Oct 21, 24
Episode Description
In this episode of the Hands on CISO podcast, Adi interviews Bas Volkers, an interim CISO with extensive experience in crisis management and business optimization. Bas discusses the unique challenges and responsibilities of being an interim CISO, emphasizing the importance of data management, understanding the evolving cyber threat landscape, and the need for effective communication with management. He highlights the human factors in security, the balance between education and control, and the future of the CISO role as a trusted business partner rather than just a technical expert.
Transcript
Adi (00:01.644)
Hi everyone. Welcome to the Hands on CISO podcast. My name is Adi and today we're talking to Bas Volkers. Bas has a background in crisis projects and business optimizations based on business intelligence. He's currently the interim CISO of Tilburg University and a security advisor. Bas, how are you doing today?
Bas (00:20.129)
I'm fine. How are you?
Adi (00:22.09)
I'm very good. Excited to have you on the show. I want to hear. Sure. First of all, could you explain what does it mean to be an interim CISO versus just CISO?
Bas (00:25.56)
Thanks.
Bas (00:35.757)
Well, I've never been a CISO in a permanent job, so I don't know exactly. But as I see it, my job as a consultant or an interim is more like clearing the path for the permanent people, doing the tough work that needs to be done to create a situation where you can actually maintain, for instance, the ISMS and the security things that need to be done.
I think that's kind of my assignment. Yeah.
Adi (01:08.79)
Interesting. And how did you end up in this role?
Bas (01:14.029)
Well, I've been a consultant for most of my working life basically. So I worked in a bank for almost two years. That was my first job. And then I ended up with a consultancy firm. And from then on, I've always been working as a consultant. And from 2007, I've been working for myself. So yeah, I don't know anything else.
I love to advise customers and I love to move from one customer to the other, do projects. And also what I just said is, and it's one of my main points, I'm Dutch, so I like to say what the client doesn't want to hear. That's what they pay me for. So I like to discuss the tough things, the tough subjects that they need to hear.
And maybe, and even if they don't actually want to hear it, I'm still telling them because that's, I think, my added value as a consultant.
Adi (02:14.004)
Interesting. And how do you, what does your day to day look like if you have different clients, different people you're working with?
Bas (02:22.133)
Yeah, well, mostly I have one main client that I work for and then I have some other clients that I advise. So I try to keep that separate so I can focus on my job. But sometimes it's just from one call to another and that's kind of hectic or the day becomes very long. But that's part of the job, right? So I'm not complaining. Yeah, so basically my current job, the day to day is more like a mixture of
helping the team of information security officers, supporting them with the things they need to do or discussing with them what the plans are. And on the other hand, having conversations with directors, board members, project and program managers about security projects or risk acceptances, stuff like that. So it's just running around every day while trying to
Yeah, get to a certain goal, I guess. Yeah.
Adi (03:24.48)
Interesting. So most of your work is happening with the leadership teams and less with the company's employees, the people who are actually like the people of the company.
Bas (03:36.076)
Yeah.
Bas (03:40.685)
Well, that too, but in my opinion, if you're a CISO, then your core responsibility is to help the board and the management to actually take their responsibilities. It starts with understanding them and for the board, even their liabilities in security and privacy protection. So they need to understand
what they need to do and I'm there to help them and then the rest of the organization can follow. So it's not the other way around, right? It's a hierarchical thing, I guess. So for me, that's very important, but also my background is what you just said, it's in business optimization. And so I'm used to working with board members and management to talk about how they can improve their business.
And as a CISO, my job is exactly the same, but then it's from a security perspective. So, and the funny thing, by the way, is that I still strongly believe that if you want to secure your business, you need to clean it up. So the less data you need to protect, the better it is. The more organized your organization is, the easier it is to protect your data because it's easier to understand your vulnerabilities, right?
If it's one big chaos, it's difficult to see through that and understand what your actual vulnerabilities are. So yeah, that's basically how I look at it.
Adi (05:21.28)
Interesting. So you're saying if you know what data you have and what you're doing, it's much easier to protect it and yourself.
