News item

Florence Mottay: "CISOs are going to have to wear many hats"

Having started as an ethical hacker some 25 years ago, Florence Mottay ended up working in business roles and, eventually, became CISO at Ahold Delhaize, followed by Zalando in 2022. She was recently nominated for the 2025 CISO of the Year Award.

17 May 2025 | 5 minutes read

CISOs have been under considerable pressure in recent years. Externally, because of the constantly changing threat landscape, and internally, because of the heavy responsibility to keep the organization secure and resilient. What are your experiences? 

"I've been in security for roughly 25 years. And it has been quite a transformation. We've moved from being a side function, more in the back room, to being a critical part of the strategic discussion at the top. And what I've also seen is that the CISO role has become more demanding over the past decade." 

"You need to be versatile, you need to wear many hats. You mentioned two things: externally and internally. On the outside, things are moving incredibly fast. I mean, it's no surprise. Cyber threats are not just more complex, but they're also faster, they're more sophisticated, especially now, with AI in the mix."

"It’s enabling quicker, more targeted, harder to detect attacks. And what that means for us is that we have to stay constantly on alert, we have to be adaptable, and we really need to invest in threat intelligence, and proactive as well as reactive defenses."

"Internally is the other side of the coin. We also have a dual challenge because, yes, we need to protect the organization, but ultimately our goal as a security team is to enable the business. That's how we justify and present our security investments. How can we enable the business further? And we do that while cultivating a security-conscious culture without slowing down innovation." 

 

There are roughly two types of CISOs: those who have their roots in IT, and those who have, above all, a business background. Where are your roots, and how do you compensate for (any) gaps in knowledge and experience? 

"That's a good question because we see all types of profiles becoming CISOs. I have degrees in mathematics and software engineering, and I began my career in the US as an ethical hacker, specializing in exploit writing. I worked for a company named SI Gov that did government-related work." 

"After a few years, I was asked to open the European branch of the company, which had become for-profit and rebranded as Security Innovation. Overnight, I went from a techie living in the US to a P&L owner living in the Netherlands. That was quite a big change, but it worked well. I ended up running branches of information security companies for Europe and the Middle East for 10 years after that. And then I decided to get a ‘grown-up’ job and become a CISO."
 



"So I have roots in both worlds, the technical and the business side, but honestly, I don't think it matters because what I've learned over the years is that what's important is to build strong, diverse teams. And that's what I do. I surround myself with people who bring all sorts of skills, backgrounds, and expertise to the table."

"And that allows us to have that well-rounded view. Because otherwise it's just not possible. I also keep up in different ways; I'm part of diverse communities, I speak a lot with peers, I go to conferences, and I just keep myself aware of industry developments."
 

What technological and/or societal changes do you think are going to make a mark on the role of the CISO in the medium term? 

"I think AI and quantum computing are key topics that will impact the role. And as much as we've seen it evolve, we talked about that before, I think it's going to continue evolving more significantly and become even more strategic. If we take AI today, CISOs already have to defend against AI-driven threats, but also leverage AI-based security tools and governance, and it has been a big learning curve for security teams and CISOs. And it’s likely to go beyond that. I believe there’s already pressure, and there will be even more, for explainable security, from both boards and regulators. And with AI in the mix, that becomes even more challenging." 

"And so there's a moment where CISOs are going to have to become AI governance officers, to a certain extent. And since we’re talking about AI… it's something we've been talking and thinking about a lot. At Zalando, we already created our AI security framework a couple of years ago and have been improving it since. So for us, it's important to be able to have that in place to enable our teams to innovate and do so securely. But of course, it's only a first step, there is more to do."

"There’s quantum computing as well. There are two things about quantum. First, the sensitive data of today is already at risk because a lot of attackers are practicing 'harvest now and decrypt later' types of attacks, mostly for very sensitive documentation. Health records, trade secrets, or government secrets. And second, it's still a few years off, but we do need to start preparing to shift to quantum-safe cryptography. We've been looking at that already, and we're working with partners who are already doing some work [in this field]. We're also watching what's going on with regulations very closely – and we are starting to see good progress."

"And this contributes to new hats that the CISO is going to have to wear. We still need to continue adapting to the business language and speaking that business language. The CISO of the future is going to be part cyber defender, part strategy diplomat, governance officer, and still very much a core leader in the business. I always say that a CISO is a business executive specialized in security, and I think that's going to continue, just with more hats."


What else do you contribute to society? Are you doing anything to encourage cyber entrepreneurship? 

"For me, cybersecurity has always been a societal problem. I started 25 years ago, and yes, it's evolved, but it's never been the responsibility of a single company; it can't be because it's much broader. And so we each need to do our part." 

"At Zalando, since I joined, we've engaged in several things. I'm very proud of the cybersecurity awareness campaign we put in place – it's called Cyber Fabric. And we make sure that we touch upon every topic that we can through every different means of education, so that we can educate and provide the tools necessary to all of our employees to defend themselves. And we do that to protect Zalando, but also because, this way, individuals can protect themselves and their loved ones."
 



"We’re part of Deutschland sicher im Netz (DSiN), a nonprofit under the Federal Ministry of the Interior, designed to help consumers and small businesses navigate the digital world safely. We collaborate at the organizational level, but we also participate with Zalando employees by volunteering. One of the things we do is we help older populations understand how to safely buy online, how to safely do things online." 

"So we promote safety, but it's also great because it allows older folks to remain independent longer. We're also working with government agencies, not just in Germany, but also in other European countries, to support the public sector."

"It takes a village, and in this case, it takes everyone around to protect our communities. In parallel and more to the aspect of entrepreneurship that you mentioned, I'm also an advisor to the Paladin Capital Group, an investment company that funds early-stage cybersecurity firms with innovative ideas. Again, with the idea of continuing to protect cyber, the public sector, and commercial companies." 


What do you think of the other two candidates? 

"The competition is really strong. Both candidates have been in the Dutch security community for over 15 years. We're actually in industry groups together and have definitely crossed paths a number of times. They're incredibly active and well-respected. For me, it's a real honor to be considered alongside them, and I wish them both luck as well."

-----

On May 27, the CISO of the Year Award will be presented at the second CISODAY. Do you have a role in security? If so, you are welcome to attend.