On the evening of Thursday, September 21st, a group of 14 digital leaders - CIO, CISO, head of architecture, … - gathered to discuss the intriguing and pressing topic of "The Human Risk" in cybersecurity. The event took place at the renowned Restaurant “Het land aan de overkant” in Leuven and was organised by CIONET, in partnership with NRB, the Belgian ICT service integrator.
Thomas Colyn, CISO at DPG Media, and Johan Celis, CISO at the VDAB, served as conversation starters, bringing with them a rich track record and expertise in the domain of cybersecurity. The central question of this event was how to cope with the critical role that human behaviour plays in contributing to security breaches, an alarming 82% of them according to research.
The discussion delved into the delicate balance of the human element on the cyber risk tightrope. The current era, marked by the surge of sophisticated attacks, driven by social engineering, and powered by advanced AI solutions like ChatGPT, amplifies the urgency of these discussions. The participants accentuated the dual role of humans as both the potential breach point or weakest link and as the primary line of defence. They advocated for a balanced, human-centric approach to cybersecurity, bolstered by appropriate technological enhancements and robust processes.
Johan championed the concept of viewing humans not as the ‘weakest link’ but as integral components within a comprehensive cybersecurity strategy built upon three equally essential pillars: technology, process, and people. He underscored the significance of cultivating a culture of collective responsibility and called for customised awareness programmes tailored to various organisational segments, ranging from management to operations. Johan emphasised a much-needed shift in focus, highlighting that the true starting point should revolve around understanding the value of the data at stake. “Understanding the worth of the data is the correct first exercise to do.”
Thomas Colyn, on the other hand, emphasised the importance of acknowledging the growing complexity and sophistication of large-scale cyberattacks when compared to the unpredictable nature of human behaviour. He delved into the intricate strategies employed at DPG Media, such as implementing a zero-trust network and conducting continuous internal awareness programmes, including phishing campaigns integrated with e-learning platforms. Thomas placed strong emphasis on the necessity of advanced training for IT and security personnel in particular, recognising their pivotal roles within the organisation. In light of the current critical cyber threat landscape, Thomas advocated for a practical and realistic approach, calling for proactive resilience strategies to mitigate potential damages.
Johan also delved into the often-overlooked issue of stereotyping, stressing the importance of careful consideration to avoid biases and generalisations between white-collar and blue-collar workers. He noted, “Our analysis showed that blue-collar workers often exhibited more prudence and awareness than white-collar workers,” debunking commonly held beliefs and emphasising the role of shared information and warnings within social networks.
IT vs. the Rest of the Company:
He also pointed out the stereotypes regarding IT personnel who are often assumed to be more vigilant towards cybersecurity threats. The discussions highlighted the criticality of understanding the symbiotic relationship between different organisational segments, acknowledging the unique challenges and perspectives of each, and fostering a unified approach to cybersecurity.
Chris Borremans, CIO of Komatsu, brought attention to the significant discrepancies in how people perceive cybersecurity in a personal versus a professional atmosphere, emphasising the general lack of awareness regarding the repercussions of cybersecurity breaches on businesses.
Dirk De Ridder, IT director at SMALS, emphasised the power of collaboration, sharing positive experiences with intensive collaboration across different organisational levels, roles (DPO, IT, security, operations) and departments. He believed that adding the right (business) context is crucial for providing richer and more relevant information to the board.
Participants explored a spectrum of challenges and solutions, emphasising the importance of grassroots-level security awareness and debating over the prioritisation of investments between technology and employee training. The importance of recognising sophisticated cyber-attacks and developing proactive strategies was a focal point of the discussion, advocating for a united front to protect valuable data.
The roundtable accentuated the need for an environment that encourages reporting security problems without the fear of retribution. The conversation touched upon effective reporting strategies, focusing on elements such as detection time and response time, rather than the frequency of incidents.
In the session's wrap-up, Michael Boeckx, COO of The NRB Group, highlighted the key takeaways. The session emphasised the necessity of adopting a balanced and layered approach to cyber defence, advocating for a strategy that's grounded in risk assessment. Michael stressed the importance of avoiding complacency and moving beyond mere compliance, underlining that each organisation's unique situation depends on factors like the type of data they handle, their exposure to the public, and the tech and cybersecurity expertise of their team and board members.
Furthermore, Michael emphasised the significance of collective responsibility, dispelling stereotypes, and promoting collaborative efforts to tackle the intricate web of cybersecurity challenges in today's interconnected world. The session served as a powerful reminder of the transformative potential inherent in a unified, balanced approach to cybersecurity, setting the stage for more resilient and secure organisations.