Bas (05:28.693)
Yeah, yeah, just yeah, that's basically how I see it. So I always tell clients I'm just kind of like the cleanup guy. I hope you guys are going to throw away a lot of data that you actually don't need, right? Because why would you have it? Why would you hoard all that data if you don't actually use it and you don't actually need it? You need to protect everything. So it's a lot of work for what? So clean up and make it as simple as possible. That's basically one of my major
advice to all companies. Yeah. For some reason, it's difficult. We all became hoarders, right? Digital hoarders. Think of your own mailbox. I mean, it's probably filled with emails. Yeah, everybody has that. Me too. I mean, we all have that. yeah.
Adi (06:19.776)
Interesting. And do you get any pushbacks from business leaders, people who maybe don't see the value the same way that you do?
Bas (06:27.127)
Yeah. Well, yeah, of course, but every business leader has multiple responsibilities and needs to balance between, how would I say that? Yeah, different things to choose from, priorities, right? So the business needs to go on and you need to make money or add your value to society, whatever, as a university, for instance.
So yeah, you need to make choices. I can't say, the only important thing I have is securing everything, right? And cleaning up my legacy stuff. So I am secure. It's not that easy. So the business goes on while I'm there still complaining about the fact that I think it should be more secure, right? So yeah, they don't always give priority to what I think is most important.
But I do understand their perspective, yeah.
Adi (07:28.48)
Interesting. Are you ever in the position of like bad cop saying this can't happen? This can happen.
Bas (07:37.165)
But that's your, I mean, as a CISO, that's, I think, a major part of your job, right? You have to keep telling people that it's important, that you understand their other priorities, but they need to listen or they need to think about it more, right? I'm not saying that, yeah, I'm not saying that they don't take it seriously, but then in the priorities, it's, you need to keep doing that even if everybody doesn't seem to like you.
As a CISO, you're not there to be liked, right? Sorry, I need some water. I'm getting emotional.
Adi (08:15.51)
Well, that's what CISOs are like, you know? Emotional and mental security.
Bas (08:16.045)
Yeah, actually, I'm always sitting here crying in my office. It's just a very important part of your job. So that's also something which for me as an interim is easier to do, to just tell board members that, well, they should take it more seriously or
Adi (08:22.422)
Hopefully.
Bas (08:42.157)
spend more time on it, even though their schedule is super busy, which I understand. And they need to, obviously, I always think they need to spend more money on it, right? But you need, yeah, you need to have a good conversation about that. And you need to show them some projects which are actually successful, to prove what you're trying to tell them and teach them, right? If you know what I mean.
Adi (09:11.188)
Interesting. I can see that security is like one of the fields that are changing very, very, very fast. Like every day you have new technology and new breaches, new things happening. Like how do you keep updated in such a field?
Bas (09:19.582)
Yeah.
Bas (09:24.204)
Yeah.
Bas (09:29.377)
It's difficult. I think it's, for me as a person, I try to keep up with as much information as I can while I'm running around every day. Obviously, during the day, you get into situations where you learn new stuff, right, about external threats. Yeah. But it's impossible to keep up with everything, of course, and certainly as a business, it's difficult. But then again, that's what I'm saying, if you're lean,
I have a lean background, lean Six Sigma. And let's say the word lean and mean, right? I mean, if you're lean, then you can actually, it's easier to keep up than when you're not lean and it's all like a big mess and changes take, yeah, like for a year to change, to improve, right? It's too slow for the world around us. That's basically a big challenge of most companies and organizations, right? We're not used to
being threatened in this way. We've never been and now all of a sudden in the last couple of years, yeah, the threat grew like extremely a lot, right? So.
Adi (10:43.564)
How would you? I was going to ask, how would you say that the field changed over the past few years? Like what are the differences?
