While the threat landscape is continuously evolving, our attack surface is growing too, says Dimitri van Zantvliet, Director Cybersecurity & CISO at NS and one of the initiators of the CISO community. CISOs have a vital role in convincing boards to act now.
In today’s world, three drivers define the role of the modern CISO, van Zantvliet says. The first driver is the ongoing digital transition. “While this is not a new process, the transition to a digital world continues undiminished today. The world is changing in front of us, and an increasing number of processes is being moved to a digital version.”
“This could pose a threat to our society,” van Zantvliet notes. “With more processes being online, the attack surface increases too. Companies’ software and infrastructure might have functionalities that can lead to vulnerabilities, which attackers can then use to infiltrate into those companies’ networks.”
“The digital transition could pose a threat to our society. With more processes being online, our attack surface increases too.”
Evolving threat landscape
Controlling the attack surface must, therefore, be a main point of attention for CISOs. Yet, this can be made more difficult by the second driver: the evolving threat landscape. “The threat landscape is changing continuously,” van Zantvliet says. “At the moment, there’s a huge asymmetric digital warfare going on. We can see that attackers have enormous resources, money, and intelligence. To keep protecting ourselves against these attacks, we must also keep evolving. We can’t change everything all at once, but just a one percent improvement each day is a good start.”
Personal liability
In case companies aren’t yet convinced about the urgency of the issue, at least the third driver, which concerns the upcoming cybersecurity laws and regulations, will force them to act faster, van Zantvliet says. “Companies will have to start preparing for the EU’s NIS2 directive, which will be transposed into national law by the end of 2024. An important point in NIS2 is the extension of the duty of care to natural persons. Going forward, not just the legal person, but the organizations’ directors can also be held liable.”
This might force the board of directors to think differently about improving their cybersecurity, van Zantvliet notes.
“If you don’t have your things in order, you as a board member can be held liable.”
“Yet, I still see companies that don’t even have their basic security in order. Just fixing those basic things, such as implementing multi-factor authentication, enforcing complex passwords, segmenting networks, would mean an 80 percent resilience improvement.”
Advocating for better cybersecurity
There is a significant role for CISOs to advocate for better cybersecurity, van Zantvliet believes. But to convince the board, you need to stand strong and be confident. “These are skills that we should help each other with. We as more experienced CISOs should initiate a dialogue in which we teach younger, less experienced CISOs how to make their point without coming across as intimidating or unpleasant.”
“For me, this CISO community will be a success if we can bring together the best CISOs in the field if we build a platform where CISOs can have open dialogues, and better protect our society against the ongoing digital warfare.”