2023: ACTIVITY REPORT OF THE CYBER SECURITY COALITION

Creating a robust cyber security ecosystem

Belgium’s NCC takes up an active role at European level

The Centre for Cybersecurity Belgium monitors EU cybersecurity laws and initiatives to ensure that they are implemented in Belgium in a manner consistent with the national cybersecurity strategy. Since 2022, it also acts as the National Coordination Centre (NCC) for Belgium, as part of a new European governance framework. “We choose to be very active to ensure our impact at the European level.”

Ellen Stassart

Head of Belgium’s National Cybersecurity Coordination Centre (NCC-BE)

Ellen Stassart became Head of Belgium’s National Cybersecurity Coordination Centre (NCC-BE) in 2022. She is the representative for Belgium in the Governing Board of the European Cybersecurity Competence Centre (ECCC). “To comply with European regulations, each Member State had to establish an NCC. In some countries, this body falls under federal services, such as economy or justice. In Belgium, the NCC is a transversal, national body under the Chancellery of the Prime Minister as part of the CCB,” Ellen explains the position of the NCC-BE.

The main task of the NCC-BE is to coordinate all cybersecurity investments for Flanders, Wallonia and Brussels, for the purposes of two major programmes. “This is about investments in the broad sense – money, manpower, time, training and so on – that fit into the framework of the Horizon Europe programme for research and innovation, and the Digital Europe programme. We help to make these actions concrete. In addition, it is also the NCC-BE's duty to support the ECCC in strategic tasks.” 

European support 

The European Commission directed the Member States’ governments to have a project proposal ready by 2023. “50% of the investment for this project is paid by the country itself, 50% is supported by the European Commission. By doing so, Europe is showing that it supports each country to set up more actions to enhance cybersecurity,” Ellen Stassart states. Although this assignment was not a competition, countries were ranked on their proposal. “Belgium made a strong commitment to invest in the NCC-BE, because this is a 50% grant. Its preparation and submission were an administrative and bureaucratic adventure! Our proposal scored well, and we hope it will provide good support to beneficiaries in Belgium of future national and European funding.”

Our country can continue to count on another type of European support, as well. “Europe usually transfers funding directly to companies or agencies that submit a project. Something new is the extra funding that will be transferred directly to the NCCs, and that the NCC will distribute further on a national level. This is called the Financial Support for Third Parties and will amount to 240,000 euros for the four projects in 2025. The intention is to make this project budget much bigger in the future, because we believe in the premise that, as our country's national hub, we know much better where the priorities lie.”   

Mutual reinforcement 

The ECCC is only as strong as the group that is part of it. “This is why we choose to be a very active player in the Coalition Focus Groups. Belgium hosted a meeting mid-December to draw up a concrete and implementable action plan based on all the priorities. By taking an active role, we can ensure that priorities for our own strategic plan are incorporated as much as possible into the action plan.” 

In order to know what the Belgian economy needs, as well as to create more awareness, the NCC-BE is gathering input from the field and the existing (cybersecurity) associations. “We have to ensure we don’t reinvent the wheel,” Ellen warns. “By creating an overview of the existing awareness initiatives, both in Belgium and in Europe, we can work together to reach each target group, in a dedicated way. We want to reinforce each other, but also create more synergies between regions and different groups.”

“The NCC strives to bring together all research, innovation, awareness and training initiatives, and coordinate all this to make Belgium one of the least vulnerable European countries. We keep our finger on the pulse so that we know where to invest,” Ellen Stassart concludes.

Unlocking Europe's Cybersecurity Future

Pascal Steichen sheds light on the vital role played by the European Cybersecurity Competence Centre (ECCC), headquartered in Bucharest. Discover in this podcast how this Centre, in collaboration with the Network of National Coordination Centres, is enhancing Europe's cybersecurity capacities, fostering the entire value chain from research to the market, and boosting the competitiveness of the Union’s industry in this critical field.

Pascal Steichen

CEO of SECURITYMADEIN.LU

“Collaboration with ethical hackers leads to a better result”

Financial institutions are a favourite target of hackers, mainly because of the data that circulates within these institutions. That is why KBC is strongly committed to protecting data. One implemented measure involves calling upon ethical hackers, who regularly identify vulnerabilities in the organisation’s systems. Attackers and defenders are increasingly teaming up to stimulate knowledge sharing.

Simon De Schoenmaeker

Information Risk Officer at KBC

These are undoubtedly turbulent times. The wars in Ukraine and the Middle East, for example, are often the breeding ground for cyberattacks targeting utilities, public infrastructure… and the financial sector. “Every day, hackers attempt to penetrate our systems. Especially when certain software systems need an update, we see the number of cyberattacks increase noticeably,” says Simon De Schoenmaeker of KBC. 

Red, blue & purple teaming 

Simon has been working for KBC since 2011, initially as Systems Engineer Telecom and today as Information Risk Officer. He has seen first-hand the increasing sophistication of cyberattacks. “With my team, we are trying to find appropriate answers to this. We believe that we can optimise our security by regularly testing our security systems and protocols. We do this, among other things, through ‘red teaming’: where we give ethical hackers free rein to break into our systems. We then examine whether our protective systems are efficient enough, and whether we can respond sufficiently quickly to repel the attack.” 

While the exercises are particularly educational for KBC, this remains a one-sided approach. That is why for several years the company has also been using so-called ‘purple teaming’, where the red and blue teams join forces. Simon: “Both methods complement each other impeccably. Red teaming will always be useful, because it is the perfect way to put our procedures and processes to the test. However, these exercises are secret and the blue team is only informed at the end, when it is faced with essentially a fait accompli.”  

“If you have a sufficiently mature organisation, purple teaming can lead to new insights more quickly. Involving the blue team from the start gives you more interaction, allowing you to share knowledge more quickly and provide direct feedback.” 

AI: friend or enemy?  

But a company needs sufficient manpower to carry out these types of exercises. “That poses a problem with the current labour shortage,” Simon continues. “And it is precisely why we regularly organise training courses to make our staff aware of existing security risks. We look at emerging technologies that can help us automate the exercises, as well.” 

“AI will certainly play a role in this automation. At the same time, we must keep aware that hackers will also use technology to achieve their goals. The key is to continue to put cybersecurity high on the agenda, in order to be as prepared as possible,” KBC’s Information Risk Officer concludes.

Belgian legislation gives ethical hackers an extra boost in 2023

Crowdsourced ‘bug bounty’ programmes are on the rise. This form of cybercrime prevention, in which communities of ethical hackers look for vulnerabilities and receive compensation for each weakness detected, received additional momentum this year with the passage of the Whistleblower Act. “It comes down to the legal anchoring of our model. Belgium is putting itself in the spotlight as a pioneer, and can now also pull this bandwagon at European level,” says Stijn Jans of Intigriti.

Stijn Jans

CEO at Intigriti

Bug bounty programmes give ethical hackers the opportunity to detect vulnerabilities; and in the event of a successful detection, they will then be reimbursed. The model has become increasingly established in recent years. “When we started our company about eight years ago, we always had to explain and defend the model. It was difficult to convince people to pay hackers. Today, even the average person knows the principle,” says CEO Stijn Jans of Intigriti, a Belgian company that has become a European leader in the field of ethical hacking. 

The increasing success is mainly linked to the changes that the business world and society have undergone in recent years. Since the global COVID pandemic, for example, more and more companies and sectors have become highly dependent on online applications, and are therefore potential victims of cyberattacks. “Just think of sectors such as fintech and e-commerce, which are increasingly prominent in our world,” Jans states. 

Social impact 

“Our growth path is of course great for us as a company, but is especially valuable for the community connected to it,” Jans continues. “Intigriti is crowdsourced. We work with an international community of hackers, spread across more than 150 countries. So we can avoid situations where certain systems are always tested by the same people; this approach prevents tunnel vision from developing. In addition, it ensures our hackers' creative ideas are optimally utilised. So it is an opportunistic model.” 

Intigriti prides itself on its social impact. “We also work with hackers from countries where economic conditions are more difficult. The compensation they receive can significantly impact their quality of life. The social added value is therefore not only limited to the security aspect. That is precisely why we strongly believe in the added value of our project,” Jans continues. 

Whistleblower Act  

The Cyber Security Coalition strongly believes in the project and uses the community to better secure their business. In addition, bug bounties also received a big push from the Belgian legislature this year. Since the Belgian Whistleblower Act came into force in February 2023, everyone in our country can legally test companies' security. If a vulnerability is detected, it is then up to the company itself to deal with it and provide an appropriate response. In this way, the government wants to encourage the business community to work on sound security architecture and clear recovery plans in the event of a cyberattack.  

“It comes down to the legal anchoring of our model,” says Stijn Jans. “The groundbreaking initiative is primarily the work of the Centre for Cybersecurity Belgium (CCB), which deserves a lot of credit. Belgium is putting itself in the spotlight as a pioneer and can now also pull this bandwagon at European level. Throughout the EU, more and more people are interested in this way of working.”

Supported by the change in law, Intigriti is looking to the future with enthusiasm. “Our model should become even more mainstream, while the quality of our community will continue to increase. Not only through numerical growth, but also the steadily improving technological tools we have available. The ethical hacker community will certainly continue to embrace AI. However, because our model is clearly focused on the creative inspiration and out-of-the-box thinking of our hackers, we do not believe that AI will replace our activities.” 

The changing third party ecosystem

Why proactivity became the norm in third-party management

The ever-increasing technologisation of our world makes it impossible for companies and organisations to assure their cybersecurity without involving their partners or suppliers. Third-party risk management has become the proactive starting point of an elaborate cybersecurity strategy. “In fact, it is now a basic requirement to protect your organisation,” says Swift’s chief security officer Debbie Janeczek.

Debbie Janeczek

Chief Security Officer at Swift

Our contemporary business environment and, by extension, entire society face several technological challenges. Since the COVID pandemic, the digital transformation has accelerated, which also raises new security concerns. After all, virtually every company and organisation uses a multitude of technology products or services from both large technology players such as Microsoft or SAP, and service providers for a particular sector. 

Larger attack surface  

This context obviously involves major implications for the cybersecurity of these organisations. “Companies spend a lot of time securing their own data, but then interact with others, distributing some of that data to service providers or third parties. By increasing the attack surface, this also increases the risk of cyberattacks,” states Debbie Janeczek. She is Chief Security Officer at Swift, an international banking cooperative providing services related to the execution of financial transactions and payments worldwide. “It is evident in actuality. For example, third-party breaches at large companies have continued to increase, and are commonly acknowledged to be a problem in the industry.”

Coupled with the reality that cybercrime is now an industry in itself, driven by economic motives, it comes as no surprise that third-party risk management has become a constituent part of a cybersecurity strategy. “In practice, you will notice that this is a starting point when devising cybersecurity policies. Today, for instance, potential partners extensively question one another on cybersecurity, before engaging with each other. The questionnaires are increasingly robust.” 

This increase in maturity can also be extended to the handling of vendors and to the internal operations of large companies, which are progressively operating to set standards when considering possible collaborations with third parties. “In summary, this evolution should mainly be understood as a shift from reactive to proactive policies in terms of dealing with third parties within cybersecurity. In fact, it has become a basic requirement for anyone who wants to do business. The financial sector, which historically has been at the forefront of technology, has played a leading role in this shift,” clarifies Janeczek, who immediately stresses that this approach can only exist in a world where there is a constant focus on knowledge sharing and collaboration. 

Embracing new technologies  

The trend is by no means new. “It is fundamentally different from AI, which has taken the world by storm in 2023, and currently occupies the entire cybersecurity sector. The latter, however, also offers clear opportunities around third-party risks. Thus, in the future, it cannot be ruled out that AI could be used structurally as a means of third-party management.” 

For Debbie Janeczek, this structural embrace of new technologies is no less than a minimum requirement for the future. Only by doing so, will we be able to keep up with the increasingly complex security challenges: “The further developments around quantum computing are tantamount to the arrival of a totally new reality, once again requiring us to completely rethink security and cyber risks. Conversations on the subject are already in full swing and will only increase,” she concludes.  

“Insurers are increasingly taking third-party risks into account”

Not only is the number of cyber incidents on the rise in our country, the number of companies taking the step to insure themselves against such attacks is also increasing. But what types of damage does this insurance cover? Which conditions determine the cost of a cyber insurance policy? And how do insurers deal with third-party risks? We asked Tom Van Britsom, cyber expert at Vanbreda Risk & Benefits, to explain.

Tom Van Britsom

Cyber Expert at Vanbreda Risk & Benefits

As Belgium’s largest insurance broker, Vanbreda Risk & Benefits has a good overview of the cyber risks that Belgian companies are confronted with. The broker’s portfolio of insurance policies against cybercrime increased by 20 percent in 2023, to 15.6 million euros. “We are seeing an increase in both the number of customers and the cost of current policies, causing the premium volume to rise. That should not be surprising, because hackers are increasingly bold. Any company can be a target. Insurance is therefore not a luxury,” says Tom Van Britsom. 

Cyber insurance remains a relatively new concept for the sector. “Many insurance companies struggle with correctly estimating a premium. As a result, there are big price differentials in the market, and a premium can be expensive,” Tom explains. “That is why it is important to be transparent about your situation: giving a good picture of your company, your suppliers and your customers. The size of the company, its activities, the number of employees, the claims history, the turnover, the cybersecurity maturity of the company, etc., determine the pricing.”

Stricter acceptance rules 

In some cases, the insurer refuses to grant a company a policy against cyber risks. “That has to do with their acceptance rules. For an insurer, the balance sheet must be in balance over several years. In other words, the premiums received must continue to reimburse claims. This explains why certain insurers focus on specific sectors or sizes of companies.” 

One of the factors playing a role in acceptance is third-party risks. Tom Van Britsom: “Insurers are increasingly taking third-party risks into account in their underwriting policies. They need a good assessment of the digital dependency and connectivity between companies. Today, companies may use common systems or be dependent on a service provider. Manufacturing companies need logistics companies, which in turn transport goods to warehouses, etc. Because every company plays a crucial role in the supply chain, a cyber incident rarely affects just one organisation.” 

Working on the human firewall 

The fact that insurance is becoming more expensive and sometimes more difficult to obtain should not stop companies from insuring themselves against cyber risks, Van Britsom suggests: “The exercise of considering an insurance can be instructive. Furthermore, it is better not to postpone the decision: the world is evolving so quickly that we will always be confronted with new cyber challenges.” 

In addition - and this is often a misconception - cyber insurance is about much more than compensation for the damage incurred. “For example, the insurer’s helpline is also important and valuable, because it will guide you through the entire incident, including the recovery process. That is why it is important to look at how the helpline is structured and which experts you will be able to call on.” 

The cyber expert of Vanbreda Risk & Benefits concludes with one final piece of advice: “In addition to insurance, companies must continue to invest in the human factor, and point out the dangers to their employees. Insurance and prevention go hand in hand. Don’t forget that human action is still the basis of 90% of cyber incidents.”

“We need to delve deeper to examine third-party risks”

Mastercard is undergoing a transformative journey beyond its traditional financial services. In an era rampant with cyberthreats, its approach involves rigorous research and a paradigm shift in how cybersecurity is perceived and managed. Maikel Ninaber, Director of Cyber & Intelligence at Mastercard, reveals its pioneering strategies, illuminating the need for comprehensive risk assessment and innovative tools to navigate the evolving cybersecurity landscape, and to adhere to stringent regulatory frameworks.

Maikel Ninaber

Director of Cyber & Intelligence at Mastercard

While Mastercard has long enjoyed global recognition for its role in payment solutions, its more recent commitment to cybersecurity is less widely acknowledged. “Through our payment cards, we’ve established a strong foundation of trust. This trust is what we aim to replicate in our cybersecurity solutions. As a prominent player in the global financial sphere, we understand that we are among the most targeted companies worldwide, giving us substantial experience with cyberattacks,” explains Maikel Ninaber. 

In pursuit of this objective, the company is dedicated to, among other initiatives, comprehensive research and analysis of the existing cyber landscape. “Our research indicates there will be a significant transformation within the cyber ecosystem in the upcoming years. Approximately 75 percent of employees will interface with technologies operating beyond their traditional IT systems. Consequently, third-party risks will surge, both in quantity and scope. This will inevitably lead to both a substantial escalation in cyber risks and in the repercussions of incidents, with breach costs potentially increasing as much as sevenfold,” Ninaber continues.  

Reimagining security: examining each “ingredient” 

At present, however, effective security measures involve continuous monitoring to mitigate risks that might not be entirely clear. “The truth remains that, for numerous services, we lack comprehensive insight into all the involved entities and systems. And adapting to this reality will require a change in approach. In current day-to-day practices, regrettably, responses are often reactive, occurring only after an incident has taken place - by which time it's too late.”  

This context thus necessitates a paradigm shift in identifying potential risk contributors. Maikel Ninaber: “Our goal should be to create a framework where we don't merely scrutinise and assess products based on associated risks at a surface level. Rather, we must delve deeper into examining the ‘ingredients’ of each product, and apply risk analysis at this granular level. For every product and supplier, an assessment of these ingredients becomes imperative, as they constitute potential layers where vulnerabilities might manifest.” 

Tools tailored to a new reality  

To facilitate this transition, Mastercard itself offers an array of tools. “Our aim is to equip the ecosystem with tools that foster a novel approach towards understanding third-party risks. This symbiotic relationship between our studies, landscape analyses, and tool development underlines their intrinsic coherence. These tools don't merely offer insights into the complex risk landscape; they also contribute by pinpointing critical areas of concern and delineating necessary remedial measures. Additionally, they prioritise actionable steps,” adds Ninaber. 

Legislation takes on a pivotal role in this endeavour. “Our suite of tools is distinguished from others, as it aligns with regulatory initiatives such as NIS2 and the Digital Operational Resilience Act (DORA). Companies can use these tools to effectively chart their compliance with the stringent regulations. This, in turn, furnishes them with comprehensive guidance, enabling international benchmarking without extensive survey efforts,” Maikel Ninaber concludes. 

“Digital trust requires a common language”

The multitude of technologies that reinforce each other, the speed of technological innovation, and the constant presence of cyber threats are all contributing to third-party risk management becoming a central theme in cybersecurity. Malicious code injected into a single software application can have a huge impact on other users and systems. Thus, more than ever, digital trust is the keyword. “In practice, this level of trust can only be achieved when there is a common language,” Egide Nzabonimana of ISACA Belgium suggests.

Egide Nzabonimana

President of the Belgium chapter at ISACA

Companies are being driven to adopt technology at an unprecedented pace. In the past years, both remote working and the transition towards Industry 4.0 have accelerated the introduction of new technologies and digital tools. While such technology has been of great assistance, it has also brought about an increase in malicious cyber activity.  

“Cyber threats introduce risk to business operations and to systems,” says Egide Nzabonimana, president of the Belgium chapter of ISACA, an international non-profit organisation for IT professionals. “Not only are the systems used by the company itself at risk, but so are those outsourced to their third-party suppliers. This is particularly concerning for organisations whose operations rely heavily on third-party support and capabilities.” 

The back-end has become a complex web 

The result is that the back-end of a company’s digital systems has become a complex web involving many different players. Their software and systems must be compatible with each other in order to function correctly. But in the light of continuous cyber attacks, this web must fit together as tightly as possible, with no security gaps. “You can compare the situation to a newly formed family. Third-party risk management is the new form of marriage that enables our current way of operating a business,” according to Nzabonimana. 

Companies must thus not only assess their own security environments, but also understand the security environments of their third-party suppliers. “You need to treat the third-party supplier’s environment as an extension of your own IT systems. Third parties must demonstrate that their state of governance and their cybersecurity are in harmony with those of the organisations they work for, supporting systems without introducing weaknesses that can be exploited by cyber criminals. These are two major challenges for any enterprise infrastructure and accompanying third-party supplier, as the objectives of each may not align as smoothly as one would expect.” 

Keeping up with technological changes 

For successful third-party risk management, there is first a need for digital trust. “In practice, that level of trust can only be achieved when there is a common language. And this is ISACA's aim. By offering training, audits and certificates to IT trust professionals, we enable dialogue,” Egide Nzabonimana explains. “Our certificates are a globally recognised quality label that is also linked to an ethical code of conduct. They demonstrate that someone is able to contribute to a specific theme within cybersecurity. Moreover – and this is essential – you can only renew the certificates if you can demonstrate that you are keeping up with technological changes.” 

One of the most important technological breakthroughs of 2023 was generative AI, which can also become a game changer for cybersecurity. “If we want to keep up, it is crucial that we learn to have the right focus. That is why we must continue to build a framework that can deal with these impactful trends. We further contribute to this through the ISACA certificate we have now introduced for new technology.”

Collaboration and knowledge-sharing among cyber professionals therefore remains very important. “Thanks to organisations such as the Cyber Security Coalition, a well-developed ecosystem has emerged in Belgium, with the same mission as ISACA. This ensures that we do not have to keep reinventing the wheel. Especially considering the ongoing labour shortage in our sector, we must continue to look for ways to allow business-minded people to collaborate optimally with IT professionals,” the president of the Belgium chapter of ISACA concludes.

AI cyber security challenges

“AI is a copilot who makes us switch gears faster”

The number of cyberattacks increased by a quarter in 2023, according to the annual report of technology company Microsoft. The main culprit appears to be AI, which allows hackers to launch attacks faster and on a much larger scale. And thus a new approach is required, in which Microsoft will use AI to better protect itself and its customers. Meet the Secure Future Initiative.

David Dab

National Technology Officer at Microsoft

ChatGPT is just over a year old and the arrival of the smart chatbot caused great enthusiasm about AI worldwide. Now that more and more people are using the technology of generative AI, more and more companies are gradually realizing its added value. David Dab, Microsoft’s National Technology Officer: “AI is not new, but we have passed an important turning point, because for the first time many people can understand and see what the impact of AI can be. ChatGPT has really democratized AI, not just in terms of awareness, but sheer power and ease of use.” 

Yet the technology raises concern among many people. “It is simply not always used for good purposes. For example, hackers can develop key components of a large-scale, sophisticated attack with the snap of a finger,” David continues. In response, Microsoft has set up the Secure Future Initiative. “It has three pillars, focused on AI-based cyber defences, advances in fundamental software engineering, and advocacy for stronger application of international norms to protect civilians from cyber threats. With regard to our products, we will use AI to detect threats faster and more effectively. After all, only by fighting with equal weapons can we make the lives of hackers a lot more difficult and their criminal business less attractive.” 

AI technology can also help address the shortage of cyber professionals. “We cannot ignore it: we will not get there with people alone. That is why AI in cybersecurity is an absolute must. At Microsoft we’ve developed our own AI tool: Microsoft Security Copilot. It is an assistant that can take over a number of routine tasks from the cyber professional. AI can make very accurate vulnerability analyses and predictions based on data. This should help cyber professionals identify suspicious activities more quickly.”

Stronger together 

The use of AI in new and more secure software is an important step forward. Microsoft is also taking measures to combat identity fraud. “This is crucial because in the past year the number of cases of identity theft has increased tenfold. Therefore, we will also develop a new protocol and more consistent method for account verification. Finally, if we look at the speed at which the attacks are coming our way today, we simply need to respond faster and implement our security updates more quickly to ensure that there are no holes in our defence wall. AI will contribute to this as well.” 

In this way, Microsoft hopes to better protect itself and its customers against the increasingly bold attack methods of hackers. “In that context, cooperation between the public and private sectors must also be intensified. I see an important role for the Cyber Security Coalition in this because it is precisely by sharing experiences with each other and joining forces that we can make progress faster. More than ever, cyber security is a shared responsibility,” concludes David Dab.

“Every machine learning stage should be protected diligently”

Artificial Intelligence (AI) is an incredibly useful technology in many domains. But it can also be deployed by cybercriminals to disrupt machine learning models, potentially affecting the final applications. Despite the possibly serious consequences, this aspect of the relationship between AI and cybersecurity is vastly underexposed. “We cannot and should not leave software developers alone in this challenge,” Sabri Skhiri of Euranova states.

Sabri Skhiri

CTO and Research Director at Euranova

The explosion in the use of AI is undoubtedly the most discussed topic of the year within the IT world. This new reality generates a myriad of new cybersecurity challenges. “Traditionally, this tension materialises in two ways. On the one hand, there is the use of AI to create smarter attack models. There are numerous examples of this. On the other hand, you also see an increase in the use of AI models for remediation during or after an attack,” clarifies Sabri Skhiri, CTO and Research Director at Euranova, a Walloon company that develops AI models for a wide range of international customers.  

Bypassing face recognition technology 

“But there is a third - as yet hotly underexposed - modus, where AI gets in the way of cybersecurity. And that is when AI is deployed to disrupt the machine learning process,” he continues. “It is very impactful, because of the consequences on the ultimate operation of the software model. You can compare it to a traffic light being covered and thus not visible, which means that the data that ends up in a traffic model about the crossroads does not match the reality. As a result, the optimisation of traffic flows, which was the purpose of the model, will not be achieved.” 

Other, potentially more harmful, examples of this use of AI can be found in face recognition. For example, researchers from Vietnam built a 3D face mask capable of bypassing Apple's Face ID technology. An even stronger illustration is the Italian startup Cap_able, which is marketing a clothing line that - when it encounters the AI algorithms in cameras performing face recognition - ensures that the wearer is no longer identified based on their face, but instead is recognised by the software as an animal. “These developers want to address what they see as the problematic nature of facial recognition. Such examples show the complexity of the issue, and the need for more attention to this area of tension,” Skhiri explains. 

Security by design 

This is precisely why Skhiri advocates more active awareness of the potential consequences of interacting with AI during the development phase of software models. “We cannot and should not leave software developers alone in the challenge. The potential consequences are too serious. More and more demonstrative use cases are also emerging. Each such case is implicit evidence that people underestimate this aspect of the relationship between AI and cybersecurity.” 

In other words, the construction process must always be accompanied by clear security tailored to this development. “We must strive for a real translation of the principle of security by design. In the current reality, however, it is not as obvious as one might think,” Skhiri continues. “The sharp growth of AI has clearly led to a race between companies, which are therefore freeing up very large amounts of resources and manpower and, as a result, are sometimes not sufficiently aware of the risks they are exposing themselves to.” 

Sharing own experiences  

Euranova itself came into extensive contact with this complex field of tension in recent months. For instance, for Eurocontrol, the body responsible for traffic safety in our airspace, the Walloon firm developed a new AI model to increase the efficiency and safety of air traffic. “The objective was to increase predictability, which would allow better anticipation of potential problems,” explains Eric Delacroix, co-founder and CEO of Euranova. 
 
Such highly sensitive and therefore highly secure datasets are, in practice, very clearly isolated from the rest of the world. “This means that the case cannot really be used as an example to demonstrate the issue. Nevertheless, it did contribute to us as a company starting to think about the issue even more intensively,” Skhiri adds. “And that is precisely why we joined the Belgian Cyber Security Coalition this year. After all, we believe very clearly in the model of knowledge sharing.” 

“The advent of generative AI enables a new perspective”

The impact of generative artificial intelligence (AI) on cybersecurity is hotly debated. But the nature of the discussion needs to change if we are to be able to truly seize the opportunities AI promises. “It will play an important role in orchestrating the most efficient recovery path.”

Vinod Vasudevan

Global CTO MDR & Global Deputy CTO Cybersecurity Services for Eviden

The complex relationship between generative AI and cybersecurity has become one of the most discussed topics within the industry. Currently, the main focus is on using AI to improve cybersecurity detection. This makes sense, because the technology has proven extremely effective in this domain. “However, what gets too little attention within this debate is the use of AI for automating responses in the event of large-scale and complex attacks,” Vinod Vasudevan remarks. He is Global CTO MDR & Global Deputy CTO Cybersecurity Services for Eviden, the ATOS business leading in digital transformation, cloud, big data and cybersecurity. 

As a result, today’s discussions are missing out on important opportunities. “The advent of generative AI enables a new perspective: we can deploy AI assistants to manage attacks, working together with security analysts. But this means we need to begin looking at AI more as a knowledge base for experts, who can thus learn to respond even better to complex attacks. We should tell that story more often,” Vasudevan states. 

Paradigm shift on the horizon  

In other words: the use of AI will change the way the cybersecurity field operates in the coming years, requiring a further expansion of its role. For instance, the further roll-out of self-healing endpoints will cause a paradigm shift in managed detection and response (MDR). "Moreover, AI will play an important role in orchestrating the most efficient recovery path for a business after a major cybersecurity incident,” Vasudevan explains.  

“This will include the use of AI for determining the Recovery Time Objective (RTO), Recovery Point Objective (RPO), application interdependencies, and business operations linkages, and using this understanding to generate recovery steps for resuming different business lines,” he continues. In fact, this paradigm shift is de facto necessary, as the use of multi-cloud, hybrid infrastructure will be increasingly pushed in the coming years. Recovery paths capable of dealing with such complex reality are by definition built on AI algorithms. 

“Approaching this environment through AI will also allow MDR to increasingly focus on prevention in the near future,” Vasudevan says. That preventative approach, even on a day-to-day level, will have a major impact on MDR operations. “A practical example of prevention is the use of policy management in MDR. Because cloud has thousands of configurations that keep changing, a small alteration can potentially lead to costly breaches. It could be as simple as an S3 bucket permission becoming public; this bucket could be storing critical customer information, which the organisation might not even realise. It is therefore important to continuously push configuration policies across all cloud workloads, detect critical configuration changes, and alter the configuration to secure state.” 
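The detect-and-restore loop described above for an S3 bucket that turns public, as an added Python example (not code from Eviden or from this report). The snapshots are constructed and mirror the shape of S3's ACL, bucket-policy and public-access-block settings; treating any unconditioned `Allow` to a wildcard principal as public is a simplifying assumption.

```python
import json

# Predefined S3 groups that make an ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Desired secure state: all four S3 Block Public Access settings enabled.
# In a live account this is the body a PutPublicAccessBlock call would carry.
SECURE_PAB = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def public_acl_grants(acl):
    """Return the permissions granted to a public group in a bucket ACL."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]


def _is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_policy_statements(policy_json):
    """Return Sids of Allow statements open to everyone.

    Assumption: any Condition block is treated as restricting access.
    """
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow"
            and _is_wildcard(s.get("Principal"))
            and not s.get("Condition")]


def evaluate(snapshot):
    """List the reasons a bucket is effectively public (empty list = private)."""
    # A bucket with no public access block configured behaves as all-False.
    pab = {**dict.fromkeys(SECURE_PAB, False),
           **snapshot.get("public_access_block", {})}
    findings = []
    grants = public_acl_grants(snapshot.get("acl", {}))
    if grants and not pab["IgnorePublicAcls"]:
        findings.append(f"public ACL grant(s): {sorted(grants)}")
    sids = public_policy_statements(snapshot.get("policy"))
    if sids and not pab["RestrictPublicBuckets"]:
        findings.append(f"public policy statement(s): {sorted(sids)}")
    return findings


def detect_drift(previous, current):
    """Alert on buckets that were private (or absent) before and are public now."""
    alerts = []
    for name, snap in current.items():
        now = evaluate(snap)
        before = evaluate(previous[name]) if name in previous else []
        if now and not before:
            alerts.append({
                "bucket": name,
                "findings": now,
                "remediation": {"PublicAccessBlockConfiguration": dict(SECURE_PAB)},
            })
    return alerts


# Constructed snapshots (hypothetical bucket names), e.g. taken an hour apart.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"}
ALL_USERS_READ = {"Grantee": {"Type": "Group",
                              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}
SITE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-static-site/*"}]})

PREVIOUS = {
    "example-customer-exports": {"acl": {"Grants": [OWNER]}},
    # Public before and after: a standing finding, not a change.
    "example-static-site": {"acl": {"Grants": [OWNER]}, "policy": SITE_POLICY},
    # Public grant present but neutralised by IgnorePublicAcls.
    "example-logs": {"acl": {"Grants": [OWNER, ALL_USERS_READ]},
                     "public_access_block": dict(SECURE_PAB)},
}
CURRENT = {**PREVIOUS,
           "example-customer-exports": {"acl": {"Grants": [OWNER, ALL_USERS_READ]}}}

if __name__ == "__main__":
    for alert in detect_drift(PREVIOUS, CURRENT):
        print(json.dumps(alert, indent=2))
```
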

Countering fragmentation  

For this shift to come to fruition, however, the organisation of the cybersecurity sector also requires work. It remains too fragmented, according to Vinod Vasudevan: “Cloud and digital transformation have made the IT landscape dynamic, leading to exploitable opportunities for cybercrime syndicates. Consequently, numerous specialised areas of attack have emerged. Therefore, the market is characterised by a continuous need for innovation, which is met by a large ecosystem of innovative start-ups. This in turn leads to fragmentation.” 

So while this fragmentation is a logical consequence of the relative youth of the sector, it must decrease in the near future. “The implementation of innovative architectures such as Cybersecurity Mesh Architecture (CSMA) will contribute to increased maturity,” Vasudevan adds. “In this way, the sector will also be progressively able to meet security and recovery challenges - which will only increase exponentially with the upcoming AI revolution.” 

"The debate on AI should go even broader in 2024" open_in_new

The ethical and societal implications of Artificial Intelligence (AI) will continue to grow in the coming years. Therefore, it will be crucial that we have a broad societal debate on how to best deal with it. Regulatory initiatives play a guiding role in this process. "This is precisely why I believe the European AI Act can become very impactful,” states Professor Nathalie Smuha (KU Leuven/New York University).

Nathalie Smuha

Professor at KU Leuven & New York University

Artificial Intelligence, and generative AI more specifically, has really broken through in the past year. This immediately sparked a public debate about the desirability, the ethical implications, and the potential dangers of the technology. It also brought the need for a regulatory framework for AI to the forefront. Within academia, this discussion has been going on for several years. “I have been working on this since 2017. Today, we can really say it has become hyped up,” begins Prof. Dr. Nathalie Smuha. She specialises in the legal, ethical and societal implications of AI, and currently holds an Emile Noël Fellowship at New York University School of Law. 

The world’s first comprehensive AI regulation 

As a researcher, Smuha is well placed to oversee the current debate. “What I miss in the present discussion is the acknowledgement that AI is ultimately human work. It is often pretended that this is a technological reality we can no longer escape, hoping it won't harm us too much as humans. That narrative is obviously not true, because we as humans ultimately determine what place AI has in our lives, and not the other way around.”  

The most palpable translation of this area of tension is the push for an AI-specific legislative framework. Just before the end of 2023, the European Parliament and Council reached a political agreement on the framework that AI applications in Europe must comply with. “This compromise is the result of a legislative proposal submitted in 2021, thus before ChatGPT's boom. It also builds on a set of ethical guidelines drafted by an expert group, which I coordinated in 2019,” Smuha explains. The EU AI Act will be formally adopted by both the Parliament and Council in the coming months, becoming the world’s first comprehensive AI regulation. 

Race to regulate AI  

The EU AI Act must be seen in the context of the rapid development of AI worldwide. "In Europe, we view AI and the need to tackle its impact on human rights differently from the US, where the emphasis is generally more on industry and innovation. The discrepancy is culturally determined, and related to disparate views on the roles of regulation and government, which is driven by our historical frame of reference and the political climate.”  

“Therefore, this distinction is also felt in academia, creating a distinct view on AI regulation. In the US, they take a different starting point; as they often trust the market more than the government, they are hesitant to adopt new laws that could hamper innovation. At the same time, more and more countries – including the US – are contemplating new binding or non-binding AI regulations,” Smuha says. “In other words, besides the current race to implement AI, we should also talk about a race to regulate AI.” 

Hence, the fact that Europe is the first authority to come up with a comprehensive legislative framework is of great importance. After all, this clearly reinforces the EU's regulatory position and allows it to take a leading role in terms of AI standard-setting worldwide. “Given that even AI applications developed outside Europe will eventually have to comply with this framework if they want to be marketed in the Union, I believe there could be a movement whereby other regions of the world will adopt a homogeneous set of rules, similarly to the “Brussels-effect” we have seen with the GDPR. If Europe had not been the first to come up with such an initiative, it would have been much harder to create this dynamic. This is precisely why I believe the EU AI Act can become very impactful. However, we still need to see what kind of impact this will be." 

Extending the debate even wider 

If we want this dynamic to succeed, it is crucial that the debate be opened up even further in the coming months and years. “Europe has been accused by the rest of the world of being too preoccupied with regulation. And even the best regulation will not be enough to deal with the risks of AI. Therefore, we must also ensure more training and awareness-raising. That means looking at the long-term and asking ourselves what kind of society we want to live in, as well as involving the voice of the general public more than we have so far. In other words: the debate on AI should be even broader in 2024.”  

This debate will also involve cybersecurity. “The more we use AI applications, the more vulnerable we become, and therefore the more need there is for solid cybersecurity systems. This applies, for instance, to self-driving cars, but equally to robots or advanced chatbots. The cybersecurity sector must thus also take up an active role in this broad debate,” Nathalie Smuha concludes.

Cyber security skills are life skills

The EU aims to train hundreds of thousands of people to address the cyber skills gap

The European Union’s complex, rapidly changing legislative framework, with the implementation of the NIS II Directive, the Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA), creates a growing need for new workforces in the cyber security field. Despina Spanou, Head of Cabinet of Margaritis Schinas, Vice-President of the European Commission who oversees the EU’s security policies, outlines the underlying problems that make the cyber skills gap even more challenging.

Despina Spanou

Head of Cabinet of Margaritis Schinas, Vice-President of the European Commission

Today, the biggest challenge in the area of cyber security is an atypical skills gap. The sector does not simply suffer from vacancies. “The aggravator is that the cyber sector and the threat landscape are evolving so fast that the people already working in the sector and their skills cannot evolve as quickly as needed. Combining these two, the vacancies and the need for up- and reskilling, makes the sector, the cyber employees and the skills gap very unsteady”, Despina Spanou explains. 

The first challenge is to retain and evolve the current workforces. “The current cyber security professionals are suffering from fatigue, stress and sometimes even burn-outs due to a high workload and crisis management. We need to retain the workforces we have today and keep them relevant. For example, we need to invest in the people already working in the sector to deal with artificial intelligence, which has brought new elements in the threat landscape.” 

Challenge within the challenge 

Next to the challenge of retaining workforces, the sector also needs to attract new talent. “Not enough new people start working in this field of expertise. I have met a lot of young, talented people in international cyber security championships. When I ask them if they want to do this as a job, they politely decline. We need to promote the appeal of the sector, to attract talented people and to convince young graduates who start their education or professional career to orientate themselves towards the cyber sector.” 

As a founding member of the Women4Cyber initiative, Despina also addresses a third challenge, namely not having enough women in the sector. “Cyber security is not the only area that shows this deficit, it occurs in all technical fields and STEM oriented areas. We need to encourage young girls and convince them that this is not a field exclusive to men.” These are the challenges within the challenge for the cyber security sector. 

Beneficial to all 

In April 2023, the European Commission launched the EU Cybersecurity Skills Academy, a platform created to address in a coordinated manner the many challenges related to the cybersecurity skills gap. “A lot of Member States are already trying to unite forces. In Belgium, the Cyber Security Coalition is a great example of the solid cyber ecosystem that has already been built. Members learn from each other and support each other. The Coalition will benefit from using our Academy as an opportunity to offer trainings, education, (re)skilling and to look for work forces that find refuge in this Academy.” 

The Cyber Security Skills Academy was built with the aim of housing all levels of skills education. “It is a one-stop-shop for cyber security training offers, funding opportunities, syllabuses for schools and universities ... Whether you are a young professional seeking to get new skills to enter the field of cyber security, or you are an organisation providing trainings, you can find or pledge training or reskilling opportunities. By bringing everything together, we provide solutions that reduce the skills gap in the short term, the medium term and eventually the long term.” 

Evaluate and improve 

The Academy is currently hosted on the EU Digital Skills and Jobs Platform of the European Commission. “The Commission’s role is temporary. We continue to be part of the management of the Academy, but we involve other actors such as ENISA, the EU Agency for Cybersecurity, and the EU Cybersecurity Competence Centre. It should quickly become a sustainable European infrastructure hosted by EU Member States.” 

Since the launch in April 2023, the initiative received 12 pledges from private companies, training and certifying organisations, and academia that offer training and up- and re-skilling opportunities, etc. All pledges, which have to meet specific criteria to be housed under the Academy, have to be assessed after 6 months in operation, in order to be able to measure their impact and success. “Since most pledges started around the summer, we will know very soon how many people have already engaged in them. We certainly aim to (re)skill thousands of people all over Europe given our current needs”, Despina Spanou concludes. 

“Too many SMEs are still unaware of the scale of cybersecurity risks”

Raising awareness around cyber risks remains a necessity, especially among SMEs, who constitute a majority of the Belgian economy. To bridge this gap, there are a growing number of cybersecurity training options on offer. “We have to make it clear to SMEs who still think they are not an interesting target, that this is a totally wrong reading of reality,” says Joyce Proot. She heads Technofutur TIC and Technocité, two competence centres that offer cybersecurity training courses.

Joyce Proot

Director at Technofutur TIC and Technocité

There is no doubt that awareness of cyber risks has grown over the past years. But the actual impact of a cyberattack has risen sharply, as well. And thus more action is needed. There is still a lot of room for improvement, including amongst SMEs. Joyce Proot, director of Technofutur TIC and Technocité, two Hainaut-based competence centres that have set up an extensive cybersecurity training offer: “The need to raise awareness remains enormous. Many SMEs still consider cybersecurity to be a matter of password selection and a firewall; they remain unaware that protection should involve every employee.” 

Training tailored to every need 

Reflecting this reality, there have been a number of new training modules created within Technofutur TIC over the past year. “For example, we have developed training webinars for local administrations,” Proot explains. “We also organise a more advanced hybrid training programme for people with IT-related functions in companies. We address both the technical and the governance sides of cybersecurity. Among other things, the aim is to teach participants how to carry out a thorough risk analysis. And we familiarise them with legislative initiatives such as NIS2, etc." 

Because the need in the field remains acute, Joyce Proot wants the training offerings to reach even more people in the coming years. “We will, for instance, offer free seminars. By making them aware of the existing risks and potential impact, we hope to convince more people to sign up for one of our advanced training courses, which are given by a diverse group of experts. At Technocité, we also have a training course that goes a step further, and aims to train people to become a real reference for cybersecurity within their company. This course also applies to jobseekers.” 

The need for a Disaster Recovery Plan 

Alongside these training courses, both competence centres try to engage in awareness-raising through specially designed games. “For instance, we have an escape game that aims to teach participants how to deal with the different cyber threats. We especially want to show how much more than traditional phishing is involved. Our so-called cryptoparties have a similar goal. These are actually coaching workshops. Here, participants learn how to set up a security system.” 

An important common factor in these initiatives is to demonstrate the potential damage from a successful cyber attack. Joyce Proot: “The reality today is that, when an IT system goes down, the entire business stops. So cybersecurity is indispensable for your company. We must make it clear to SMEs who still think they are not an interesting target, that this is a totally wrong reading of reality. They too need to work on a Disaster Recovery Plan, which a lot of large companies already have in place today.”  

“By focusing on raising awareness and getting more people to our training sessions, we want to achieve a shift among SMEs. As an important part of the ecosystem, the Cyber Security Coalition offers significant added value to this,” Proot concludes.   

“We want students to choose a particular specialisation more consciously”

The number of educational opportunities within the cybersecurity field has increased significantly in recent years. For educational institutes, this offers opportunities in terms of knowledge exchange, which is also necessary, because only in this way can the curricula offered stay up-to-date with existing trends. “We try as much as possible to work on cross-fertilization between cybersecurity, robotics and AI," states Fabian Restiaux of Hénallux (Haute École Namur-Liège-Luxembourg).

Fabian Restiaux

Director of Engineering Sciences and Technology at Hénallux

"In 2017, we were the first University college in Wallonia to launch a fully-fledged cybersecurity course," opens Fabian Restiaux, Director of Engineering Sciences and Technology at Hénallux (Haute École Namur-Liège-Luxembourg). "At the time, we responded to an existing demand in society for training, which was palpable in the media and politics. This was also evident in the field. In the first year, for instance, we immediately had 185 enrolments for the bachelor's degree in cybersecurity." 

Responding to trends and screenings  

That trend continued in subsequent years. "Over the past few years, around a hundred students have graduated with us each year. Due to the high demand on the labour market, almost all of these profiles also find work in the sector," says Fabian Restiaux, who at the same time also clearly emphasises that the programme is subject to constant evolution. "We try as much as possible to work on cross-fertilisation between cybersecurity, robotics and AI. Three courses that are inextricably linked in terms of content." 

Furthermore, the results of screenings and analyses of its own operation are also taken into account as much as possible. Since this year, for example, Hénallux has installed a new structure for first-year students. "From now on, all students within the field of computer science receive the same curriculum for the first four months and only after that have to choose which specialisation they want to continue in," explains Restiaux. "After all, we want students to choose a particular specialisation more consciously. Cybersecurity is obviously one of them."

This reality of rapid change can obviously only be realised in practice thanks to a well-informed and committed group of instructors. "We have to admit that in reality, keeping them on board is not always easy. After all, they are very desirable profiles on the labour market and therefore often receive very interesting offers from private players," he says.

Network and knowledge sharing  

Additionally, educational facilities themselves need to be extra alert to cyber risks. "Due to the fact that we train students to deal with all kinds of attacks, in reality many of these systems are also set up within our own environment. Therefore, we ourselves must always be extra vigilant and develop an architecture capable of dealing with this increased risk. Being able to rely on membership of the Cyber Security Coalition and the knowledge sharing it provides is a big advantage in this respect," Restiaux explains.  

This also immediately accounts for why Hénallux puts a lot of time and energy into strengthening its own network. "For example, we have established a partnership with Sweden, which allows us to offer our cybersecurity students an exchange programme. Talks are also ongoing with institutions in Finland and Malta. In parallel, we are also major advocates of European initiatives set up to achieve a more widely supported standardisation of cybersecurity courses," Restiaux clarifies. 

This, he says, is also a key concern for 2024. "The number of cyber training courses has boomed in recent years. For example, a lot of technology players today also offer their own training programmes. This makes it increasingly difficult for interested parties to find their way around. That is why a clearer system of benchmarking is needed. Certification from Europe is probably the most appropriate way of doing this," concludes Restiaux. 

“Educational opportunities for people who are less fortunate, but highly motivated”

Nearly everything is becoming digital these days, which has proven to be a positive game changer. The other side of the coin, however, is the increasing cyber threat, from which companies and public institutions need to protect themselves. The relevance of the cyber security sector is growing, and it comes as no surprise that there are many job vacancies. Beatrice de Mahieu, CEO of BeCode, and Ludovic Patho, BeCode’s first cyber security coach, explain how their social impact school can provide a solution.

Beatrice de Mahieu

CEO of BeCode

Ludovic Patho

Cyber Security Coach at BeCode

Cyber security has quickly become a necessity for organisations all over the world. Schools and universities are adapting their offerings to address this need, and there are numerous initiatives for facilitating employee reskilling or upskilling. BeCode is a social impact school with four campuses in Belgium; it provides technical training on web development, artificial intelligence and cyber security, for people who are vulnerable on the job market. “Our school is bridging the digital divide, and delivering a solution to the talent scarcity at the same time," CEO Béatrice de Mahieu explains. 

BeCode offers a step up from unemployment, to fill the need for tech talent. “As a social impact school, we can be compared with the VDAB, Actiris or FOREM. Younger people who are disconnected from work or studies, people who have been unemployed for a longer period, refugees, etc., can enrol in a course," Beatrice continues. “Anyone who is on unemployment benefits can join, as long as they are motivated and willing to learn.” 

Hands-on bootcamp 

Ludovic Patho is in his sixth year of work at BeCode. Starting out as a coach in web development, he now conducts trainings and creates curricula for the cyber security courses. "I noticed during my web development coaching sessions that there is a lack of knowledge about security in general, and cyber security in particular. Conversely, there are many job opportunities in that niche. That is why I created the cyber security bootcamp," Ludovic says. 

After months of brainstorming and content gathering, the first bootcamp was organised in Charleroi in 2022. “The first edition had 28 participants. The bootcamp takes place on weekdays from 9 to 5, and lasts a total of seven months. After four months spent learning the basics, the students get to choose the field of cyber security in which they want to operate: attack or defence. Over the next three months, our career coach fully prepares them for their internship at an enterprise. They learn how to write a CV, apply for a job, etc.," Ludovic continues. 

Successful initiative 

This year, 55 participants have already signed up in Brussels, Ghent and Charleroi; the bootcamp will also be held in Liège starting this autumn. Béatrice de Mahieu: “All of last year’s participants quickly found a company for their internship, and were hired afterwards. A lot of companies are recruiting cyber security profiles on a regular basis. We feared the pool of candidates would become too big, but the demand is extremely high. All of this year’s 55 students, who are eager to start, will be able to find a job in no time.” 

These figures confirm the demand for these profiles on the market, although diversity remains an issue. “The low representation of women in the cyber security bootcamp - only 12% so far - concerns us. We are trying to inspire and show girls that there are a lot of jobs in cyber, not only technical ones.” 
 
Joining forces 

As one of the structural partners for cyber security at BeCode, Microsoft recommended that Béatrice get in contact with the Cyber Security Coalition. “When we started our cyber security bootcamps, the Coalition opened doors for us, introducing us to their partners, and putting us in contact with companies recruiting cyber security talent. Our final aim is that companies will come to BeCode to find cyber talents, and support us with various kinds of financing or partnerships,” Béatrice says. 

To achieve its goals, BeCode needs to attract participants and raise funds. “BeCode’s offering is completely free for the participants. Our financing comes partly from subsidies, partly from donations by companies or individuals; we also rely on the companies who support us through contracting for vacancies. In future, we hope to raise enough money to increase our offerings and train more students to reinforce the work field.” 

Cyber Award 

BeCode has submitted two candidates for the Cyber Security Personality of the Year award. Béatrice nominated Ludovic, while Ludovic nominated one of the participants from the first bootcamp. “Maria Silva is a young, female professional who was recruited by Orange Cyber Defense immediately after the bootcamp,” Ludovic explains. “The awards are a good way to shine a light on the different kinds of profiles needed in cyber security,” Béatrice de Mahieu concludes. 

“Passwerk’s SOC training offers a new way to engage people on the autism spectrum in the cyber security labour market”

Joining the job market does not come naturally for everybody. This can be the case for some people with autism spectrum disorder, for instance. While they might have the right qualities, they need guidance to thrive - and that’s where Passwerk comes in. Thanks to the organisation’s job coaching, these talented people get the chance to (re)start their professional career, in areas including software testing, development, data - BI or cyber security.

Guillaume Dewyn

Customer Relationship Manager at Passwerk

Based on the input from its members, the Cyber Security Coalition is well aware of the continuing massive shortage of cyber security experts. A range of initiatives will be needed to close the gap: Passwerk is one of them. “People on the autism spectrum can have the right competences for technical jobs that need a lot of precision. We want to use their talents to test and develop software, follow up support processes, etc. Since last year, we have also been focusing on cyber security; more specifically on the profiles of security operations centre (SOC) analysts,” Guillaume Dewyn, Customer Relationship Manager at Passwerk, explains. 

Passwerk was founded 15 years ago, and during that time, the organisation has won the trust of more than 250 customers who rely on the organisation to find the right match. “We have about 185 consultants. Passwerk's great strength is the expertise of our job coaches, who guide both consultants and clients. The job coach team consists of colleagues with an orthopedagogical and psychological background, who understand our consultants through and through. 80% of assignments are long-term, and 95% of consultants follow the client's work regime,” Guillaume says proudly. 

Perfect match 

To match the right consultant to the right assignment and the right company, Passwerk has set up an extensive matching process. “Our consultants are our main priority. We want to know them thoroughly before assigning them to a position. It is equally important to get a good view of our client's corporate culture, environment and expectations, which is why we do an on-site survey. When we think we have found the right match, both parties are prepared by our job coach. The job coach, on the one hand, explains to the consultant what they will be doing, where they will work, and what the company’s practices are. On the other hand, they also inform the customer about autism and which aspects apply to our consultant.” 

There is no denying that employing someone with autism requires specific effort. “We work with very diverse profiles, which is why matching is so extremely important. Our consultants mainly have mild to moderate diagnoses. Some are very stimulus-sensitive, others need communication support, and some need to know clearly who to contact for which problem,” Guillaume clarifies. “Every two weeks, there is a check-in with the job coach, the consultant and the client to follow up that everyone is feeling comfortable with the cooperation.” 

Win-win-win 

According to Passwerk, there is no context in which someone diagnosed with autism spectrum disorder would not be able to participate. “It is a conscious choice to keep our client portfolio as broad as possible: the federal and Flemish government, financial institutions, industry, pharma, retail, etc.,” Guillaume lists. “Our consultants are passionate, conscientious and have a very good eye for detail. Employing their qualities and making the best use of their talents means a win for society, a win for our client, and a win for our consultant. It is incredible to see how they gain self-confidence and blossom thanks to these professional opportunities.” 

If the job context changes, for example, if the consultant outgrows the company or vice versa, the search for the right match restarts. Guillaume Dewyn: “At Passwerk, our consultants have job security without the stress of applying for a new job every time. If they find themselves temporarily without an assignment, or they want to go in a different direction, they can follow trainings in our Academy.” 

Reskilling Academy 

The Passwerk Academy gives new and seasoned consultants the chance to reskill. “Since September 2022, together with partners such as Sébastien Deleersnyder of Toreon (Cyber Security Personality of the Year), we have been offering a SOC level 1 analyst training course. 50% of the training consists of learning how to analyse and monitor networks and systems for suspicious actions. The other 50% is learning to properly draft written reports. This isn’t entry-level training: participants need a CCNA certificate, which is the minimum basic knowledge of networks,” Guillaume explains. 

Six intensive weeks of online lessons are followed by two weeks of internship, often resulting in a first assignment. “We have trained 10 people in one year, one of whom has already progressed to SOC level 3. We often see that even in their spare time, the consultants continue to work on the subject matter, through passion and interest. This allows them to strongly grow their expertise in a short time. In our opinion, the training offers a new way to engage a larger population of people on the autism spectrum in the cyber security labour market,” Guillaume Dewyn concludes. 

MolenGeek: making cyber security training available for all young people

There is a persistent perception that technology careers are not accessible enough. To counter this bias, Ibrahim Ouassari established MolenGeek, in the heart of Sint-Jans-Molenbeek. The organisation's mission is to make the technology sector accessible to anyone who wishes to work in the digital world, regardless of their background or educational level. Together with Microsoft, MolenGeek has launched a cyber security training.

Ibrahim Ouassari

CEO at MolenGeek

As the youngest of eight siblings, Ibrahim Ouassari grew up with plenty of well-educated role models. Yet, he himself left school at the age of 13. “Even with role models and academic support at home, the educational system is just not for everyone,” explains Ibrahim, recounting the personal journey that led him to the field of technology. 

His first encounter with it involved secretly trying to download music from the internet; an experience that eventually ignited a fervour for technology. Years later, he oversaw four companies.

“Technology and entrepreneurship were quite accessible for me. However, when I spoke with young people from my neighbourhood, it became clear that they didn’t see any opportunity or perspective in the sector. This motivated me to start MolenGeek, to prove that technology is accessible to all, even without an academic background,” Ibrahim continues. 

Strong business model 

MolenGeek is built on three main pillars. “We offer a coworking space, both long- and short-term training programs, and dynamic events such as Hackathons, Geektalks, workshops and more. Our goal is to provide employment prospects based on motivation alone, without prerequisites or certifications,” Ibrahim says. “We remove all other types of barriers. We overcome the mental barrier - that they are not cut out for a job in tech – with our welcoming environment. We eliminate the financial barrier by offering everything for free. You don’t have the right material to join a course? We can lend you a computer. In other words, we take away their excuses for not starting a career in technology. The only criteria are to be at least 18 years old, unemployed, and proficient in one of Belgium’s national languages.” 

The project was warmly welcomed by the technology sector. Partnerships with major companies such as Google, Microsoft, Meta, Amazon, Proximus and PwC bolster the organisation financially. At the same time, Ibrahim has designed a self-sustaining business model: “We are proving to companies that individuals without a formal academic background, yet with the right skills, can contribute substantial value. Enterprises willingly engage us to find and train their workforce. With this funding, we sustain our growth.” 

Adapting to demand 

MolenGeek is constantly evolving, including national and international incubators, and adapting to the ongoing development of technologies. The digital sector is booming and MolenGeek is riding the wave. “MolenGeek now has eight incubators: three in Belgium, three in the Netherlands, one in Italy and one in Morocco. Last year, we trained 400 people in Belgium alone. Six months post-training, 85% of them had secured careers in the sector. We believe this percentage will have risen even more a year later.”  

In partnership with Microsoft, MolenGeek introduced a specialised Cyber Security training. “Microsoft connected us with several companies seeking talent in cyber security, particularly for the role of SOC analyst. Given our students’ non-technical backgrounds, we created a training with content adapted to their capacities. For example, we use a lot of metaphors to make it easier for them to understand. The goal is to learn what a SOC analyst does, and to obtain three related Microsoft certifications.” 

Collaborative work 

Companies are finally recognising the need to regain control over their cyber security, which is why they are counting on Ibrahim and his team to provide them with the necessary experts. “This cyber security training is just the beginning. We hope to develop more trainings on other cyber security topics, such as pen testing. In this way, we aim to provide companies in Europe with a maximum talent pool for crucial jobs such as cyber expert.” 

To find and attract students, MolenGeek uses its social networks. To engage with companies, Ibrahim explains, “Initiatives like the Cyber Security Coalition play a pivotal role in spreading MolenGeek’s message. Companies need to know that they can rely on us to solve the talent shortage. With their input, we can also develop our trainings to match market demand. In other words, we all benefit from communicating and collaborating.” 

Awareness Raising

Cyber Security Personality of the year: Miguel De Bruycker

Miguel De Bruycker, Cyber Security Personality of 2023 and Managing Director General of the Centre for Cybersecurity Belgium, looks back on his 8 years at the helm of the Centre, and delves into the challenges ahead and the Centre's plans to bolster Belgium's cybersecurity posture.

Miguel De Bruycker

Managing Director at Centre for Cyber Security Belgium

CISO of the Year: Siska Hallemeersch

Siska Hallemeersch works as a “CISO-as-a-service” for larger SMEs and smaller-sized companies. As Chief Information Security Officer, she is responsible for information security within the organisation. As a CISO-as-a-service, she can also provide structure and determine cybersecurity priorities. Under the wings of NVISO, Siska provides her services to three customers who do not employ a full-time CISO; she was named CISO of the Year at the 2023 Cyber Security Awards.

Siska Hallemeersch

CISO at NVISO

Siska Hallemeersch: I have always worked in IT, including nearly 13 years in Managed Security Services for a major American telecom company. But then I ended up like so many people: once you are over 50, you are both too expensive and too old. For me, this was the moment to reconsider what I wanted to do next, because I certainly wasn’t ready to be written off. I completed an Executive Master’s degree in Information Security at the Solvay Brussels School, obtained the most important security certificates (CISM, CISSP, ISO 27001 lead implementor), started working as a senior security consultant, and built my new experience step by step. After two and a half years, I was ready for a new job as a CISO-as-a-service, under the wings of NVISO. 
 
What does this award mean to you? 
 
I hope that my journey can inspire others. Giving your professional life a new twist is hard work, but it is possible, even if you are over 50. I have a tip for companies: when hiring, look at the entire person standing in front of you. Passion, talent and dynamics tell a much more complete story than just skills and age. At NVISO, I work with many young people. The interaction between the generations is enriching. We continuously learn from each other's experience and curiosity. 
 
What challenges lie ahead in the domain of cybersecurity? 
 
It is very important that companies view cybercrime as a business risk. It is not simply an IT problem that you can solve with a few tools and programmes. It is an entrepreneurial risk that affects your entire company. A ransomware attack can paralyse your entire organisation, and cost you a lot of money. As a CISO, I always start by identifying the risks for the company as a whole. What is there for cybercriminals to gain here, and how are we going to arm ourselves against them? We then determine which measures are best suited within the context of this specific company. 
 
What is your advice for SMEs? 
 
Be prepared. When I talked about geopolitical risks in the field of cybersecurity five years ago, people raised their eyebrows. But today, the ransomware comes from Russia, China and Korea. A lot of SMEs are not prepared for this. If you wait for it to happen to you, it will cost you so much more than if you are well-prepared. 
  
Can you give a concrete example of a cyber risk that you have encountered? And how you handled it? 
 
We recently had a case of “Shadow IT”; this is when employees start using their own IT resources in their working environment, without the IT department being aware. It can involve both software and hardware, which fall outside the management of the IT department. In this case, there was an application that had been running for 10 years, completely unsecured. That makes you very vulnerable as a company; it is essentially an online portal that is wide open. Cybercriminals can easily enter your company through it, with all the disastrous consequences that this entails. In this case, we were able to prevent the worst. But you should definitely be alert to these types of vulnerabilities within your organisation. 

Cyber Security Researcher/Educator of the Year: Kurt Callewaert

Kurt Callewaert, cybersecurity expert at Howest, has been named 'Cyber Security Researcher/Educator of the Year'. In 2011, Callewaert started up the cybersecurity programme within the applied computer science course. In the academic year 2024/25, Howest will be the first Belgian university of applied sciences to launch its new Cyber Security Professional bachelor’s degree programme.

Kurt Callewaert

Valorisation Manager Digital Transformation

Kurt Callewaert: Our economy’s digital transformation is leading to many more cyberattacks. The risks of hacking have increased enormously. And with the new European legislation, companies are obliged to make efforts to improve their security. The need for cybersecurity experts is therefore on the rise. We are inundated by companies with requests for internships, and graduating students are immediately recruited. 
 
Since 2020, we have expanded our pool with international students; we now have about a hundred of them. Existing developers and IT professionals who want to upgrade or reorient themselves can now follow the cybersecurity module online. In these ways, we can deliver many professionals to the economy. 
 
Do new evolutions come with new challenges? 
 
Absolutely. For example, we are in the midst of an energy transition. Traditional fossil energy sources are being phased out, including natural gas from Russia, to the benefit of new, sustainable energy sources, such as the North Sea wind farms. These are sensitive industrial networks that can be hacked, too. To prevent our “friends” from Russia from shutting down the entire network, we are conducting intensive research into the cybersecurity of the offshore network, to ensure we will be able to respond very quickly. 
 
Cybersecurity is a broad domain. Where do you put the emphasis in the training? 
 
Our students are prepared on three fronts. If you compare it to a football team, first and foremost you have the attackers: the hackers. We train ethical hackers who check websites for weak spots. Then there are the defenders, who organise our networks differently in order to better protect them. And finally, there is the Board of the football team: those who conduct risk research, and take into account the legislation. However, while these are three different profiles, we do expect our students to fully master all three pillars. 
 
What does this award mean to you?  
 
Our mission is to provide students with the skills and knowledge they need to meet the challenges of the digital world in the future. This award confirms that we are on the right track at Howest. It is an honour to receive this recognition from the Cyber Security Coalition. 
 
Why should young people choose a cybersecurity course? 
 
It is a fascinating profession. You come into contact with companies and organisations from different domains worldwide. You remain continuously informed of the latest technologies. You play an honourable role in defending our digital society. And last but not least: the salary package is very attractive.  
 
According to you, what are the biggest challenges for our country in the field of cybersecurity? 
 
I see three major challenges. Firstly, we must get everyone onboard. Generally, large companies are already investing a lot in cybersecurity. It is the smaller companies that are often unaware of the dangers. Belgium is a country of SMEs, and we know they are a popular target for cybercriminals. This is why the Flemish government, for instance, provides subsidies through VLAIO for SMEs that want to improve their cybersecurity. 
 
Secondly, everyone within the company must understand what cybersecurity means to him or her. The issues are different for an accountant versus a sales manager, for instance. Personalised training is therefore important. 

And thirdly, companies should not consider cybersecurity as a cost, but rather as a quality label. You invest in the quality and safety of your services, and the structure and stability of your company. This will become more and more important in future.  

Cyber Security Young Professional of the Year: Inti De Ceukelaire

At Belgium’s 2023 Cyber Security Awards, the title of 'Young Professional of the Year' was awarded to Inti De Ceukelaire, ethical hacker and internet entrepreneur. As Chief Hacker Officer at Intigriti, he manages the largest network of ethical hackers worldwide. More and more hackers are members of the community. Inti approaches cybersecurity from the hacker's point of view, which is both refreshing and enlightening.

Inti De Ceukelaire

Chief Hacker Officer at Intigriti

Inti De Ceukelaire: We operate in the same way as cybercriminals, but as ethical hackers we do not cause any damage. We penetrate the systems of companies and organisations, usually with their permission. I say 'usually' because this is no longer required in Belgium, as long as you respect certain rules and inform the company if you find something. We look for vulnerabilities in software systems, computers and hardware.  
 
It is very fascinating and varied work. For example, if you have to get past a counter for an assignment, you need to hone your human skills. Experience shows that you can always get in wearing a fluorescent vest or carrying a ladder. If you then find a cable or an internet port, you put your technical hacking skills to use. Artificial Intelligence (AI) makes it all even more interesting. To deceive AI, you need both language skills and creative thinking. 
 
Are companies more open towards ethical hacking today?  
 
I see a difference compared to a decade ago, when most companies didn't know anything about hackers. Most of them are now aware that ethical hackers don't break things, but instead identify things that could cause problems. If you don't look for problems, you will not find any, but that doesn't mean they aren't there. As a company, you can bury your head in the sand until things go completely wrong. Or you can do proactive testing. Criminal practices must of course be punished, but companies also have a responsibility to keep their data safe. 
 
Consumers bear a responsibility, too. They should be careful, for instance, when downloading apps. An example: as soon as you download the Temu app (an e-commerce platform with cheap shopping), Temu has access to your data. It’s a Chinese company, so it is subject to Chinese law. That means a completely different type of data protection applies. If the Chinese government were to request data from Temu, there is no guarantee that it will not be shared. I think transparency is very important. When I install an app, I want to know what the app does with my phone and with my data. 
 
What attracts you to this job? 
 
I admit, I really like to cheat. It started when I was a kid. When a game was explained to us young people, I immediately looked for ways to creatively circumvent or bend the rules and win. I find it very refreshing to question rules. Why do we do it this way and not another way? Sometimes you come across very new and interesting ideas. 
 
When I was given toys as a child, I always tried to destroy them immediately. I enjoyed seeing how things worked. I was already looking for the vulnerabilities of, say, a toy car or a computer game. If you know how and why things break, you can also improve them. This is often how start-ups are created. A good entrepreneur always has a bit of a hacker mentality. There is no need to walk within the lines. 
 
What is your golden tip for entrepreneurs to be safe? 
 
Make the effort to imagine that a hacker has access to everything in your company: what does this mean? How bad is the situation? What's out on the street? How much damage does this cause your company, and how can you limit the harm? And of course: what could you have done to prevent this? It’s good to think about this in advance. “I don’t care if my phone is hacked,” people sometimes say, “I have nothing to hide.” Until I say, “OK, give me your phone.” Then they suddenly realise what they are giving away. So my tip is: simulate a hack in your head and learn from the exercise. 

Community Life

Our Board

From left to right: Saskia Van Uffelen, Nathalie Ragheno, Jan De Blauwe, Georges Ataya, Bart Preneel, Séverine Waterbley, Fabrice Clément, Phédra Clouner

Operations Office

From left to right: Christian Mathijs, Pascal Champagne, Guy Hofmans, Cathy Suykens

Our members

ACADEMIC

Antwerp Management School • Eurometropolitan e-Campus • Hénallux • HOWEST University of Applied Sciences • ICHEC Brussels Management School • KU Leuven • PXL Hogeschool • Solvay Brussels School of Economics & Management • Syntra PXL • Technofutur TIC • Thomas More • UC Louvain • UGent • ULB – Université Libre de Bruxelles • Université de Namur • VIVES University College • VUB – Vrije Universiteit Brussel

FEDERATIONS

Agoria • Assuralia • Beltug • Comeos • Febelfin • Fevia • HRZKMO-CSIPME • LSEC • Santhea • Synergrid • VBO-FEB

PRIVATE

AG Insurance • Allen & Overy (Belgium) LLP • Argenta • ATOS • AXA Belgium • Belfius • Byblos Bank Europe • CheckPoint Software Technologies • Colruyt Group • Computacenter • Crelan AXA Belgium • Devoteam • DKV Belgium • Ethias • Euroclear • Exclusive Networks • EY Advisory Services • Fortinet Belgium • Huawei Technologies Belgium • Isabel Group • Kroll Associates • Microsoft • National Bank of Belgium • Netskope • NRB • Orange Belgium • Orange Cyberdefense Belgium • PwC Belgium • Schneider Electric • Sodexo • SopraSteria Benelux • TCR International • Telenet Group • Thales Group Belgium • Trend Micro Belgium • Vanbreda Risk & Benefits • Wavestone Belgium • Westcon-Comstor • Zetes Belgium

2dehands/2ememain • AboutIT • Approach Belgium • Bow Tie Security • Brand Compliance • Cranium Belgium • DigiTribe • DNS Belgium • EASI • Elimity • EURANOVA • EURid • Excellium Services Belgium • Expertware Belgium • Innocom • Intigriti • ITSME • Jarviss • Maiky • nextAuth • NVISO • Passwerk TRPlus • Rhea Group • Secutec • SecWise • Sirius Legal • Sirris • Toreon • Trustbuilder • Uniwan • Wortell

PUBLIC

Agence du Numérique • A.S.T.R.I.D • BCED • Belgian Defence • Belnet • BelV • BIPT-IBPT • CPAS Bruxelles • C.R.E.G. • Centre for Cyber Security Belgium • ENABEL • European Commission • FIA-FAI Federal Audit • Flanders Investment & Trade (FIT) • FPS Justice • FPS Policy & Support (BOSA) • FPS Foreign Affairs • FPS Economy, SMEs, Self-employed & Energy • FPS Finance • FPS Health, Food Chain Safety, Environment • Data Protection Authority • FPS Home Affairs (IBZ) • IDELUX - Association intercommunale pour le développement économique durable de la province de Luxembourg • iMio • IRISnet • MIVB-STIB • NMBS-SNCB • Paradigm.brussels • SCK-CEN • VDAB • Vlaamse Overheid - Vlaio • Le Parlement de Wallonie

HEALTH CARE

AZ Delta • AZ Oudenaarde • AZ Rivierenland • AZ Sint-Jan • AZ Sint-Lukas Brugge • AZ Vesalius • Broeders van Liefde • CHU-UVC Brugmann/ HUDERF • CHU Saint Pierre • Clinique Saint Pierre Ottignies • Cliniques Universitaires Saint-Luc • GPN Son • Grand Hôpital de Charleroi • Iris Ziekenhuizen Zuid • Jan Yperman Ziekenhuis • Jessa Ziekenhuis • Onze-Lieve-Vrouw Ziekenhuis Aalst-Asse-Ninove • Korian • Ziekenhuis Oost-Limburg (ZOL) • ZNA Ziekenhuisnetwerk Antwerpen • UZ Leuven • VITAZ Hospital

NON-PROFIT

Cetic • ISACA Belgium • Landsbond der Christelijke Mutualiteiten • Miris • Multitel • SAI • Socialware

ASSOCIATE MEMBERS

Gunther Penne • Iva Tasheva • Kurt De Meyer • Joost Rommelaere • Meenakshi Sundaram • Sam Van Hauwaert

About the Coalition

The Cyber Security Coalition is a non-profit association (ASBL/VZW) that provides a neutral, non-commercial forum where cyber security professionals can freely exchange in confidence. The Coalition is a member-funded initiative. The membership fees cover the operating costs and deliverables, such as awareness campaigns, information kits or the publication of guidelines. All members are represented in the General Assembly.

COLOPHON

The Cyber Security Gazette is a creation of the content company, commissioned by the Cyber Security Coalition.
Editors: Björn Crul, Roeland Van Den Driessche, Bavo Boutsen and Anse Keisse | Editor-in-Chief: Cathy Suykens | Photography: iStock, archives | Design: Anaïs Hoornaert and Webdoos | All rights reserved | © 2024 Cyber Security Coalition

Cyber Security Coalition
Stuiversstraat 8, 1000 Brussels | [email protected] | www.cybersecuritycoalition.be
Release Date: January 2024