Powered by: CIONET and Splunk, a Cisco Company
The CIONET roundtable, in partnership with Splunk, concluded that the industry must urgently shift from passive prevention to Active Cyber Defence and Digital Resilience. Key strategic mandates emerged:
- The New Battlefronts: Security is no longer an IT-only issue; it requires a 10–20% time commitment from non-CISOs. The primary risk has shifted to Operational Technology (OT), demanding segregated, life-critical security measures.
- Compliance vs. Agility: While growing regulation (like NIS2) mandates extensive logging and monitoring, leaders struggle with contradictory national laws and client-driven audits. The strategic focus must move from pure Escalation to Return on Risk (ROR).
- Innovation Mandate: Security must transition from being an innovation blocker (as experienced by a major international airline) to an accelerator by embedding optimized DevSecOps processes.
- The Intelligence Gap: Despite the potential of AI (currently favoring adversaries), a critical technical need is a dedicated, vendor-supported solution for post-incident forensics and digital footprint capture to support law enforcement and collective intelligence sharing.
The geopolitical landscape is shifting, compliance demands are rising, and the threat surface is constantly expanding. In a recent executive dinner discussion hosted by CIONET Partner Jeroen Kleinhoven in partnership with Splunk, Maarten Dragtstra, Ronald Beiboer and Martijn ten Kate, a select group of CISOs and tech leaders gathered to discuss the need for a fundamental change: moving from passive defense to Active Cyber Defense.
The discussion went beyond the standard playbook, exploring real-world strategies and revealing the practical complexities of this shift. Here are the key takeaways and insights from the executive roundtable.
1. The Strategy: Moving to Digital Resilience and Active Defense
As the co-host of the event, Splunk provided crucial context for the discussion, stressing that prevention alone is no longer adequate for modern business resilience.
- Proactive Resilience is Key: Splunk, which plays a key role in proactively defending enterprises and critical infrastructure, argues that total reliance on preventative measures is insufficient. To maintain digital resilience, organizations must operate proactively to prevent extensive outages, ransomware payments, and data leakage. It is crucial to differentiate here between the leakage of sensitive PII or PHI data and the compromise of Intellectual Property (IP) which undermines competitive advantage.
- Targeted Defence: This proactive approach requires a holistic view, using awareness of specific adversaries to counter threats with targeted defence. This entails leveraging threat intelligence, continuous environment testing, and implementing honeypots and deception networks as tripwires—points directly aligning with the roundtable agenda.
2. Security is Embedded in the Business—And Takes Up Everyone’s Time
A clear consensus emerged: security is no longer an isolated IT function. It is demanding a significantly larger share of both budget and personnel time across the organization.
- Increased Time Commitment: Participants noted that even non-CISO employees are now spending approximately 10–20% of their time on security-related matters—a substantial increase. While the amount of time and budget allocated to security varies considerably, the trend is universally upward.
- The Global and Decentralized Challenge: For leaders like a VP Technology at a Telecom Operator, the challenge lies in setting a consistent security baseline across the autonomous international entities beneath the group, highlighting the complexity of enforcing a central policy in a highly decentralized global structure.
- Protecting Core Assets: The threat landscape has forced organizations like a Global Agricultural Company, as noted by their Information Security Architect, to focus heavily on data sovereignty and the protection of critical Intellectual Property (knowledge about genes and cattle breeding).
3. The High-Stakes Expansion: OT Security and Data Lineage
With core IT security maturing, the spotlight is rapidly shifting to new, critical areas, particularly those tied directly to vital operations and infrastructure.
- OT Security as the ‘New’ Surface: Splunk identified bringing OT into the scope of the CISO as a major current topic, stating that companies have relied too long on securing only the IT environment, whereas the biggest damage can often be done on the OT side. The CTO at a Pharmaceutical Distributor provided a powerful, life-critical example, noting that for a distributor, "in time delivery" is paramount, and disruption or error could be life-threatening. This necessitates a clear separation between OT and IT security environments and places massive urgency on OT defense.
- Data Lineage is a Major Challenge: Regardless of the environment (IT or OT), ensuring data lineage—the traceability of data from source to destination—was highlighted as a monumental challenge for large, complex organizations. This challenge is compounded by the need to trace user behavior and actions, which will become exponentially more critical with the rise of Agentic AI, where autonomous agents act as additional 'users.'
4. Compliance: Navigating the Fog of Rules
The regulatory environment is putting increasing pressure on leaders, but the approach to compliance must be strategic, not purely reactive.
- NIS2 Mandates Monitoring: The upcoming NIS2 regulation is a key subject, particularly as it will be translated into Dutch law. NIS2 makes logging, monitoring, and detection mandatory, as a necessary component of its mandatory incident reporting requirements.
