Security Leader Insider – November 2024

Security Leader Insider Newsletter

November 2024 Edition

Welcome to this edition of Security Leader Insider, where we bring you the latest insights and expert perspectives to help navigate the ever-evolving cybersecurity landscape. In this issue, we feature a guest article by John Bun offering a step-by-step approach to improving digital safety, alongside curated insights from McKinsey on how a CISO background can benefit a business-unit CIO. The World Economic Forum shares top AI-related concerns from Chief Information Security Officers, and Toreon’s own Thomas Dejagere provides practical guidance on navigating the upcoming NIS2 legislation.
Let’s dive into this edition’s content!


In this edition

Curated content
The benefits of a CISO background to a business-unit CIO, by McKinsey

Tips & Tricks
The CISO Assistant Community

Upcoming Trainings

GUEST ARTICLE

A step-by-step approach to improve Digital Safety

By John Bun

In today’s complex digital world, keeping companies safe from cybersecurity threats can feel like a never-ending battle.

Within Toreon we are turning this challenge into an actionable, streamlined Operating Model, helping organizations to protect their most valuable assets while maintaining efficiency.

At the heart of our approach is a basic principle: it all starts with threats.

The worldwide cybersecurity threat landscape is continuously evolving, and a yearly Threat Landscape (within Toreon we use the ENISA Threat Landscape, ETL) is the starting point for our Cybersecurity Operating Model. Whether it’s ransomware, phishing, or zero-day vulnerabilities, the challenge is to stay ahead. This yearly Threat Landscape is kept current with weekly and daily Threat Intelligence feeds (such as the SANS Internet Storm Center, the feeds from Security Operations Centers, or the daily feeds from the CCB and other sources) and with the security incidents we encounter within our customer portfolio. But how does this translate into practical actions that drive security forward for your organization?

Step 1: Identify Vulnerabilities through a Threat-Driven Lens

Based on the Cybersecurity Threat Landscape (ETL) and on tracking of the latest threats, threats are projected onto your assets. A clear view of your assets (at least everything that is connected to your network) is therefore essential.

We have to know what you have in order to know what we must protect. Asset discovery with tools such as Microsoft Defender or Lansweeper, and day-to-day asset management in your service management tooling (JIRA, ServiceNow, or others), is an important prerequisite for identifying threats and projecting them onto your assets.

Not all organizations face the same risks. For example, a textile manufacturing company such as BD has different threat exposures compared to a financial services company or a digital agency.

By understanding your assets and aligning them with current threats, we can start pinpointing vulnerabilities. These vulnerabilities must be registered in a vulnerability register, kept up to date, and monitored with vulnerability management tooling such as Microsoft Defender, Nessus, Lansweeper or others.

Assessments and audits also play a key role here. By conducting security maturity assessments and reviewing audit results from statutory auditors, clients or parent companies, our CISOs are able to identify weaknesses and confirm groups of vulnerabilities in the organization’s environment. These findings are fed directly into a Cybersecurity Risk Register, creating a living document that tracks every potential cybersecurity risk in the organization.

Step 2: Mitigating Risks with Policies and Actions

Once risks have been identified, mitigation begins with policy creation. Based on the identified vulnerabilities, the CISO collaborates with IT and business teams (e.g. HR and Compliance) to develop targeted policies that address security gaps. Whether it’s a password policy, a data encryption standard, or a Patch Management Policy, these policies form the foundation of the Security Framework. Policies are implemented following a risk-based Cybersecurity Roadmap.

For these policies to be effective, they must not only be approved by IT management but also officially endorsed by the Executive Committee (ExCom) or by the Board. This ensures that the policies carry the necessary authority and are aligned with business goals, that ownership and accountability are taken, and that the resources needed for implementation and enforcement are secured.

But what about vulnerabilities resulting in risks that the organization lacks the resources to address immediately? For these, we establish Risk Acceptances. These are carefully assessed risks presented to the Executive Committee, ensuring that each risk is either mitigated or accepted, and that ownership is assigned to a responsible party.

This is also part of the yearly budget and forecast cycle, in which the organization decides whether to mitigate a risk and approve the necessary budget, or to accept the risk and assign ownership.

Step 3: Tracking Progress with Dashboards and Metrics

For policies being implemented or already in place, dashboards are created to monitor progress. These dashboards track security measures, flag exceptions, and are consolidated into a company-wide Cybersecurity Dashboard with Key Risk Indicators (KRIs) that management can easily follow.

The main guiding principle in our operating model is that every month we should be able to show improvement compared to the previous month. If something isn’t working or we notice delays, we quickly adjust course. Security is an ongoing process of improvement and adaptation. This also ties into ISO27001’s continuous improvement cycle, keeping your security agile and responsive to new risks.

