cannot protect everything. We focus on our crown jewels first and make sure the rest of the company is as secure as possible.”

Over the last six years, Mahdi has set up a strong security strategy. Pillars of this strategy include building and improving governance and reporting, security by design, a comprehensive IT and OT security framework, and compliance with security laws and regulations. “We are aware that we cannot protect everything. We must make choices, which we do from a risk perspective. We focus on our crown jewels first and make sure the rest of the company is as secure as possible.”

Offensive security strategy

Over the last year, Mahdi and his team have made a shift in their strategy. “You can secure everything, but if you don’t know how hackers work or how they look at your digital environment, you have a big problem. That’s why we now combine our defensive security with offensive actions.”

“You can secure everything, but if you don’t know how hackers work, you have a big problem.”

“We use AI-powered tools, together with our in-house offensive security engineers, to identify risks and technical vulnerabilities. We prioritize based on hackability, by getting into the heads of threat actors. What tactics and techniques do they use? By trying to imitate them, we can strengthen our security.”

The CISO as an enabling business leader

The CISO role is an enabling one, Mahdi notes. “The CISO is not the person in the organization that sits behind a screen all day and tries to secure everything – the CISO is a person that understands what the business does, what its drivers are. Since everything is increasingly digitalized, the role of CISO becomes increasingly more important too.”

“Security isn’t sexy, and there can be pushback from different sides in the organization. You have to learn how to prioritize and engage various stakeholders.”

This makes the CISO position a stressful one. “Over the last twenty years, I have built a lot of resilience and experience, which makes it easier for me to deal with stress. However, with less experience, I can imagine there’s a lot of pressure on the person. Security isn’t sexy, and there can be pushback from different sides in the organization. You have to learn how to prioritize and engage various stakeholders.”

In addition to knowing how to communicate with various stakeholders, Mahdi also points out the importance of building a strong team. “It’s so important to invest in talent and allow people the opportunity to grow. You must lead by example: by showing strong leadership, you build strong leaders.”

Driving collaboration & innovation

“As CISO, it’s my responsibility to make the Netherlands more secure – not just my organization. But we need a lot more collaboration to accomplish this. The academic sector, the business sector, and the government should all be engaging in discussions, connecting with each other, and finding solutions together. Investing in collaboration between all stakeholders in the Dutch security ecosystem is key to protecting our country.”

“It would be a mistake to become solely dependent on international tech companies.”

One of the ways to do so is to invest in Dutch technology, Mahdi says. “The CISO community must ensure we support and facilitate the development of new technology within the Netherlands. This is important to make our country secure – it would be a mistake to become solely dependent on international tech companies. Investing in Dutch security startups will have a strengthening effect in the labor market as well: by giving these new companies a chance to develop technology, we will also attract more talent to the field of security in the Netherlands.”