- Strategic Compliance: Compliance was framed as having "two realities," comparing it to deciding whether to use a weather app—the basic goal is to avoid getting wet, but the method varies. The advice was simple: use the model or framework that fits your business.
- Contradictory Rules: Participants noted a specific, frustrating complexity in the Netherlands: Dutch legislation contains contradictory rules regarding security and data management, making compliance extremely difficult to navigate.
- Client-Driven Audits: A CIO at a Global Engineering Firm shared the challenge of dealing with multiple client-driven auditors, noting the wide variations in approach—from simple checklist reviews to highly technical assessments.
- Risk Management Shift: Instead of focusing purely on escalation, organizations are now paying more attention to Return on Risk (ROR), creating a better balance toward proactive management of risks.
5. The CISO Striking Back: A Legal and Practical Dilemma
The most charged question of the night was the roundtable's title: Does the CISO strike back?
- The Legal Grey Zone: While the CISO's inclination may be to retaliate—for instance, by isolating or taking down a malicious site—the legality of this remains a significant grey zone. Practical reluctance remains, though it was noted that financial institutions like ICS (credit card services) do engage in aggressive active measures.
6. Security Operations Must Align with Business Goals
The strategic advice from the co-host for this digitally leading audience was clear: security operations must be relevant, tested, and aligned with the broader business objectives.
- Alignment is Key: Splunk’s advice to the strategic audience was to ensure that the actual security operation aligns with the business goals and the current threat landscape. This means constantly staying ahead of the arms race, often requiring steps further than only complying with regulations like NIS2.
- Testing and Relevance: The key to monitoring and detection is making it relevant to the organization: determining what keeps executives up at night and which adversaries are actively targeting the company. Security teams must test and fine-tune detection and response processes by conducting red-teaming exercises and tabletop drills.
7. Security Must Become an Innovation Accelerator
The long-standing perception of security as a 'blocker' for innovation is being actively challenged by leaders who are embedding security directly into the value chain.
- Embedding Security in Development: Leaders like the CISO at a High-Security National Documents Manufacturer are focused on optimizing the DevSecOps process (with a specific focus on the SEC component) to ensure security is integrated from the start—a necessity when dealing with critical assets like ID cards and passports. Similarly, the CTO leading a Major European Payment Platform Transition is embedding security into that fundamental transition itself.
- From Blocker to Advantage: As noted by an Innovation Development Lead at a Major International Airline, security often acts as a blockade for innovation. However, the discussion confirmed that good, well-defined processes around security do not hinder innovation—they accelerate it, and can even be leveraged as a competitive advantage that builds customer trust.
- Resilience and Checklists: A reading recommendation, The Checklist Manifesto, was offered, underscoring the point that adopting simple, established processes (checklists) can actually boost cyber resilience.
8. The Critical Need for Deeper Forensic Intelligence
The discussion highlighted a critical gap: the inability to conduct robust post-incident investigations and gather actionable forensic data.
- A Call to Action for Forensics: A specific call was made to vendors like Splunk: develop a product explicitly designed for forensic use during a hacker attack—a "digital footprint" tool. This would allow multiple attacks to be aggregated for law enforcement, enabling faster detection and prosecution, as the current requirement is to make a slow, complete "bit by bit" copy of data.
- Beyond Monitoring: The CTO at a Pharmaceutical Distributor articulated this need perfectly: while many tools exist for monitoring and triggers, there are few good options for in-depth investigation.
9. The Asymmetric AI Advantage
AI remains a high-potential topic, but its current application creates an immediate, asymmetric advantage for threat actors.
- Agility vs. Governance: Participants agreed that AI currently benefits the 'bad actors' because they can operate with the agility of startups, quickly "pivoting" their strategies without being bound by the corporate and ethical regulations that slow down large organizations.
- Local Innovation, Global Lag: An interesting insight was shared: given that the core of ChatGPT (Python and Machine Learning) has Dutch origins, there's an expectation that the Netherlands, as a country, should be further ahead in applying these innovations securely.
Conclusion
The CIONET roundtable affirmed that Active Cyber Defense is essential for navigating the complex threat landscape of the 2020s. Success will hinge on embedding security into the core business—from DevSecOps to OT environments—while simultaneously pushing for better forensic capabilities and balancing the need for agility against the relentless demands of compliance. As the co-host advised, the next step for strategic leaders is to ensure security operations move beyond minimum compliance and truly align with business resilience and current threat realities.
Partner with CIONET for Future Executive Events
Did the insights from this confidential executive roundtable resonate with your strategic goals? CIONET regularly hosts high-level, focused events designed to foster peer-to-peer learning and networking.
If your company is interested in partnering with CIONET to participate in or even co-host future exclusive events, share thought leadership, and connect with a select audience of top CIOs, CISOs and Digital Leaders, please email us: nlcionet@cionet.com