2023: ACTIVITY REPORT OF THE CYBER SECURITY COALITION

Siska Hallemeesch: I have always worked in IT, including nearly 13 years in Managed Security Services for a major American telecom company. But then I ended up like so many people: once you are over 50, you are both too expensive and too old. For me, this was the moment to reconsider what I wanted to do next, because I certainly wasn’t ready to be written off. I completed an Executive Master’s degree in Information Security at the Solvay Brussels School, obtained the most important security certificates (CISM, CISSP, ISO 27001 lead implementor), started working as a senior security consultant, and built my new experience step by step. After two and a half years, I was ready for a new job as a CISO-as-a-service, under the wings of NVISO. 
 
What does this award mean to you? 
 
I hope that my journey can inspire others. Giving your professional life a new twist is hard work, but it is possible, even if you are over 50. I have a tip for companies: when hiring, look at the entire person standing in front of you. Passion, talent and dynamics tell a much more complete story than just skills and age. At NVISO, I work with many young people. The interaction between the generations is enriching. We continuously learn from each other's experience and curiosity. 
 
What challenges lie ahead in the domain of cybersecurity? 
 
It is very important that companies view cybercrime as a business risk. It is not simply an IT problem that you can solve with a few tools and programmes. It is an entrepreneurial risk that affects your entire company. A ransomware attack can paralyse your entire organisation, and cost you a lot of money. As a CISO, I always start by identifying the risks for the company as a whole. What is there for cybercriminals to gain here, and how are we going to arm ourselves against them? We then determine which measures are best suited within the context of this specific company. 
 
What is your advice for SMEs? 
 
Be prepared. When I talked about geopolitical risks in the field of cybersecurity five years ago, people raised their eyebrows. But today, the ransomware comes from Russia, China and Korea. A lot of SMEs are not prepared for this. If you wait for it to happen to you, it will cost you so much more than if you are well-prepared. 
  
Can you give a concrete example of a cyber risk that you have encountered? And how you handled it? 
 
We recently had a case of “Shadow IT”; this is when employees start using their own IT resources in their working environment, without the IT department being aware. It can involve both software and hardware, which fall outside the management of the IT department. In this case, there was an application that had been running for 10 years, completely unsecured. That makes you very vulnerable as a company; it is essentially an online portal that is wide open. Cybercriminals can easily enter your company through it, with all the disastrous consequences that this entails. In this case, we were able to prevent the worst. But you should definitely be alert to these types of vulnerabilities within your organisation. 

Kurt Callewaert: Our economy’s digital transformation is leading to many more cyberattacks. The risks of hacking have increased enormously. And with the new European legislation, companies are obliged to make efforts to improve their security. The need for cybersecurity experts is therefore on the rise. We are inundated by companies with requests for internships, and graduating students are immediately recruited. 
 
Since 2020, we have expanded our pool with international students; we now have about a hundred of them. Existing developers and IT professionals who want to upgrade or reorient themselves can now follow the cybersecurity module online. In these ways, we can deliver many professionals to the economy. 
 
Do new evolutions come with new challenges? 
 
Absolutely. For example, we are in the midst of an energy transition. Traditional fossil energy sources are being phased out, including natural gas from Russia -  to the benefit of new, sustainable energy sources, such as the North Sea wind farms. These are sensitive industrial networks that can be hacked, too. To prevent our “friends” from Russia from shutting down the entire network, we are conducting intensive research into the cybersecurity of the offshore network, to ensure we will be able to respond very quickly. 
 
Cybersecurity is a broad domain. Where do you put the emphasis in the training? 
 
Our students are prepared on three fronts. If you compare it to a football team, first and foremost you have the attackers: the hackers. We train ethical hackers who check websites for weak spots. Then there are the defenders, who organise our networks differently in order to better protect them. And finally, there is the Board of the football team: those who conduct risk research, and take into account the legislation. However, while these are three different profiles, we do expect our students to fully master all three pillars. 
 
What does this award mean to you?  
 
