Toreon Office | Grotehondstraat 44 1/1 - 2018 Antwerpen | +32 3 369 33 96
June 2024 Edition
The CISO Insider is back!
After a brief period away, we’re back to providing you with the latest CISO news. This edition focuses on demystifying the NIS2 directive, with a guest article by Taco Mulder and our latest The Wide Open podcast, featuring Jasper Hooft and Thomas Dejagere.
But that’s not all we have in store for you! Here’s a full overview of this month’s topics.
The CISO Insider is back!
After a brief period away, we’re back to providing you with the latest CISO news. This edition focuses on demystifying the NIS2 directive, with a guest article by Taco Mulder and our latest The Wide Open podcast, featuring Jasper Hooft and Thomas Dejagere.
But that’s not all we have in store for you! Here’s a full overview of this month’s topics.
Guest article
NIS 2 Compliance or Security… or both? Written by Taco Mulder, CISO.
Curated content
The modern CISO: Managing scale, building trust, and enabling the business, by McKinsey
Curated content
Why CIO & CISO Collaboration Is Key to Organizational Resilience, written by Robert Grazioli
Toreon insights
The Wide Open Podcast: NIS2, what does it mean and how do you become compliant?
Career watch
Join Team Toreon
The news might have reached you: NIS 2 is there! Well, at least it’s coming to your organization, or an organization near you very soon. As it always goes, all of a sudden we are in a world of NIS 2 experts that will guarantee the adoption and compliance of the NIS 2.
I don’t know about you, but subjectively I get a very uncertain feeling. It’s great to see the endeavors of the experts to assist and very happy to see more mature security companies willing to assist. What I do see is that many kinds of offers of assistance are largely geared toward compliance. Frankly, this compliance-driven approach scares me.
Compliance means conforming to a rule at a minimum level, such as a specification, policy, standard, or law. In Belgium, the NIS2 bill (transposing the European NIS 2 directive) was approved by the federal parliament on 19 April 2024 (as the second country in the EU). We now see a great many offers to assist in NIS 2 compliance.
What worries me is that compliance is geared towards a minimum requirement with the law instead of focusing on the spirit of the law, its purpose, the desired objectives, and the wanted effects. The idea behind NIS 2 is to force the targeted entities to (finally) strengthen their perimeter against ever-increasing threats. Ideally, this should have been done for a long time.
Legislation like NIS 2 is the result of wanting to address non-conformities.
Non-conformities against common sense, ethical behavior, and best practices, non-conformities against basic information security hygiene. We have seen that with the GDPR (companies that struggle most with the GDPR are the ones that do not or have not respected your privacy), DORA (requirements for financial institutions based on insufficient investment in security or governance and ownership in the financial sector), NIS 2 (essential entities that did not fall under NIS were reluctant to live up to basic security investments).
I put it to you that a secured environment (in proportion to the value of protected assets) will bring with it automatically a correct level of compliance. Working towards compliance will not guarantee a secure environment per se and lead to a “tick in the box” culture.
We need to challenge this approach. Focusing on security, following the best practices, enhancing our resilience capabilities, and supporting our organizations, will bring with it compliance with the legal expectations of NIS 2. It is by acting according to our security principles, following our known paths of ISO27001, using our CCB Cyber Fundamentals, by working through our NIST frameworks, that we will achieve the desired effects in the spirit of NIS 2.
When you are assured that you have put in place your security measures, you will live up to the NIS 2 standards and expectations. It’s by working together, by involving our colleagues from legal, HR, and our peers, by supporting each other, and by addressing audit remarks, that we will endure.
NIS 2 compliance will support the security needs and business cases to strengthen our security posture. It puts an emphasis on the personal accountability of the highest levels of an organization. It forces decision-makers to account for the investments in people, processes, knowledge, and technology to cover their risks. It addresses the vulnerability controls as never before (ex.: supply chain).
At the end of the day, it encompasses potential heavy consequences for decision makers, not for being attacked, not for being breached, but for ignoring the information security needs, for ignoring needed investments, for ignoring the lack of organization-wide measures, for ignoring reality.
Personally, I am very happy with this step in the right direction through NIS 2. NIS 2 has created, through its compliance need, and potential consequences, a strong case to support information security professionals in getting attention to security needs at the correct levels.
Make use of NIS 2 to further your security endeavors, but focus on security. Compliance will come through a security approach. We need NIS 2 to support us in building a stronger, more resilient mesh in Europe, for now, and for the future.
Happy NIS 2 deployment 😊
In the fifth episode of The Wide Open, we welcome two experts, Jasper Hooft and Thomas Dejagere, who delve deeper into the NIS2 Directive within the industrial sector.
The modern CISO is uniquely positioned to bridge gaps across technology, processes, automation, and cybersecurity.
In this interview Jason Witty, global CISO, JPMorgan Chase, discusses his role and the challenges with McKinsey’s James Kaplan.
In this article Robert Grazioli, Chief Information Officer at Ivanti, breaks down the silos between IT and security, starting by fostering alignment between the CIO and the chief information security officer (CISO).
In the fifth episode of The Wide Open, we welcome two experts, Jasper Hooft and Thomas Dejagere, who delve deeper into the NIS2 Directive within the industrial sector.
The modern CISO is uniquely positioned to bridge gaps across technology, processes, automation, and cybersecurity.
In this interview Jason Witty, global CISO, JPMorgan Chase, discusses his role and the challenges with McKinsey’s James Kaplan.
In this article Robert Grazioli, Chief Information Officer at Ivanti, breaks down the silos between IT and security, starting by fostering alignment between the CIO and the chief information security officer (CISO).
Join Toreon, the cybersecurity company that’s all about empowering individuals and organizations in the field of cybersecurity. Our team of over 50 security domain experts is driven by knowledge and impact, partnering with companies to define and implement strategic security roadmaps.
Join our dedicated GRC and privacy team of 17 Toreonites, and work with us to raise and maintain an organization’s security maturity to a higher level.
Join a dynamic OT security team of 5 dedicated Toreonites, tackling exhilarating security projects in utilities and industries.
Join a dynamic and dedicated application security dream team comprising 9 passionate Toreonites who are already deeply immersed in a multitude of exhilarating security projects.
Join Toreon, the cybersecurity company that’s all about empowering individuals and organizations in the field of cybersecurity. Our team of over 50 security domain experts is driven by knowledge and impact, partnering with companies to define and implement strategic security roadmaps.
Join our dedicated GRC and privacy team of 17 Toreonites, and work with us to raise and maintain an organization’s security maturity to a higher level.
Join a dynamic OT security team of 5 dedicated Toreonites, tackling exhilarating security projects in utilities and industries.
Join a dynamic and dedicated application security dream team comprising 9 passionate Toreonites who are already deeply immersed in a multitude of exhilarating security projects.
All in-person events, hosted by the Data Protection Institute
CISO M1 – Security Governance and Compliance
Next training date:
19-20 September 2024
CISO M4 – Security Operations
Next training date:
25-26 September 2024
CISO M2 – Security Architecture
Next training date:
15-16 October 2024
CISO M5 – Threat & Vulnerability Management
Next training date:
23-24 October 2024
CISO M3 – Secure System Acquisition and Development
Next training dates:
25-26 November 2024
CISO M6 – Leadership
Next training date:
3-4 December 2024
CISO M3 – Secure System Acquisition and Development
Next training dates:
25-26 November 2024
