The Evolving Role of the CISO: Insights from Cybersec Europe 2024


At the end of May, Cybersec Europe 2024 drew cyber enthusiasts and professionals to Brussels Expo, providing a platform for seasoned cyber security experts and innovative start-ups to share insights and address collective challenges. Among the 300 exhibitors, the SAI, ECSO, the Belgian Cyber Security Coalition, ISACA Belgium & Agoria hosted a panel discussion and Q&A session focused on the evolving challenges for future Chief Information Security Officers. 


The panel consisted of Bjorn R. Watne, former Senior Vice President and Chief Security Officer of Telenor; Joanna Świątkowska, ECSO Deputy Secretary General; and Miguel De Bruycker, Managing Director General of the Centre for Cybersecurity Belgium. Marc Vael, President of SAI vzw, moderated the conversation.

The discussion explored various themes, emphasising the evolving skill set required for modern CISOs, the impact of AI and quantum computing, and the importance of regulatory frameworks. 

Evolving skill set for CISOs 

The role of the CISO is expanding beyond traditional risk and incident management, to encompass the entire cyber security supply chain, Joanna Świątkowska stressed. She highlighted the necessity for CISOs to possess both technological expertise and a deep understanding of business needs. Cyber security, she argued, is a team effort requiring diverse expertise and strong collaboration. 

Bjorn Watne concurred, noting that the CISO’s role has rapidly evolved. Today, CISOs must be adept in crisis management, disaster recovery, business continuity and proactive cyber security measures. 

Miguel De Bruycker called attention to the importance of adapting to organisational scale and fostering a culture where cyber security concerns flow from IT to management, and vice versa. He also pointed out the value of the EU Cybersecurity Skills Framework for HR departments as a benchmarking tool. 

The role of AI in cyber security 

Delving into the implications of AI in cyber security, Miguel advised caution, noting that AI’s effectiveness depends heavily on the quality of input data. While AI can significantly ease cyber security tasks, it also introduces new risks and challenges that must be managed carefully. 

Bjorn discussed the dual nature of AI, as both a potential threat and a powerful tool for enhancing cyber security measures. Joanna viewed AI as a revolutionary technology capable of shifting cyber security efforts from reactive to proactive, particularly by enhancing Cyber Threat Intelligence (CTI). 

Audience members raised concerns about AI security policies, emphasising the need for caution with classified data and the importance of existing rules and ethical standards. The panel agreed that AI’s limitations, particularly its lack of explainability, call for careful integration into cyber security strategies. In terms of a specific AI security policy, the room did not have a unanimous opinion. Nonetheless, the existing rules, ethics policies and codes of conduct for access management and classification should also apply to AI. 

Quantum: preparing for the future 

Quantum computing was another hot topic. Some highlighted its immense potential and the significant risks it introduces, particularly due to the reliance on legacy systems. While quantum computing promises revolutionary advancements, many organisations’ older libraries and algorithms may not be quantum-proof, posing substantial security threats. 

Other participants took a cautious perspective, noting that while quantum-proof algorithms are in development, their practical implementation is still evolving. They pointed out the importance of robust lifecycle management for all systems, to prevent outdated technologies from becoming critical vulnerabilities. 

The panel and audience agreed that transitioning to quantum-resistant systems requires more than technical solutions; it entails updating system architectures, integrating new hardware, and ensuring all components are quantum-ready. While this is particularly challenging for large organisations with extensive legacy systems, it is nonetheless essential for maintaining cyber security resilience in the quantum era.

Navigating regulatory landscapes 

The discussion also addressed the complex regulatory landscape, focusing on key regulations including the Cyber Resilience Act (CRA) and NIS-2. Joanna pointed out that while these regulations enhance cyber security, they also pose implementation challenges. Organisations need substantial education campaigns and practical toolboxes to comply effectively.

Miguel discussed ‘regulation fatigue’, where the rapid introduction of new regulations overwhelms organisations. He noted a recent consensus among State representatives to pause the creation of new regulations until the existing ones are fully implemented and understood, to prevent an unmanageable regulatory burden. 

The panel stressed the importance of a balanced approach to regulation: stringent standards are essential, but organisations also need the resources and support to comply without stifling innovation. Continuous education and certification are crucial for keeping up with regulatory requirements, and forums such as Cybersec Europe facilitate the exchange of ideas and best practices. 

Fostering the next generation of cyber security professionals 

Both panel and audience underscored the importance of motivating and supporting the next generation of cyber security professionals. Bjorn emphasised the value of diverse roles within the CISO profession, encouraging young people to explore various aspects of the field to develop both technical and leadership skills. Joanna pointed out the challenges new professionals face (including stress and work/life imbalance), and the need for Board support and a transparent vision. 

Joanna was joined by Taco Mulder, CISO FPS Policy & Support (BOSA), who advocated for mentoring programmes such as Women4Cyber and Cyber Wayfinder, noting that such initiatives not only support mentees but also provide valuable learning experiences for mentors.

Conclusion: what makes a good CISO? 

The session concluded with reflections on the qualities that make a good CISO. A sense of humour was suggested as essential, highlighting the intense pressures of the role. Ultimately, the discussion underscored the dynamic and multifaceted nature of the CISO position, as well as the need for continuous learning, adaptability and a collaborative approach to cyber security. 

The panel recommended hosting more events specifically for CEOs to enhance their understanding of the critical role CISOs play in organisations. Increased awareness among top executives can foster better support for cyber security initiatives, ensuring that security concerns are integrated into strategic business decisions. 


About the author

Anse Keisse is a content and concept creator and works as a copywriter, story teller and editor-in-chief at The Content Company.