Martin de Vries: "No competition on security"
Martin de Vries has been the CISO at Eindhoven University of Technology since spring 2021. Previously, he worked at Rabobank for 22 years in various (security) roles and was a mentor for startups and scale-ups within Rockstart and Startupbootcamp.

CISOs have been under considerable pressure in recent years. Externally, because of the constantly changing threat landscape, and internally, because of the heavy responsibility to keep the organization secure and resilient. What are your experiences?
“You notice that security, information security, and cybersecurity are becoming increasingly important, even at the board level. My experiences have been positive. I don't have the idea that there is a very strong pressure from the organization on me. There is a lot of support from the board and senior management."
"It definitely has their attention. There are regular reports to the board, and then they really want to know how things stand with the maturity, with the risks. They really want to know the ins and outs.”
Could that be because of the organization type? Isn’t there quite a bit of IP to protect at a technical university? Is the acknowledgement widespread that this needs to be very well protected?
“Well, it’s not so prevalent. A university is ultimately there for education and research. A researcher or a research group obviously decides what and how they research. Perhaps not during the research, but afterward, the intention is to publish the results. Actually, there is much more emphasis on sharing information and knowledge than on protecting it."
"Of course, we also do research with partners, like ASML and others, whose technology we have to protect. And of course, the government has set some rules for knowledge sharing with other countries. There is a growing awareness of what you can and cannot share, also in terms of knowledge security. But we are dealing with a culture that basically likes to share things. So there is a tension in that regard."
"Ultimately, there are agreements, including in the area of security, that researchers make with an external partner as part of a research assignment. My colleagues and I help with that. What type of research is it about? What data is involved, and how will it be classified? That's where we can take the appropriate technical measures, or at least raise awareness.”
There are roughly two types of CISOs: those who have their roots in IT, and those who have a business background above all else. Where do your roots lie, and how do you compensate for possible gaps in knowledge and experience?
“I graduated in Industrial Engineering with a focus on Information Technology, so I have always been on the dividing line between technology and business. That has always been my field of work. I have enough knowledge of the technology to be able to translate it to the business and vice versa. If I lack knowledge, I consult experts. But I also seek advice from the business, to gain exact insights into what they do, and to find out how I can get my message across better.”
How do you ensure the right mix of knowledge and experience in your team?
“I don't have direct hierarchical leadership of a team, because the security team is in the IT department and reports there. But being a big stakeholder, you do look at it with the relevant manager. So, you consider what knowledge and skills are needed within that team and other teams. It involves expertise as well as personal competencies.”
What technological or societal changes do you think will make a mark on the role of the CISO in the medium term?
“AI and quantum computing, of course. These are both technologies that are going to have an impact, either directly or because they facilitate processes and things that affect security. With AI, you can write much better phishing emails, to take one example. Or you can do code analysis to see where a weakness is. In that way, it's going to help everybody get things out faster or make something useful, both on the good side and the bad side of the spectrum."
"The same thing applies to quantum computing, where, of course, the immediate threat is already here. If you lose encrypted data now, at some point it will get decrypted, and it gets out in the open or can be read by people who shouldn't have access. When that time comes, I estimate we will also use quantum technology for better security."
"These are both technologies that are going to have an impact at both ends of the spectrum, but are going to fundamentally, I think, change the way we do things."
"In addition, of course, we are also in a changing geopolitical situation. That's where I do see a greater threat emerging, where you are faced with the facts the hard way."
"All these developments will certainly leave their mark on the role of the CISO – it's ultimately about risk management. You have to interpret those risks. And you have to advise on how the organization should deal with them. Internally, I work with a number of colleagues from different disciplines. For example, I have peers for knowledge security, physical security, and privacy. So there’s a whole team that you work with."
"But at some point, it transcends the organization. That's also why we work together with other universities and the educational sector. As a CISO, that’s what you see in other organizations, and within the CISO community as well. Because together, you can keep an eye on the developments. That way, you can support each other and learn from each other. When I worked at Rabobank, I learned that one doesn't compete on security. You help each other, looking for connections, sharing knowledge.”
What do you contribute to society? Are you doing anything to encourage cyber entrepreneurship?
“I think it is very important that we share the information we have, that there are communities in which you can spar with each other, exchange knowledge, and the like. I already did that at Rabobank. My focus included innovation, both security innovation and secure innovation: innovation in the information security field, and how to innovate securely. From Rabobank, I entered into conversations with startups to guide them."
"When I started working for the university, I became part of the university CISO network. I have been their chair since last January. I am also a member and co-chair of a group of CISOs in the Brainport region - the Eindhoven Cyber Security Group. I try to do my part as much as possible.”
What do you think of the other two candidates?
“I don't really know them personally or substantively. I did see Vladimir's presentations a few times – good content. From Florence, I know that she came from Ahold and now works at Zalando. I have little substantive knowledge about either of them. But if you look purely at their track records, they are very good CISOs.”
-----
On May 27, the CISO of the Year Award will be presented at the second CISODAY.
Photo: Vincent van den Hoogen