What happens when you put 40 security and technology leaders in a room and ask them to stop presenting and start problem-solving? You get the kind of insights that don't make it into vendor whitepapers.
At CIONET's "Defending for Continuity" event on February 12th at 3DMZ in Haarlem, CIOs and CISOs shared hard-won lessons on building resilience in an era of AI-driven threats and expanding digital estates. Here's what emerged.
Gerben van Dijke, CISO of ProRail, opened the event with a clear message: the traditional image of a CISO as a technical expert who grew up as a network architect is outdated.
ProRail manages 7,000 kilometers of track and about 400 stations. It's not just an IT organization; it's a massive OT environment where physical and digital security intersect. When sabotage during last June's NATO summit caused a cable fire in Amsterdam that brought North Holland rail to a standstill, the threat became impossible to ignore.
A CISO today is responsible for an organizational change challenge, Gerben argued. Security operations are only one piece of the puzzle. Without clear governance (knowing who is responsible for what, how security is embedded in processes, and how it reaches the boardroom), the task becomes nearly impossible. That means operating on multiple levels simultaneously, while regulatory pressure is mounting and the threat level isn't diminishing.
Miranda Ritchie, CISO of Orbia, cut to the heart of AI as the fastest-growing cyber threat. "I don't know any CISO out there that's not trying to strike the right balance between enabling the business through innovation, but also pumping the brakes a little bit," she said.
She pointed to OpenClaw as a case study. OpenClaw allows anybody to create AI agents, and those agents can learn skills. But most people building with it aren't cyber professionals. "Then reports started circulating that as many as 900 of those skills were actually just malware embedded in an add-on file," Miranda explained. "This is a great example of where security needs to make fast decisions. At Orbia, we judged that the risk outweighs the potential benefit. So we blocked it corporate-wide."
The lesson: when AI tools are being adopted across the business faster than security can evaluate them, CISOs need frameworks for rapid risk decisions – not six-month review cycles.
Bart Kerkhofs, CIO of Tata Steel, offered a reframing that shifted the entire conversation.
"At a certain point in time, it needs to stop being a technology conversation," Bart said. "You need to start having your conversation about risk. And one of the key questions is: what is it that you're trying to protect? That is something you need to bring from a business perspective. If you purely look at it from a technology point of view, and it's not clear what you're trying to protect, just shut everything down."
Then came the analogy that landed in the room: "The way I look at information security is like brakes on a car. If you ask somebody why a car has brakes, often their response will be 'because you need to stop your car.' But I think it's interesting to look at it the other way around: the fact that you have brakes gives you the confidence to drive fast."
Security isn't about slowing down a business. It's about enabling speed with confidence. When you have a mature first line and strong governance, those brakes actually let you accelerate. Security becomes business-enabling, not business-blocking.
The afternoon's special session on digital sovereignty brought a complexity that many events avoid. Sietse Bruinsma, CTO of Vandebron, Simon Janssen, CIO of HappyNurse, and Wladimir Mufty from SURF didn't offer easy answers, because there aren't any.
Simon cut to what he sees as a fundamental problem: funding. Pension funds in the Netherlands don't fund European startups – they fund American ones. Tech companies start in Europe, then move to America for capital. "If we fund our own technology companies in the Netherlands or in Europe, then there will be more money for data centres, more requests for managed services here," he argued.
Sietse brought the conversation back to practical architecture. Vandebron has designed for sovereignty from the start, with one core principle: design for exit. "This means using open standards on the critical parts. The open standard makes it possible to migrate. Portability is what we mean by 'design for exit,'" he explained.
But the decision wasn't just technical. After tier-one outages, Vandebron wanted infrastructure more aligned with their values as a sustainable energy company. "We didn't just want to say goodbye to fossil fuels, but also to digital dependence from outside Europe. The energy transition is also a digital transformation, and you want your infrastructure to align with your vision."
Wladimir reframed the debate around values rather than nationalism. When you look at price and functionality, the Dutch do well. "But if you look at the values part – if you peel it down, it's about freedom of choice, transparency, autonomy, privacy, social coherence. That's not one of our strongest points."
The path forward? Open standards, not protectionism. "Go open source, go open standard: open is the magic word. That doesn't mean it's free, that doesn't mean people can't earn money. But if you go the open way, then it doesn't matter if it's from the United States or Asia."
What set this event apart wasn't the agenda – it was the quality of conversation. These were peers exchanging real tactical wisdom: the kind of practical knowledge you won't find in analyst reports. It exists in the hard-won experience of leaders who are building resilience in real organizations with real constraints.
Questions were specific. Answers were honest. The CISOs and professionals who stayed until the end weren't there for the free drinks. They were there because this is where you can ask the question you've been afraid to ask your board. Where someone else has already failed at the thing you're about to try and can save you six months of effort.
Security resilience isn't a destination. It's a practice built through constant learning from peers who face the same challenges. And this community is just getting started.


Special thanks to our partners
NetWitness - Edwin Rombeek
Fsas Technologies – a Fujitsu company - Paul Broekhuizen
AvePoint - Michel W.R. van der Meulen
CyberArk - Josh Kirkwood