Vladimir Cibic: "Our view is more comprehensive than cyber alone"
Vladimir Cibic has worked at KPN for over a quarter of a century in a wide variety of roles, including CIO. He has been the CISO for the past three years and was recently nominated for the 2025 CISO of the Year Award.
CISOs have been under considerable pressure in recent years. Externally, due to the constantly changing threat landscape, and internally, due to the heavy responsibility to keep the organization safe and resilient. What are your experiences?
"I think it depends a lot on the company you work for. It is a fact that the role of the CISO has become crucial. But it is also how your organization deals with it. I work in a company where security is high on the agenda. We are one of the vital companies in the Netherlands; it is obvious that you get the attention and support you need. But if you do bear the security responsibility and the organization is not yet ready, then the situation is, of course, very different." "It also depends on the context in which you act. With the current geopolitical situation, you see that more and more companies are aware that security should be high on the agenda. On the other hand, regulation also forces us to do so." "But I experience a healthy pressure, because our company really pays attention to it."
There are roughly two types of CISOs: those who have their roots in IT, and those who have, above all, a business background. Where are your roots?
"I spent the first part of my career in business, in all sorts of different roles. Operations, processes, product management, and everything that goes with it. And the second part of my life, I was a CIO. The reason why I got the job of CISO afterwards is that they were looking for someone who could combine the business and the technology of the company." "So I am more of a business-driven CISO. But I did study technology and have an IT background. I know the technology of our company very well, which helps me enormously to make the right choices in the field of security."
How do you compensate for any gaps in knowledge and experience?
"First of all, I have the rest of the organization at my disposal; I don't know everything myself. If you put together your management team and your [business] unit, you also have to hire people who have knowledge that you don't have. And it's not just about substantive knowledge, it's about capabilities and soft skills as well."
"Secondly, I firmly believe that you have to collaborate in the field of cybersecurity, also with the outside world. So with other companies, knowledge institutions, and the government. Because I think there is no competition in cybersecurity, we can collaborate differently with each other. By putting together good teams, with the right capabilities and knowledge, and setting up partnerships with other companies. And learning from that."
What technological and/or societal changes do you think are going to make a mark on the role of the CISO in the medium term?
"Let me start with the societal one. The geopolitical situation in the world has a huge impact on the role of CISO. Firstly, because it worsens in terms of the threat landscape. If the Russians want to do something really bad, we as CISOs have a challenge because of all the attack power they have. You saw that in Ukraine."
"On the other hand, the view is also broadening beyond cyber alone: it is not just about cybersecurity. It is about the overall resilience of your company. This is increasingly being seen as the responsibility of the CISO, at least in my case. Physical security is becoming an important part. But the stability and continuity of our networks and services are also included. If something occurs, what measures have you implemented? CISOs are being held responsible, while five years ago, they were there purely for cybersecurity."
"If you look at the technology, there are actually three things. Apart from AI and quantum, there is a huge discussion around cloud, the role of American tech companies in it, and how Europe is positioning itself. How do we want to deal with this? How do CISOs view it? How safe are we now with our data?"
"It's about overall resilience. If something occurs, CISOs are increasingly being held responsible, while five years ago, they were there purely for cybersecurity."
"In the short term, AI plays a major role. You just have to prepare well for it and join the race. However, there is something new that we as CISOs have to be very aware of. It is not just about attacks supported by AI or how we protect ourselves against them using AI. It is also about the use of AI in your own company. You create an attack surface because your AI can be attacked. If you are not careful, everyone in the entire company will use AI models, but that greatly increases the attack surface. If something goes wrong there, you no longer know what precisely is going wrong. So you have to secure your AI and draw up policies about its use."
"Quantum technology plays a long-term role. You have to start changing your entire encryption landscape now. You will certainly need five to ten years to get that in order. That is a difficult conversation because the average board looks a quarter ahead. Data stolen today can be decrypted in ten years, and that will be a problem in the future."
What else do you contribute to society? Are you doing anything to encourage cyber entrepreneurship? "I'm involved in a lot of things. I like that. Not every company in the Netherlands has a department of 200 people with the best cyber specialists in the world. I try to contribute to initiatives that help the Dutch economy move forward." "An example is the Circle of Trust: ten large companies that work together with the government. How can we help smaller companies to be more secure? I am also involved in the Cyclotron initiative, a public-private partnership that should lead to a platform where information can be shared about digital incidents and threats."
"You have to start changing your entire encryption landscape now. You will certainly need five to ten years for that. That is a difficult conversation, because the average board looks a quarter ahead."
"I am also a guest lecturer at TIAS School for Business and Society. I like that because you also want to teach cybersecurity to future leaders. Often, they are people who are not in the security world but who want to have an affinity with it."
"I like talking, so I often am on stage. Then I try to tell a real, practical story, from my perspective. Because theory is fun, but I really believe that if you explain how you do something, you stimulate people."
"With KPN, we organize Kids Cyber Day, where we try to interest children in cybersecurity, because ultimately it is the children of today who have to become cybersecurity specialists in the future."
"And finally, I’m helping our market regulator with the question of how to stimulate companies to get started with NIS2. I believe that if you implement NIS2 well, you create a good basis for the security of your company."
What do you think of the other two candidates?
"I know Florence, I met her when I started as CISO. A super nice lady, very enthusiastic and good at her job. She has also been in the field for a long time. I can imagine that there is a lot of appreciation for her nomination. Martin, the other candidate, I know a little less. I did a bit of reading to see where the candidates stand. And the approach at TU Eindhoven is the approach that I also believe in. As a CISO, you are not solely responsible for safety. We are all responsible for safety in our company."
-----
On May 27, the CISO of the Year Award will be presented at the second CISODAY. Do you have a role in security? If so, you are welcome to attend. Register here or check the event website for more info.