Our mission is to provide students with the skills and knowledge they need to meet the challenges of the digital world in the future. This award confirms that we are on the right track at Howest. It is an honour to receive this recognition from the Cyber Security Coalition. 
 
Why should young people choose a cybersecurity course? 
 
It is a fascinating profession. You come into contact with companies and organisations from different domains worldwide. You remain continuously informed of the latest technologies. You play an honourable role in defending our digital society. And last but not least: the salary package is very attractive.  
 
According to you, what are the biggest challenges for our country in the field of cybersecurity? 
 
I see three major challenges. Firstly, we must get everyone onboard. Generally, large companies are already investing a lot in cybersecurity. It is the smaller companies that are often unaware of the dangers. Belgium is a country of SMEs, and we know they are a popular target for cybercriminals. This is why the Flemish government, for instance, provides subsidies through VLAIO for SMEs that want to improve their cybersecurity. 
 
Secondly, everyone within the company must understand what cybersecurity means to him or her. The issues are different for an accountant versus a sales manager, for instance. Personalised training is therefore important. 

And thirdly, companies should not consider cybersecurity as a cost, but rather as a quality label. You invest in the quality and safety of your services, and the structure and stability of your company. This will become more and more important in future.  

Inti De Ceukelaire: We operate in the same way as cybercriminals, but as ethical hackers we do not cause any damage. We penetrate the systems of companies and organisations, usually with their permission. I say 'usually' because this is no longer required in Belgium, as long as you respect certain rules and inform the company if you find something. We look for vulnerabilities in software systems, computers and hardware.  
 
It is very fascinating and varied work. For example, if you have to get past a counter for an assignment, you need to hone your human skills. Experience shows that you can always get in wearing a fluorescent vest or carrying a ladder. If you then find a cable or an internet port, you put your technical hacking skills to use. Artificial Intelligence (AI) makes it all even more interesting. To deceive AI, you need both language skills and creative thinking. 
 
Are companies more open towards ethical hacking today?  
 
I see a difference compared to a decade ago, when most companies didn't know anything about hackers. Most of them are now aware that ethical hackers don't break things, but instead identify things that could cause problems. If you don't look for problems, you will not find any, but that doesn't mean they aren't there. As a company, you can bury your head in the sand until things go completely wrong. Or you can do proactive testing. Criminal practices must of course be punished, but companies also have a responsibility to keep their data safe. 
 
Consumers bear a responsibility, too. They should be careful, for instance, when downloading apps. An example: as soon as you download the Temu app (an e-commerce platform with cheap shopping), Temu has access to your data. It’s a Chinese company, so it is subject to Chinese law. That means a completely different type of data protection applies. If the Chinese government were to request data from Temu, there is no guarantee that it will not be shared. I think transparency is very important. When I install an app, I want to know what the app does with my phone and with my data. 
 
What attracts you to this job? 
 
I admit, I really like to cheat. It started when I was a kid. When a game was explained to us young people, I immediately looked for ways to creatively circumvent or bend the rules and win. I find it very refreshing to question rules. Why do we do it this way and not another way? Sometimes you come across very new and interesting ideas. 
 
When I was given toys as a child, I always tried to destroy them immediately. I enjoyed seeing how things worked. I was already looking for the vulnerabilities of, say, a toy car or a computer game. If you know how and why things break, you can also improve them. This is often how start-ups are created. A good entrepreneur always has a bit of a hacker mentality. There is no need to walk within the lines. 
 
What is your golden tip for entrepreneurs to be safe? 
 
Make the effort to imagine that a hacker has access to everything in your company: what does this mean? How bad is the situation? What's out on the street? How much damage does this cause your company, and how can you limit the harm? And of course: what could you have done to prevent this? It’s good to think about this in advance. “I don’t care if my phone is hacked,” people sometimes say, “I have nothing to hide.” Until I say, “OK, give me your phone.” Then they suddenly realise what they are giving away. So my tip is: simulate a hack in your head and learn from it the exercise.