News item

"Not all new developments are revolutionary"

Wim Sonnemans has been CISO at Philips for just under three years. He returned there after several years as an IT security manager at ASML and previous roles as an information security officer at companies such as DSM and Marel. His non-technical background makes him a unique observer. “Especially in information security, where there are so many angles to consider, it’s easy to get lost in details and side issues.” Sonnemans was recently nominated for the CISO of the Year Award.

11 May 2026 | 4 minutes read

What is your background?

“I studied law and graduated with a focus on cryptography legislation and cybercrime: an emerging field in the late 1990s. Through a professor at Tilburg University, I came into contact with the Central Criminal Investigation Information Service (Centrale Recherche Informatiedienst), where I interned. That led to an interview at an independent administrative body under the Ministry of the Interior for the position of policy officer for crypto regulation. Unfortunately, that regulation was ultimately not implemented at the EU level.”

“Coincidentally, they were also looking for someone there to handle information security. I took that on and never let it go. The job was at an IT organization for the police, fire department, and ambulance services. As a recent law school graduate, I suddenly found myself among IT professionals. That caused some adjustment issues at first, because I didn’t know much about IT at the time. But because you’re right in the middle of it every day, you learn quickly. It also gave me a unique perspective. For me, IT is just a tool. I look at it more from the functional side, and therefore, I see it often differently than many IT specialists.”

“I’m good at translating that into business terms. Even though I know a lot about IT now, I still see it as Lego blocks forming a whole. Technology, processes, and people must come together optimally. That perspective has helped me throughout my entire career. Especially in information security, where there are so many angles, it’s easy to get lost in details and side issues, while the big picture and the main issues are essential. You get lost in technology and treating symptoms, and forget to structurally integrate information security into the business process and the organization.”


CISOs have been under significant pressure in recent years. The threat landscape isn’t getting any less complex. Of course, you also have a heavy responsibility to keep the organization secure. How do you handle that?

“Change is the norm and is happening at an ever-increasing pace. Still, it’s important to see every change for what it really is. Often, it turns out not to be fundamental, but a variation on something we already know and know how to secure. That means your team can work on structural improvements that can also accommodate new developments. This prevents you from rushing from one new tool to the next, and allows you, your team, and the entire organization to work with multi-year roadmaps and plans.”
 

“The quality of information security is closely linked to the quality of IT management”


“Ultimately, information security is simply hard work. It requires attention and discipline to ensure the availability, integrity, and confidentiality of data and systems. The quality of information security is closely linked to the quality of IT management. That is why we devote a great deal of attention to aligning with the business as well as with the IT management organization, in addition to implementing core security measures.”

“The pressure is part of the job. You’re a watchdog, but not always the one who implements things yourself. However, you’re expected to ensure that measures are implemented by different parts of the organization. That requires identifying issues, communicating, and persuading — and sometimes exercising authority. Often, the business can very clearly articulate the impact if something goes wrong, but needs help determining which measures are necessary in a specific situation. It’s continuous risk management: scanning the landscape, knowing your own environment, and determining where improvement is needed together with the business.”


In your opinion, which technological or societal developments will shape the role of the CISO in the medium term?

“The new kid on the block is, of course, AI. Here, too, it’s important to clearly distinguish what’s truly new and what’s essentially more of the same. In a sense, LLMs and agents are simply new components in your landscape that need to be managed, configured, patched, and protected against, for example, input manipulation and information exfiltration.”

“At the same time, there are fundamental differences. Agents are given tasks without any predefined possible solutions. They work not in a task-oriented but in a goal-oriented manner. This is referred to, using a technical term, as non-deterministic. This characteristic makes it complex to assign the correct permissions to such an agent. What permissions do you grant an agent to explore a problem without allowing it to perform undesirable actions or arrive at undesirable solutions? If you grant it too few permissions, you limit what it can do; if you grant it too many, it can do more than necessary to achieve its goal. This is a revolution and is currently a subject of research.”
 

“In a sense, LLMs and agents are simply new components in your landscape that need to be managed, configured, patched, and protected”


“Another area of focus is agent identity. In fact, an agent is a new member of your organization who joins, receives accounts and permissions, and eventually leaves. This is an example where the change is less substantial than expected. After all, we already have identity and access management for people. We can largely reuse the same principles and tools. Not all new developments are revolutionary; they simply mean a lot of work.”
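The two points Sonnemans makes about agents, least privilege for a goal-seeking agent and treating the agent as an identity with a joiner/leaver lifecycle, can be illustrated with a small permission gateway. The following Python is an added example written for this article; it is not code from the interview, from Philips or from the CISO Circle of Trust, and every name in it (the `AgentIdentity` and `ToolGateway` classes, the tool names, the ticket data) is hypothetical and constructed. The agent never holds credentials itself: each tool call passes through the gateway, which checks that the identity is still active and that the tool is on the task's allowlist, and writes an audit entry either way. The plan the agent comes up with is deliberately one the designer did not anticipate (it ends with a destructive call), which is exactly the non-deterministic behaviour the interview describes.

```python
"""Added example: an AI agent as an identity with a scoped tool allowlist.

All names are hypothetical; the ticket records and plan are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AgentIdentity:
    agent_id: str
    owner: str                # accountable human, as for any service account
    allowed_tools: set[str]   # least-privilege allowlist for this task
    active: bool = True       # set to False by the leaver (offboarding) process


class PermissionDenied(Exception):
    pass


class ToolGateway:
    """Single choke point for every tool call an agent makes.

    The gateway, not the agent, holds the mapping to real tool implementations,
    so the agent can only reach tools it has been explicitly granted.
    """

    def __init__(self, tools: dict):
        self.tools = tools                 # tool name -> callable
        self.audit_log: list[dict] = []    # one entry per attempt, allowed or denied

    def call(self, agent: AgentIdentity, tool: str, *args):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "agent": agent.agent_id,
            "tool": tool,
            "args": args,
        }
        if not agent.active:
            entry["result"] = "denied: identity deactivated"
        elif tool not in agent.allowed_tools:
            entry["result"] = "denied: tool not in allowlist"
        elif tool not in self.tools:
            entry["result"] = "denied: unknown tool"
        else:
            entry["result"] = "allowed"
        self.audit_log.append(entry)
        if entry["result"] != "allowed":
            raise PermissionDenied(entry["result"])
        return self.tools[tool](*args)


def run_plan(gateway: ToolGateway, agent: AgentIdentity, plan: list):
    """Execute a sequence of (tool, args) the agent proposed.

    A denied step is recorded and skipped rather than aborting the whole run,
    which is the behaviour a goal-seeking agent needs to keep exploring
    within its limits.
    """
    completed, denied = [], []
    for tool, args in plan:
        try:
            gateway.call(agent, tool, *args)
            completed.append(tool)
        except PermissionDenied:
            denied.append(tool)
    return completed, denied


def demo() -> dict:
    # Constructed sample data: a toy ticket store and four tools.
    records = {"T-1": "printer offline", "T-2": "vpn timeout"}
    tools = {
        "read_ticket": lambda tid: records[tid],
        "search_kb": lambda q: [f"KB article about {q}"],
        "send_reply": lambda tid, text: f"reply sent on {tid}",
        "delete_records": lambda: records.clear(),   # destructive; never granted here
    }
    gw = ToolGateway(tools)
    helper = AgentIdentity(
        agent_id="agent-helpdesk-01",
        owner="servicedesk-lead",
        allowed_tools={"read_ticket", "search_kb", "send_reply"},
    )
    # The agent's own (unanticipated) plan: three useful steps and one it must not do.
    plan = [
        ("read_ticket", ("T-1",)),
        ("search_kb", ("printer offline",)),
        ("send_reply", ("T-1", "Please power-cycle the printer.")),
        ("delete_records", ()),
    ]
    completed, denied = run_plan(gw, helper, plan)

    helper.active = False   # leaver process: the identity is switched off, nothing else changes
    _, denied_after = run_plan(gw, helper, plan[:1])

    return {
        "completed": completed,
        "denied": denied,
        "records_left": len(records),
        "denied_after_offboarding": denied_after,
        "audit_entries": len(gw.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist is the knob the interview talks about: drop `send_reply` from it and the agent can still investigate but cannot act, add `delete_records` and it can do more than the task needs. Because the check sits in the gateway rather than in the agent's prompt, the audit log records every denied attempt, which is what a detection team would want to review when an agent starts proposing steps outside its mandate.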


What else do you contribute to society?

“I am secretary of the CISO Circle of Trust, a Dutch foundation established by Philips, among others, together with companies such as ASML and ABN AMRO. We come together with various multinationals to learn from one another, but also with the intention of making the Netherlands safer. We are very active in public-private partnerships with the Dutch government.”

“We hold regular sessions where we invite the business community and government agencies to discuss current information security topics. We’ll be hosting one soon where we’ll also invite CISOs from other companies. This is how we try to initiate and maintain a dialogue on how we can improve information security for the whole of society.”


What do you think of the other candidates?

“Kay Behnke has worked at Philips as well. I’ve known him for a long time, and we regularly run into each other at all kinds of conferences and meetings. He is very thoughtful, competent, and highly experienced: just a very good colleague. To be honest, I can’t say much about Walter van Oostrum; we haven’t crossed paths often enough.”