"I have a great team of smart people who help take the pressure off"

What is your background?

"I studied Computer Science at the University of Erlangen-Nuremberg. I completed my Master's in Computer Science there, specializing in neural networks. After my studies, I was looking for a job in medical informatics. That was very difficult at that time, and I was eventually offered a PhD position at the Max Planck Institute in Nijmegen, after I applied for a different position there. It is the only Max Planck Institute across the German border and specializes in psycholinguistics, i.e., how humans acquire and process language. I conducted research into the acquisition of sounds of the mother tongue by babies and simulated this using a self-learning neural network. It was a great experience, although I never intended to pursue a doctorate in the first instance. I obtained my PhD at the TU Twente, but realized that while I am super interested in continuous learning, I am not a scientist at heart."

"So I returned to my roots, IT. I was a consultant at a small consultancy firm for a number of years, and worked on many security projects. For the government, the Tax and Customs Administration, for the Dutch Police, as well as in “pure” consultancy projects for several companies. In 2005, I took a job at Philips as a security service manager. And a year later, I got the opportunity to fill the CISO position at NXP Semiconductors in Eindhoven. At that time, it was more the role of the IT Security Officer. Very soon, and definitely during my second CISO position at FrieslandCampina, I realized that the role requires solid knowledge of critical business processes. So, I decided to do an MBA, which I did at the Nyenrode Business University."

CISOs have been under considerable pressure in recent years. The threat landscape is not getting any less complex. Of course, you also have a heavy personal responsibility to keep the organization secure. How do you handle that?

"The CISO role is a 24/7 job. I have a great team of smart people who help take the pressure off; that’s how I deal with it. This is crucial to being successful. While the business background is super important nowadays, in my view, it is still necessary to have a solid understanding of IT as well; this helps to understand certain things. In the end, you have to organize things well around you and also make the right agreements with your stakeholders."

"Look, when there is a major incident, the organization turns towards the security team immediately, that is natural. My role as CISO entails stepping in and mitigating the impact on the organization. You do not do this alone. It helps a lot when you have made good agreements up front. I think there is also sufficient understanding that while the CISO is ultimately responsible for information security, the awareness and help of the whole organization are required. For example, the person responsible for the business process also plays a very important role in that area. This level of awareness is super important."
 

"At Genmab, the security team is involved from the very beginning when new projects start."

"You have CISOs who behave in a very advisory role toward the business process owner. Consequently, many security decisions lie with the business owner. At Genmab, the security team is involved from the very beginning when new projects start. Since I started working here, I have focused on building a security organization that becomes part of existing processes. That also means you need a team large enough to handle all the questions that come your way. Or you have to set priorities. Spreading responsibility is, I think, the right answer to your question."

Which technological and societal developments do you think will leave their mark on the role of the CISO in the medium term?

"In recent years, ransomware attacks as a business model for attack groups have had a major impact on the visibility of the role of cybersecurity. And it is not without reason that cybersecurity is nowadays in the top three of enterprise risks. I also constantly emphasize that I view cybersecurity as an enterprise risk, part of enterprise risk management. As such, I regard cybersecurity as part of the enterprise risk landscape within the company."

"That does not alter the fact that our specialization lies primarily in the technological field. Technology is a driving force in terms of innovation in almost all business sectors. The Internet has certainly led to many changes in business models and processes, which are nowadays fully dependent on information technology. As a result, cybersecurity has also found its role."

"When you look to the future, AI will have a great influence on innovations. That development will accelerate very quickly and also requires a different approach – within the security organization and the security processes. In the biotechnology sector, the focus is primarily on making processes more efficient by the usage of AI. Patients are waiting for new treatment options, time is money, and the competition is fierce. And the shorter we can make the development time for a new medication, the sooner we can make it available for patients who are in need of new treatment options."

"AI agents have emerged that are much more powerful in the background [than LLMs] for performing AI tasks. You need governance around that so you "keep the frogs in the wheelbarrow." But I see the necessity that we also have to experiment. I want to see what happens when agents start working with large amounts of data and perform analyses more efficiently. But perhaps also [perform] in a different way, which might lead to new insights as well. That is, of course, very exciting at the moment; I think in every company. The challenge for us is that we are dealing with sensitive personal data of patients, which requires us to take into account a large number of different legal requirements."
 

"I think there is sufficient understanding that while the CISO is ultimately responsible for information security, the awareness and help of the whole organization are required."

"Additionally, on a geopolitical level, digital sovereignty is nowadays an important topic. I do not see this so much as a purely cyber or information security aspect, but rather as a business continuity aspect, and think that it should be covered from an enterprise risk perspective."

"And finally… everyone is waiting to see what the impact of quantum technology will be. It can be an opportunity, but also a threat. It is important to take measures already to be quantum-proof before the first quantum computers hit the market."
 

What else do you contribute to society?

"I used to be very active in [several] ISACs of the Dutch government, but am no longer involved with those. We are an international company with headquarters in Denmark. We also have a network within the medical sector, which is quite large in Denmark. There is such a thing as the 'Med Valley' in Copenhagen, with several Danish companies collaborating, including in the field of cybersecurity."

"Additionally, I am a leading member of an organization that focuses on bringing CIOs and CISOs together. I am one of the co-chairs there, and my role is to provide input on the session agenda and regularly contribute to virtual panel sessions and provide presentations. Next to this, Genmab is a member of the Health-ISAC and the Information Security Forum. It is important to maintain an active network in our domain, not only for the CISO but for everyone in the security team." 
 

What do you think of the other candidates?

"I actually only know Wim Sonnemans well. I worked with him in my consultancy period during a project for the Dutch police. And since we both worked at large multinational organizations, our paths crossed several times. He comes from a security architecture background and is super solid in that area. And what I appreciate about him is that he is very outspoken. While I don't know Walter van Oostrum that well personally, I know, of course, what the CAK does, and I hope to learn more about his work. I am sure he has made a big impact, otherwise he would not have received this nomination. I am honored to be nominated with both of them."