Bas (10:54.381)
Well, obviously the cyber threats are way bigger than they were before because it's a very, for cyber criminals, it's a very lucrative business, right? And cyber criminal organizations became very rich. So they are better optimized than we are. And they don't have to stick to any law or whatever. So it's easier for them.
to use all kinds of tools. So this whole world around us threatening us professionalized. So that's a big change. We went from individuals trying to hack a company to an organized chain of organizations. It's a chain, right? So one organization produces software for malware. Another one uses that software based on a SaaS model to try to hack into
companies, and then there's actually a cybercrime organization which, once the organization is hijacked, does the whole negotiation procedure. It's not even one organization anymore. It's not like there are five nerds in the attic somewhere outside in another country, right? It's like professionally organized. So the threats are, yeah, way more difficult and advanced, and nowadays everybody's talking about AI, obviously. So
that makes it even harder because, yeah, it's difficult to understand what's real and what isn't, so phishing went to a next level. I mean, we have the first cases of financial people paying bills while they're in a call like this. And then it turns out that their colleagues weren't even real. I mean, think about it, how are you going to protect yourself against that?
You constantly need to wonder, even if you're looking at the screen at your colleague, if they're actually real. So if they started asking very sensitive questions, then you should wonder, should I answer or not? Right. So that, that changed a lot. And from the internal perspective of companies and organizations, well, I think that the awareness grew. So a lot of people by now understand the importance of this, right.
Bas (13:20.577)
But it's still at the level that they know, but they're not really trained for it or really understand what they need to do. Right. I mean, a lot of discussions with people and they tell me, yeah, I understand that it's important, but I don't know, tell me what to do and I will do it. So from our profession, we make things. Obviously we find what we do very important, but we make things always
pretty complex. We produce these difficult documents with policies. And it's like 80 pages of text and then we send it into the organization. They all need to do this. Why aren't they doing that? Are they stupid? No, they're not. But they have their own job. They already had 50 hours of work a week and they just, you just need to tell them, okay, I'm Dutch.
If you go to the office on your bike and you put your bike in front of the office building, you lock it. If you don't, it's stolen by the end of the day, right? And then that's the digital version of you need to lock your screen, for instance. But you're not going to write a policy on, yeah, everybody needs to lock his bike and then fill 60 pages of text with it and no one is going to read it, right? That's our problem. We are not communicating, right? We're not clear.
Right, we don't think from the perspective of the people we want to actually do the security measures, right? Is that the proper English?
Adi (14:56.736)
Yeah, it's interesting. I saw that a lot of what you do is also crisis projects. What does that mean?
Bas (14:57.293)
So, yeah.
Bas (15:08.653)
Well, yeah, in the past I ended up doing projects which went, how would I say that, off the rails? So a customer had a project with a consulting firm, they built a system, but then, well, it was kind of like in many IT and information projects, the people who need to build it, they're nice people, they're developers, so they just keep building while actually all the prerequisites are not in place.
things are not in order. Maybe the customer doesn't understand what they're asking, right? And so things went south. And then they asked me just to get in there, make sure that both parties are cooperating again. It's like if you have a blue helmet on and you sit there and you look at the contracts and then say, so okay, you're complaining about the consulting firm.
But when I look at the contracts, there's this list of prerequisites, and, dear client, like 80% of that you didn't live up to. So what did you expect if you don't give them what they need? And their problem is they never said anything. They just kept going because they tried to help you. But that's also a very important thing. Also for information security officers, saying no to a customer is also helping somebody, right? It's not always doing what the customer
or somebody in your business asks you to do, right? A director or whatever. So you need to help them do their job right. And the same is with crisis projects. So lots of crisis projects just happened because, how do I say that? Because the consulting firm didn't say no, they didn't say, hey, we had a contract, you need to deliver us this and this and this.
If you can't, we can't deliver your product, right? Now they just kept going and they tried to compensate and then, yeah, you get this one big mess and customers say, it's way more expensive than you told me and blah, blah, blah, I'm angry. I said, okay, but maybe the ball is somewhere in the middle. And if everybody starts doing what they need to do, then maybe we can still get a result, right? It's really interesting. You learn a lot when you do crisis projects. It's not like a positive thing because in the end,
Bas (17:30.901)
no one will actually be happy in the end, but at least you solve the issue, right? But yeah, I don't know, in a crisis you learn a lot about people, when they're in a crisis situation, let's say it like that. It's interesting. And it helps me now obviously with risks and stuff like that. Yeah.