Step 4: Closing the Loop with Incident and Exception Management

Of course, sometimes our dashboards show that things are not going as planned. That’s why we regularly hold Progress Meetings to assess the effectiveness of security initiatives. If progress stalls or security improvements aren’t realized, corrective actions are discussed and logged in an incident management system such as JIRA. This ensures that nothing slips through the cracks and that any issue is followed up methodically until it is resolved.

By ensuring this clear path from threat identification to risk management, your organization will not only stay compliant but also stay secure, even in the face of constantly changing threats.

The Path Forward: Empowerment through Structured Security

Whether you’re a C-level executive, a manager, a security expert, or a BD employee, the goal is the same: securing the future of your organization while managing risks intelligently.

Ready to take the first step? Let’s connect, assess, and start securing your future.

By adhering to well-established frameworks such as ISO 27001 and the CIS Controls for hardening IT infrastructure and applications, and by applying proven management models such as LEAN and Continuous Improvement, BD builds resilient and proactive security management.

If security feels like an impressive challenge, we must always keep in mind:

The process doesn’t have to be complicated. With the right focus, structure, and expertise, risks can be evaluated together—improving security step by step and ensuring that BD improves its security, even in an uncertain threat landscape.

CURATED CONTENT

Handpicked for you

The benefits of a CISO background to a business-unit CIO

Although CISOs focus on technology and chief information officers (CIOs) concentrate on the business, their missions are inextricably linked. A CIO with a foot in each world enjoys a unique perspective that can only enhance effectiveness and better serve the enterprise. Rohan Amin, CIO, Consumer & Community Banking, JPMorgan Chase, explains to McKinsey’s James Kaplan how his CISO background prepared him for the CIO role.

Navigating AI: What are the top concerns of Chief Information Security Officers?

The release of generative AI systems has significantly transformed the cyber risk landscape, compelling organizations to evaluate the associated cybersecurity implications. A critical aspect is distinguishing between immediate priority risks and longer-term concerns posed by AI. This article from the World Economic Forum highlights insights from Chief Information Security Officers (CISOs) on their top concerns related to AI and the proactive measures they are implementing to address these challenges.

Navigating the upcoming NIS2 Legislation

As the cybersecurity landscape continues to evolve, so do the regulatory requirements that aim to protect critical sectors from cyber threats. The upcoming Network and Information Security Directive 2 (NIS2) legislation is a significant development for businesses operating across the EU. This blog post outlines the essentials of NIS2 and highlights the short-term, upcoming key deadlines for businesses operating in Belgium.

Do not miss our next Security Leader Update in Brussels on 2 December:

📌 Aram: Effective Metrics with OWASP SAMM and NIST CSF (workshop)
📌 Thomas: Legal Frameworks for Ethical Hacking (update)
📌 Ben: Red Teaming AI Security (workshop)

Interested in participating?

Peter Berghmans, CEO of Data Protection Institute has been nominated for Belgium's Cybersecurity Privacy Professional of the Year!

Peter Berghmans, CEO of Data Protection Institute, has been nominated for the prestigious Cybersecurity Privacy Personality of the Year award!

This recognition celebrates excellence, innovation, and leadership in cybersecurity in Belgium. A multidisciplinary and independent jury will evaluate the nominees, and the winner will be announced at the Cyber Security Awards Gala on December 4th at the Africa Palace in Tervuren.

Congratulations to Peter on this well-deserved nomination!

Tips & Tricks

The CISO Assistant Community

CISO Assistant is a one-stop shop for GRC, covering Risk, AppSec and Audit Management and supporting 70+ frameworks worldwide with auto-mapping: NIST CSF, ISO 27001, SOC 2, CIS, PCI DSS, NIS2, CMMC, PSPF, GDPR, HIPAA, Essential Eight, NYDFS-500, DORA, NIST AI RMF, 800-53, 800-171, CyFun, CJIS, AirCyber, NCSC, ECC, SCF and many more.

Upcoming trainings & events

Book a seat in our upcoming trainings

All in-person events, hosted by the Data Protection Institute

Security Leader: Leadership Module

Next training date:
3-4 December 2024

Security Leader: Security Operations

Next training date:
6-7 February 2025

Security Leader: Security Governance and Compliance

Next training date:
17-18 February 2025

NIS2 Lead Implementer Belgium: Legislation and practice (NL)

Next training date:
19-20 February 2025

Security Leader: Security Governance and Compliance (FR)

Next training date:
Q3 2025

Security Leader: Threat & Vulnerability Management

Next training date:
18-19 March 2025

CISO Full Certification Track Module 1-7