CISODAY in the rear view
The first CISODAY was kicked off by moderator Joost Hoebink, who called the two CISO community founders and CISO Platform board members on stage. Founder Dimitri van Zantvliet commemorated Steve Katz, who became the world's first CISO at Citibank thirty years ago. A lot has happened since: the attack surface exploded, making the CISO role crucial. Modern CISOs must know all about the relevant legislation: there's a tsunami of cyber laws. Cybersecurity has become the business of business leaders and boards, so a CISO must deal with leadership, too.
The new CISO community is there first and foremost to connect CISOs, and to build trust among each other. "You need to have your peers on speed dial," said Dimitri. Asked about the plans for the future, founder Rob Beijleveld said, "We need to build a rich environment where people can share information", and Dimitri added that the community needs to build an event agenda together.
Board member Mahdi Abdulrazak, tasked with stakeholder management, was asked about cooperation with third parties. "We want to cooperate with all parties involved in cybersecurity: government, semi-government, and corporations." Board member Justin Broeders, who leads the experience groups, said that the focus was now on European laws and regulations, and helping people with the practical impact these have on their operations.
Lastly, Luisella ten Pierik, who sits on the jury for the CISO of the Year Award, told the audience that the award process was interesting but intense for the nominees, who were assessed on different aspects of their roles and interviewed several times, had to write an essay and to pitch for themselves. She found it inspiring to hear the stories of the nominees. For her, it is confirmation that there is no such thing as the CISO. Every CISO role is different, depending on the type and maturity of the organization and the personality of the CISO.
Mimoent Haddouti: "CISOs are superheroes"
Former CISO at one of the big Dutch banks, currently a partner at PwC, Mimoent Haddouti explained that CISOs have evolved considerably over time: thirty years ago, the role was mostly technology-focused. From the year 2000 on, the role expanded to management and became more focused on compliance. Ten years later, the role became even more strategic, helping business leaders understand security. CISOs became leaders in developing security strategies. Nowadays, CISOs need to help their organizations become more cyber-resilient and foster a security-aware culture. Their role shifted from internally focused to more externally and globally focused because of our digital, interconnected world.
Digital evolution, emerging technologies, the evolving threat landscape, increasing regulation, and pressure on resilience and compliance have pushed the CISO into a front-row seat. Therefore, "CISOs need to align with management and internal and external stakeholders," Mimoent said.
The position of the CISO in the organization determines his or her influence and mandate. Often, CISOs report to the CIO or the CTO. But this is changing: some CISOs now report to the chair of the board, which brings them closer to the business. Cybersecurity is becoming a regular boardroom topic. At the same time, there is constant pressure on costs, while new capabilities are needed.
All in all, a strategic shift is visible. CISOs need to speak the language of the business and take the business along with them. But they also need to adapt and align with the people in the business. Most CISOs are doing a great job, though mostly behind the scenes: they are only visible in times of crisis. We should see the CISO under normal circumstances as well: time to step out of the shadows!
Laura Koetzle: Six CISO types
Thinking about your next career move? According to Laura Koetzle, VP and Group Director at Forrester Research, it’s important to consider what kind of CISO a company needs – and what kind of CISO you want to be. She explained that there are six basic modes of CISOs: the transformational CISO, the post-breach CISO, the tactical/operational expert, the compliance guru, the steady state, and the customer-facing evangelist CISO.
This doesn’t mean that you are limited to one of these six types: you could be any of them at different points in your career. However, it’s good to think about which role would work for you. Are you comfortable with lots of media attention and do you have experience with breaches? You might be great as a post-breach CISO. Do you excel at making information security part of the sales pitch and convincing customers that what you do is right? You should find a company that is looking for a customer-facing evangelist.
See Laura Koetzle's slides here
Bibi van den Berg: "Cybersecurity is unquantifiable"
People in business love numbers. It is easy and efficient to base strategic decisions on data and quantifications. Many cybersecurity approaches today align with this perspective, said Bibi van den Berg, Professor of Cybersecurity Governance at Leiden University. Risk management has a long history and roots in the aviation industry. There is lots of data available on potential causes of incidents and near misses and engineers can act adequately on this type of information. Simulations create safe environments for endless testing.
But, according to Bibi, airplanes aren’t much more than pipes with wings, many instruments, and buttons. Very few variables play a role in keeping it in the sky. In comparison, the cybersecurity industry has much less data, which is much harder to read and understand. And cyber simulations are more complex, too, while reality is also more complex.
Yet, we use the same methodology, borrowed from the aviation industry with some adjustments, to assess risks. On top of that, there is a great degree of intentionality in cyberspace: a vast majority of incidents are caused by people who willfully want to do bad things. Besides, they act to surprise their victims, otherwise attacks wouldn’t be successful.
The question is: "Shouldn’t we have different conversations with our boards? How can we make decisions without relying on numbers? An alternative is value-driven decision-making: boards decide which key values drive their organization, including but not limited to security. For instance, an organization that places great emphasis on security may become less open and more partitioned," said Bibi.
Hans de Vries: "'Europe' is important for cybersecurity"
Hans de Vries, Chief Cybersecurity and Operational Officer at the European Union Agency for Cybersecurity (ENISA), brings an international perspective to the discussion. In the last few years, we have focused on threats such as ransomware and supply chain attacks. However, Hans highlighted, "There is a range of new threats we should be aware of – and should prepare for. Among others, these threats include skills shortages and supply chain shortages, but also the recent acts of aggression by state actors."
New European regulations such as NIS2, DORA, the amendment to the EU Cybersecurity Act, and eIDAS 2.0 are trying to diminish these risks. ENISA plays a big role here, contributing to policy, helping Europe prepare for tomorrow's cyber challenges, and accommodating the differences between sectors.
"However, collaboration is needed within the EU," Hans added. "We need to make advancements in vulnerability databases and notification systems, cybersecurity baseline measures, incident reporting, stress testing training, and crisis management."
See Hans de Vries' slides here
Aart Jochem: Recognition for the CISO
A CISO and his or her people must fend off ransomware, outwit hackers from state actors, and fix vulnerabilities in software. A CISO must also have people skills and managerial skills. He or she must know how to negotiate with the CEO and strike a balance between facilitating operations and adequate security, according to Aart Jochem, CISO for the Dutch Government at the Ministry of Internal Affairs.
At the same time, a CISO must know a lot about the latest technological developments to assess risks. He or she must have relevant knowledge of AI and data analytics, and of course the latest threat intelligence. Above all, a CISO must respond quickly to incidents. Furthermore, a CISO must keep track of relevant laws and regulations and supervise their implementation.
All of this is something only a few people are capable of. The CISO of the Year Award is therefore also a recognition of the crucial position that the CISO occupies – or should occupy – in organizations. The winner acts as an ambassador for the profession: we hope to make the position of the CISO and his or her field more widely known. "This is why the award is so important," Aart said. "It speaks of pure recognition for the profession."
Eddy Boot: "Security by design and by default"
It’s time for a new transition, dcypher’s Director Eddy Boot argued. The role of cybersecurity has to change: it cannot be seen as an organizational problem anymore. Organizations must shift to building cyber resilience, rather than creating patch after patch.
"We need to be serious about security by design and security by default," Eddy added. We cannot start thinking about this after products and services have been created. This shift left in software development will lead to autonomous cybersecurity, rather than cybersecurity by intervention.
Think about autonomous systems in transport, such as the autopilots in planes or Teslas: this is what we need to have in the digital sector as well. Eddy therefore called for organizations to participate in increasing innovation in the Netherlands. We need to create new tools, work against adversaries together, and help researchers and government officials set up programs to keep the Netherlands safe.
Sándor Incze: "Do more with less, work smarter, not harder"
At CM.com they like to keep cybersecurity simple. Their CISO Sándor Incze, however, wears a confusing number of hats in daily life, all somehow related to security in its broadest sense: he is a researcher, out in the field, a police officer in his spare time, a deputy prosecutor, and an investigator of cyber incidents for the police. As the CISO of CM.com, he has the national police, the national government, and many financial institutions as customers.
Sándor presented a case. Data had been stolen from a customer, and they wanted to find out what happened. For a considerable part, security is about the question, "Who has access to what? Therefore, user access management begins and ends at HR," said Sándor. They found that HR used email to send messages about access rights to IT. Since email is not instant, requests being dealt with only when there is capacity, rights that should have been retracted were still active. Now they work with a solution that automatically assigns and retracts user roles and rights in a no-network, zero-trust environment.
"We reduced the risk – although it’s not quantifiable – we have real-time monitoring, cost insights, and we reduced the IT workload," said Sándor. His company has shifted the focus from compliance and procedures to practical effectiveness.
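The failure mode Sándor describes, access rights outliving the HR decision because the revocation travels by email, is easiest to see in code. The following is an added example, not CM.com's solution or anything shown in the talk: it treats the HR roster as the source of truth, derives expected entitlements from a hypothetical role model, and diffs them against a constructed snapshot of actual grants. It covers joiners, movers, leavers and orphaned accounts, and reports how many days a leaver's rights have outlived the exit date, which is exactly the window the email-based process left open.

```python
# Added example (not from the talk or CM.com): HR-driven reconciliation of
# entitlements, so rights follow HR events instead of waiting for an email to
# be picked up. Role model, roster and grants below are all constructed.
from datetime import date

# Hypothetical role model: the HR department attribute decides the entitlements.
ROLE_ENTITLEMENTS = {
    "finance": {"erp-read", "erp-approve"},
    "support": {"crm-agent"},
    "it": {"admin-console"},
}

# Constructed HR roster, one record per employee id.
HR_ROSTER = {
    "alice": {"department": "finance", "status": "active", "left": None},
    "bob":   {"department": "finance", "status": "terminated", "left": date(2024, 5, 1)},
    "carol": {"department": "support", "status": "active", "left": None},  # moved from finance
}

# Constructed snapshot of what the systems actually grant today.
CURRENT_GRANTS = {
    "alice": {"erp-read"},                 # joiner: still missing a role entitlement
    "bob":   {"erp-approve"},              # leaver: HR exit date passed, right still active
    "carol": {"erp-read", "erp-approve"},  # mover: still holds old department's rights
    "dave":  {"admin-console"},            # not in HR at all: orphaned account
}

# Hypothetical date of the reconciliation run.
AS_OF = date(2024, 5, 10)


def expected_entitlements(record):
    """Entitlements a person should hold; non-active or unknown people get none."""
    if record is None or record["status"] != "active":
        return set()
    return set(ROLE_ENTITLEMENTS.get(record["department"], ()))


def reconcile(roster, grants, as_of):
    """Diff HR truth against actual grants.

    Returns a dict keyed by user with:
      grant   - entitlements to add (joiners and movers),
      revoke  - entitlements to remove (movers, leavers, orphans),
      overdue - days a leaver's rights have outlived the HR exit date (0 otherwise).
    Users whose grants already match HR do not appear.
    """
    actions = {}
    for user in sorted(set(roster) | set(grants)):
        record = roster.get(user)
        want = expected_entitlements(record)
        have = grants.get(user, set())
        to_grant, to_revoke = want - have, have - want
        overdue = 0
        if record is not None and record.get("left") and have:
            overdue = max(0, (as_of - record["left"]).days)
        if to_grant or to_revoke:
            actions[user] = {"grant": to_grant, "revoke": to_revoke, "overdue": overdue}
    return actions


def run_example():
    """Reconcile the constructed data as of AS_OF."""
    return reconcile(HR_ROSTER, CURRENT_GRANTS, AS_OF)


if __name__ == "__main__":
    for user, action in run_example().items():
        print(f"{user}: grant={sorted(action['grant'])} "
              f"revoke={sorted(action['revoke'])} overdue={action['overdue']}d")
```

Run on a schedule, or triggered by HR events, the `revoke` sets feed the provisioning system and the `overdue` counter becomes the metric to watch: with the email process it grows by one every day a ticket waits; with automated retraction it should stay at zero. The orphan case (an account with rights but no HR record) is worth keeping, since it is the one a pure HR-event feed never raises.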
See Sándor Incze's slides here
Peter Sandkuijl: "Not everything should be in the cloud"
The role of the CISO is changing, said Peter Sandkuijl, VP Sales Engineering for EMEA at Check Point. Like Laura Koetzle, he distinguishes different CISO personas. According to Peter, there are currently three types of CISOs: the tactical/operational one, the compliance & risk one, and the transformational one.
Additionally, he identifies four areas of interest for the CISO of today: the growing post-breach litigation burden, the rise of the fake with AI, the growing crime economy, and the tightening of regulations.
Now more than ever, CISOs should focus on building resilience. "Start thinking about how you build security in your fabric," Peter said, and make sure all building blocks of the organization have security elements built in. For example, organizations should start hosting data in their own data centers: not everything should be in the cloud.
See Peter Sandkuijl's slides here
Cybersecurity Achievement Award: Hans de Vries
At the evening VIP dinner, between courses, Hans de Vries, Chief Cybersecurity Officer at ENISA and former Director of the National Cyber Security Centre (NCSC), was presented with the Cybersecurity Achievement Award for his long-standing commitment to strengthening cybersecurity in the Netherlands. "Hans has made a significant contribution to the cybersecurity ecosystem in the Netherlands," said Dimitri van Zantvliet. "He is a visionary leader. His personality, even more than his extensive experience, enabled him to forge lasting connections between the public, private, and academic sectors."
CISO of the Year: Jeroen Schipper
Toward the end of the event, Jeroen Schipper, CISO at the Municipality of The Hague, received the CISO of the Year 2024 Award from Aart Jochem, chairman of the jury. He owes the award to his transformational role and holistic and inclusive cybersecurity approach. According to the jury, his contributions to the professionalization of the CISO profession and his role as an active representative of the city of The Hague in cybersecurity matters were also considered.
"His vision for the role, his ability to plan, influence, and adapt to changing situations were tested and discussed by the jury and proved to be the best of the nominees. I am convinced he is and will be a role model for the profession," Aart Jochem concluded.