Adi (17:55.732)
It's really interesting. Have you been working with a company that had a severe security incident? And of course, no names or companies, but like.
Bas (18:07.701)
Yeah, so yeah.
Adi (18:13.4)
Could you tell us about some incident that you saw firsthand that was interesting?
Bas (18:23.309)
What can I tell? Yeah, I saw many incidents that were interesting. I'm just thinking what can I tell without keeping it general, let's say it like that. Because, well, obviously, well, what I find interesting, I'm going to keep it general, sorry. What I find interesting when you have security incidents is that management
and directors stay in some sort of denial when it's about people. Let me say, one customer had a person working for them. He was an admin and he did a lot, and he worked there for like more than 20 years. And the guy
Well, he had an addiction, it turned out he had an addiction and actually the employer knew because he had that before. So...
And then all of a sudden we found this unknown network in the server room. And we found out that some servers were stolen and stuff like that. So there was something weird going on. And then it turned out that this guy, yeah, he was in debt again. It's very sad, obviously, right? It's personally sad. And then, yeah, and then his debts magically
they magically disappeared. So it's kind of weird, right? And at the same time you have this. we were basically, we were able to figure out and prove that he did all this stuff. So, yeah, obviously you need to fire somebody like that. And then I was in a meeting with the management, it's always on a Friday afternoon. This is weird when you actually want to go to the bar and then you sit in this cold light. Why is that always happening on Friday afternoon? And then they were just like,
Bas (20:29.333)
Yeah, I can't believe it. He would never do that. He's been working here for 20 years. He's such a good guy. And I was of course, it's good, right? That people are that good that they can't believe that somebody else does something bad. But it just, I'm sitting there like, how much proof do you need, right? It's just, so that's kind of interesting when you see things like this and...
It was not an incident, but another meeting in another company with another board. I explained to them about ransomware and what will happen. And I told them about this chain and that you're called by a professional call center, stuff like that. And they couldn't just, they were just like, they were still thinking like, if we're hacked, it's just some guy, the addict five streets down the road and the police will get him or something like that. I don't know. And then all of a sudden one of those,
this feels very uncomfortable. Basically, you're telling me that next week, I could be sitting here negotiating with criminals. Yeah, it's like, well, it was 20. I don't know. But it's like 2024. And what do you think, man? Don't you read the newspapers or what? It's just interesting to see how naive lots of people still are about the world that we live in. Right?
Do you understand? I mean, that's... Yeah. It's interesting. And maybe I'm just a bit weird by now, but that's probably... Yeah. Yeah.
Adi (21:52.33)
Interesting. Do you think most companies...
For sure, but also it's true. Interesting. Do you think most companies find themselves to be more secure than they actually are? Like they think they're safe when they're maybe not so safe.
Bas (22:13.527)
Yeah, absolutely. Even if they're certified. I mean, I'm a certified implementer of ISO 27001, a lead implementer. I did all the training. And yeah, but I mean, being certified, being compliant to all kinds of stuff doesn't mean that you're real in reality, right? Because you need to do all the stuff, yeah.
And you can actually do the stuff, do everything you need to do. Yeah, on a minimum level and don't, but, you can do it for real. And that's basically what I'm always trying to implement in organizations, to teach them and that it's more about cleaning up your business, being a bit more disciplined, keep doing it, and then you stay safe. And all the other stuff with policies and stuff, I don't know.
It's part of that, but the essence is that you just need to actually do the things to stay safe. And it's not about the paper or the certification that you have. To give you an example, I always want to implement risk management, right? And not because I like risks, but because
what's behind the risk. What happens is, lots of companies say, when I get there, we have a risk log. Okay. So yeah, we are implementing all these kinds, all these measures. It's a whole project and blah, blah, blah. Okay, so interesting. Where did the risks come from? Yeah, we had these meetings and we figured out risks. Okay. But what is actually behind, what is a risk?
It's a risk you can get hacked or whatever. Okay. But what does a risk, what are the components of an actual risk? People don't think, so I want to go back to the actual essence. I have a Lean Six Sigma background, so I learned to ask why, why, why, why? So I'm like a toddler, right? Asking why all the time? And that's actually what you're doing here too. And then we go back to what a risk is. It's a vulnerability
Bas (24:36.233)
in your business which is actually threatened to be abused, right? So you can have lots of vulnerabilities, but if there's no threat, I mean, if no one ever steals a bike, you could say that the bike without a lock is vulnerable, but it's not a threat, because it's not a risk, because no one steals bikes in Amsterdam. Right? There's still hope for that, but it's not gonna happen. So
So I'm going back to the basics. And then the next step is, I want you to understand your vulnerabilities. That's the first thing you need to do. And then we can come up with all the threats. We're good at that in our line of work. We know all these threats. There are a lot of threats, so that's fine. So do you actually understand what your actual vulnerabilities are? And then we get to that business which is in order because...
to be able to oversee your vulnerabilities, you need to have an organized, or the word says it, organization, right? So if you have a pretty chaotic organization with tons of data, and you don't know which data is used in which process by whom, on which devices and where it's actually stored, or right? It's going to be very difficult to understand what your actual vulnerabilities are.
So that's the essence of information security. You start there, get your business in order, understand your vulnerabilities, then match them with threats. And then you can get to an actually smart risk log, which is actually, which you can use and where you can prioritize, right? It's not that difficult actually, but it's just something that never happens. It's weird, right?
Adi (26:28.554)
It's interesting. It sounds, would you say that the role of someone who is in charge of security as CISO is more technical or more business? Because it sounds, sorry, business, expand.
Bas (26:40.077)
Business. Business.
Bas (26:48.631)
Sorry.
Adi (26:50.674)
Could you expand on that? Because I know that, yeah.
Bas (26:52.781)
Yeah. Well, in my opinion, if you look at it from a technical perspective, you just simply only look at it from an IT, because technique is mostly IT, although you also have physical storage and infrastructure in some companies, right? If you work for a university, they also have physical archives.
And it's not dusty archives where no one has ever been for the last 20 years, but these are actually up to date, modern archives with interesting information that needs to be protected too. We tend to forget that, but it can be very important. Obviously, if you have a startup like you guys, it's online, right? You probably don't have physical archives. I hope not. So, and otherwise she should get rid of it probably, but yeah.
It's no need, but that's the difference between for intergovernmental organizations and a tech startup. So if you just look at it from a technical perspective, that's just a part. It's an important one because you want a secure network, you want a good firewall, you want to know that your database is secure and that the data is encrypted when it's all stored. But in my opinion, even though that seems to be very difficult,
that should not be the most difficult part of security. In my opinion, the most difficult part of security is getting that business lean and structured and organized so that the business, the first line of defense, as we call it in the three lines of defense model, actually oversees its own business and understands its own vulnerabilities. It's not an IT job, it's a business management job to understand that.
And if I ask simple questions like, give me your overview of all your suppliers and contracts, or can you give me an overview of everybody who works here and what their function is, so we can determine and classify each function on how their work, how would I say that in English? Sometimes it's difficult.
Bas (29:10.317)
It's a very simple word, but I can't come up with it. So you want to classify everything. Well, it's about, do they do high secure work or low secure work? Somebody can do lots of work for a company, but it's not very interesting from an information security perspective. And somebody can have a job and maybe works only one day a week, but work one day a week with very high secure data, right? So you want to make sure that even though that person only works one day a week for you,
Adi (29:13.304)
Subscribe to it.
Bas (29:40.755)
he or she knows very well how to work in a secure way. Often when you get into organizations and you see training campaigns, then you say, okay, how do we determine who gets a training and who doesn't? Well, everybody who works part-time doesn't have to do it. Okay. Did we classify our functions and the work that people do? No, we didn't, because most companies classify systems, right, applications.
So, yeah, I think that information security is a business thing. And the main part is the business and management overseeing its own business and understanding its own vulnerabilities. And that's actually a very interesting subject because wherever you go, this is not how information security is looked upon in the last couple of years.
That's an IT thing. You need to go to the IT manager. No, you delegated a lot of stuff to your IT manager, but you're still the first line and you're responsible. And I'm still asking you to tell me what your vulnerabilities are.
And if you can't, we need to figure it out.
That's basically my job, it's not that difficult.
Adi (30:58.251)
Interesting.
Adi (31:02.146)
How do you balance, on the one hand, making people understand how they should act and what is secure and what is insecure. And all of that more human side is obviously very high on the list of priorities. But then on the other hand, do you at all...
put controls that stop people from making certain mistakes or like how do you see the balance between I'm educating people but I'm also making sure they don't do like stupid mistakes.
Bas (31:37.729)
Yeah, you can, I mean, if you can implement controls which make sure that people can't do anything stupid, say it like that, or make mistakes, mostly it's by accident, right? It's just people who don't, or they didn't know, or they didn't mean to, but it happened. Yeah, of course you need to do that, right? Make the life of the users as easy as possible.
But I still will tell the management that it stays their responsibility and not, because we have some kind of magical control, they don't have to think about it anymore, because that's the other side. But yeah, of course you need to implement that. But as we already discussed before, this world of threats changes all the time, really fast. So if you implement a control like that, there will be another threat that will solve the issue for the cybersecurity
criminal to get around it, right? They figure out the workaround. For some reason, cybersecurity criminals are endlessly creative. So yeah. So in the end, you go back to the core of the business, which even with all the automation and whatever, in my opinion, is still people. Maybe we're replaced by AI in 10 years. I don't know. But right now it's people. So the better they understand themselves,
the more secure we are. Right?
Adi (33:07.916)
What do you think is one thing that people that are outside security most don't understand?
Bas (33:18.445)
It's a difficult question.
But maybe it's a simple answer, that they don't understand that it's they themselves who are the main part of security, that they can determine if we are secure or not. And not the system and not the security measures on the system. It's like putting this really great lock on your front door, but nobody uses it.
I mean, it's a great measure to put this very secure safe on your front door. But if all the employees just don't use the lock and the door is open, then the lock is kind of useless. It's still, it's again, it's the person who needs to understand, I need to lock this door because otherwise somebody else gets in who shouldn't be there and they probably steal our stuff. You know, and you can call it awareness, but I think it's more than just awareness, right? Awareness is...
is good. But at some point you need to start actually training people they should really really understand that security is about them and not about systems.
That's my opinion, right? It's just me.
Adi (34:37.174)
Yeah, it's really interesting. What do you think is the biggest challenge right now in the whole cybersecurity space?
Bas (34:47.329)
Well, there are several, I mean, most older companies have a huge legacy and history on the technical landscape, but also on the business landscape. So they have all these processes in place, but they're like, they became complex for some reason. If people work together for a long time in an organization, stuff gets complex, there are all these cultural things that are normal, which maybe they're not, and they should be cleaned up.
Technically there are lots of systems. So we are fighting a war against cyber criminals as organizations and we need to be safe now, but we also need to clean up our whole legacy. So it's keeping us back, right? Do you know what I mean? So that's one of our main challenges. So you need to do so many things at the same time. And then
we as professionals say, you need to invest in that and you need to do that and you need to change and delete those legacy systems. We put in place another one, but the organization needs to cope with that. People have worked for 15 years in that system and then they would need to work in a different system. It has huge impact. And yeah, at the same time, we want them to secure all the modern stuff that we have,
put in place the new systems, the new processes, stuff like that, right? So it's just too much at the same time. And it's difficult to make choices for board members and managers. I understand that, so we need to also spend a lot of time and energy in making that picture clear for them. Translated not into complex 50-slide PowerPoints with bullets, but just
try to bring it back to one picture like, I don't know, in the Netherlands we call that, do you know Miffy? It's the little rabbit from the Netherlands. It's very Miffy. Well, Google it. And Miffy is a children's book with very simple pictures and just a few words. So you need to try to make it as simple as possible for them to be able to make choices.
Adi (36:56.065)
you
Bas (37:07.467)
You can't expect them to figure it out all by themselves, obviously. That's what we are here for. But it's very difficult to make a simple overview from a very complex situation, right? That's kind of the issue. And that's what we are, the challenge of a CISO. And if I start talking nerd talk to a board member and all kinds of details, yeah, it just, it won't land. So he's just like, okay.
Who's the weirdo? Okay, well, fortunately this half hour is passed and now I can continue with my business and try not to get him into my office again, right? So, and then he's going to tell me, just go to IT and solve my problems. Okay, I did something wrong, right? It's my fault because I didn't explain it clearly enough apparently. So I need to find another way to get into his office again. I'm just gonna sit there early in the morning, wait until they arrive.
Adi (38:02.792)
Thanks
Bas (38:06.615)
Ha ha.
Adi (38:07.437)
Interesting, I'm just gonna sit here and wait until he listens to my... things.
Bas (38:12.941)
Yeah. Well, sometimes you have to drop yourself into situations. That's also a CISO thing, right? You see things happening and then you go, why am I not involved? Or maybe it's logical that you're not involved, but then if you have the feeling that it should be good that you're involved, you just need to make sure you're there. And it's not always easy because, yeah, it's also the way CISOs are still looked upon, right? They're like specialist nerds
with their information security policies and they're probably more IT than anything. So they speak a different, difficult language and they say difficult things. So yeah, you just get a headache if you talk too long to your CISO. And that's also something that we need to work on from our perspective, to be an actual partner they dare to rely on, right?
And it's not always easy, but that's something you need to try to achieve that they actually think, okay, if my CISO tells me something like this, I can rely on that it's true and a smart advice, right? And I think that as a specialist world, a niche world, we need to learn to do that. So yeah, I see a lot of CISOs also if I'm at CISO meetings struggling with that.
So we're all complaining like, the board never has any time and stuff like that. Okay, but is that their fault or is that our fault? So look at us, we're just a room filled with nerds and we're all talking nerd stuff and then we're happy. So that doesn't work for board members. They're looking at us like, they're the nerds on the, you know, in the past in the schoolyard, we're the group of nerds. No one wants to play with us, right?
So that's wrong. We need to make sure that people kind of, yeah. Do you know what I mean? Try to say, yeah, but that's actually, maybe I'm too harsh on myself and my own colleagues, but that's kind of how I see it. Yeah.
Adi (40:12.652)
That's interesting. Yeah.
Adi (40:21.528)
I can see how there's like, from what I've seen with CISOs, there's a few different types, but most of them, most of the people who are aware of the situation are like, we have to speak their language because otherwise they're not going to listen to us and you're not going to affect the company, you're not going to get budget, you're not going to like...
There is a wall that is purely communication based, which is super interesting. You think... it makes me think about, if you see people who are in security, but not as... there's a loud sound suddenly, not sure, cut this part out.
Bas (40:50.829)
Exactly.
Bas (41:11.565)
What are you doing?
Adi (41:18.828)
I think they're cutting something outside. That's great. Can you hear something weird?
Bas (41:23.277)
I hear something like a chainsaw in the background. It's a cyber criminal.
Adi (41:25.848)
Yeah. Anyway, so I'll ask fast and then... No, okay. So I see. When you see people who are more getting started in the field, what do you recommend they focus on? Because it sounds like, yes, there's a lot of need for people who know how to do, technically, security. But it sounds like, end of the day, the thing that moves the needle is more...
understanding the bigger game, sort of like how do you see it?
Bas (41:59.211)
Yeah, it's kind of choice, right? You can choose to become a more technical oriented information security officer, implementing technical measures. There are a lot of colleagues like that. And I think that's fine because it's a lot of work and it's complex, it's difficult. I think it's also interesting. But if I train people, I also do a training here in the Netherlands for another, yeah.
university. That training is focused on what I just explained, laying a foundation for structurally sound and continuous information security and improvement of your resilience basically, right. So it's a business thing, make the whole organization understand how to manage or how to oversee,
analyze vulnerabilities, match them with threats and manage your risks, right? And from that, the projects or whatever activities you start to improve your resilience. That's what I focus on. So it's a choice. And maybe you could try to do both, but it's kind of two different types of people. And that's logical, because if you're more on the technical side, you need to be more
Mathematician? Cut this out. You know what I mean. You need to be more mathematical, right? So you need to be more mathematical if you're on the technical side. And if you're more on the business side, you're kind of basically, you're sort of a business consultant, right? So you need to communicate, you need to understand, you need to think from the other person's perspective. So
Adi (43:35.689)
Mathematical?
Bas (43:56.353)
So what I always use, I did a lot of in the past, a lot of when I did business optimization, business model canvas workshops, you know, the business model canvas, I think, with the drawing one, you know what it is? Sorry. Well, business model canvas, it's made by Gai Cool. Yeah, yeah, yeah. So, so I, you know, let's start over.
Adi (44:11.426)
Say it again.
Adi (44:15.774)
A canvas, yeah.
Bas (44:24.331)
So in the past, I did a lot of workshops on the business model canvas, which is I think widely known in the world, how that canvas works. But there is also, and it's interesting, a product canvas they made. And the product canvas is about understanding your customer first. So what are his pains and what are his gains if he buys your stuff? So what do you actually need to...
make or produce for service or product that actually fits with the customers you made it for, right? It's just simple persona kind of thinking in marketing terms. We don't have that in information security. We don't think about the user. Yeah, the user is just dumb. He doesn't understand what we want. So I try to explain to the ISOs that I work with that you need to see them as personas, as that customer. You need to understand their pains.
And you need to figure out what the gains would be if they would actually do what you ask them. So, or advise them, I should say. So, if I talk to management and board about implementing risk management, I talk to them about the vulnerabilities and I talk to them about getting their, as we call it, registers in order. So it's basically
your list of people and functions classified, your supplier list with contracts, stuff like that. So it's just basically overseeing your business. If you do that, you could also use that to optimize your business at the same time, right? If you clean up your business, you get more efficient. So it should bring you something. It's an interesting investment if you do cybersecurity the right way.
I do that because I think from their perspective, they're not sitting there because they want to define complex security goals because that's not their business and they don't want to spend money on security only if it, yeah, they don't like to spend it on security if it only brings something we say, well, you're more secure, that's it. No, if we can spend that money and we can at the same time try to optimize our business, it's getting interesting, right?
Bas (46:44.993)
That's thinking from their perspective, not from yours, not from my unreadable policy documents, which I try to push and everybody's angry at me because no one wants to do it. It's not the way to go. That's what our world should learn basically, in my opinion. Yeah.
Adi (47:05.204)
Interesting. Okay. So I'm going to ask you one final question. Before that, thank you so much. This has been really fun. And I feel like you've given a lot of, yeah. I'm so happy you joined. You have a lot of perspective on like purely the business side of how, of how important it is, which is super interesting to me. Well, you did a great job at it.
Bas (47:09.676)
Yeah.
Bas (47:14.477)
Thank you.
Bas (47:24.865)
Yeah. Yeah. Yeah. That's all I can. So yeah. Thank you. Thank you.
Adi (47:36.418)
So what do you think, in what way will the CISO role, the security leader role change over the next few years with the way you see cyber security going now?
Bas (47:50.295)
Well, obviously in my opinion, I think it will move towards what I've been telling for this last, what is it, half an hour, hour about how the role of a CISO should be. It should be a trusted advisor to the board and the management in the first line of defense. That's what you're there for. You should not be a IT technical person.
saying nerd stuff and coming up with unreadable policies, right? It's not effective. I mean, we've been proving that for the last couple of years already. So, yeah, you should be more of a business partner, understanding them and understanding the people that you want something from or that you're trying to advise and then change your advice to what they actually, well, what in the way they can actually understand it or it can actually maybe even help them.
That's the best way to go. So I think that's how the role of a CISO is going to change in the next couple of years. I hope so, by the way, because I think it's the most effective way to go. But yeah, that's just me. I don't change the world.
Adi (48:58.594)
We'll have to see.
Bas (49:00.397)
Yeah, we'll figure that. And it's interesting. I mean, it's also interesting to talk to other CISOs who are more from a technical perspective and share ideas.
Adi (49:11.808)
Interesting. Thank you so much, Bas.
Bas (49:12.333)
It's really nice. Yeah, thank you for having me and listening so much to me. So, yeah.