2024: ACTIVITY REPORT OF THE CYBER SECURITY COALITION

Johan Claessens: I am an IT professional by training. When my wife, who is a freelance photographer, noticed that certain clients were trying to hack her photos, it triggered me to focus on cyber security. I started as a CISO at water-link in response to the NIS regulation that requires every organisation providing essential services to effectively manage its cyber security. Being a drinking water company, we wanted to go beyond ‘the minimum’ compliance with the NIS regulations, and to ensure that our drinking water production is completely secured. In my CISO role, I am dedicated to this goal. 
 
What are the biggest threats for a company like water-link? 
 
water-link produces drinking water for 40% of the Flemish population. All these people buy water from us, trusting that their tap water is of the highest quality and meets the strictest European guidelines. We cannot risk our production coming to a standstill due to a ransomware attack, or our water quality being compromised because purification processes are sabotaged. We protect ourselves against all risks that threaten the direct production and distribution of drinking water. 
 
What are your main tasks as a CISO? 
 
They are very diverse. At one moment, I may be discussing technical configurations with IT people, at another discussing the security strategy and new projects with the board. I also negotiate with suppliers and evaluate new products. Plus, I have to drop everything when an incident occurs. It’s a varied and often unpredictable job. 
 
Within the sector federation AquaFlanders, we have a working group of drinking water company CISOs. We meet monthly to share knowledge, discuss incidents, and look at potential problems encountered when implementing our strategic roadmaps for improving the security of our organisations. As we are not in competition with each other, we are very open in sharing our findings and experiences around security. 
 
What are the main challenges you see for CISOs today? 
 
The most obvious challenge and threat is artificial intelligence. AI is an asset for cyber criminals - one they can effectively use in their attacks. But AI can also be useful for us, the defenders. The difference is that attackers can unleash AI without knowing the result in advance. We, on the other hand, must first go through an entire test procedure to ensure that we do not create any bad side effects.  
 
Another challenge is the geopolitical landscape. In the past, the main goal of an attack was to make money. Now we see more and more attacks linked to geopolitics. For example, the week before the municipal elections, many websites were hit by Distributed Denial-of-Service (DDOS) attacks. These send excessive traffic to a website to shut it down so that visitors no longer have access to the services, which can harm the organisation’s image. It appears these specific attacks were initiated by pro-Russian groups. 
 
What does the CISO of the Year award mean to you? 
 
Quite a lot! I am the first CISO at water-link, and this is also my first experience taking on a CISO role. I did not really have a frame of reference. Am I doing well? Or am I simply a one-eyed person in the land of the blind? The award is a confirmation that we are doing well! 

Reinaert Van de Cruys: During my IT education, we learned about security at school, but mainly through a defensive approach. Infiltrating a network is something we taught ourselves. One of my first ethical hacks was the website of a municipality in Limburg. It turned out to have a serious problem: I was able to access the data of ten thousand citizens. When you discover such a thing, it gives you a huge kick! In that sense, hacking is a bit of an adrenaline sport. (laughs)  
 
Nowadays, there are also security courses that take the offensive approach. You can study to become an ethical hacker, which is a good development. This role fulfils a monitoring task that must be executed. You can't just assume that IT administrators configure their firewalls properly and that everything will be fine. The independent ethical hacker who looks for errors and holes is an essential part of the cyber security ecosystem. 
 
Which activities does Fox&Fish carry out? 
 
We are very busy with customised training for end users, software developers and IT administrators. We turn it into a kind of magic show with live hacking demonstrations and an interactive quiz section. By making hacking very concrete and practical, we increase the involvement of our audience in cyber security. We also puncture the Hollywood image that hackers are wizards. We show our trainees that they are just using certain tricks and that it is possible to protect yourself against them. 
 
In addition, we perform classical ethical hacking: checking websites, applications and organisations. Breaking in, seeing what we find, and then delivering reports about it. 
 
How do you keep up with the latest developments?  
 
It’s challenging, because the cyber world is evolving incredibly quickly and customers expect – rightly - that we are always up to date with the latest trends. We use many, different sources, such as articles that appear on our online feed or tips and tricks from colleagues. There are also a few excellent podcasts about cyber security. ‘Dasprivé’ for example by Bart Van Buitenen and Tim Van Haeren. It’s the best choice to stay up to date in the field of privacy and GDPR. And I am lucky to regularly collaborate with a number of ethical hackers on a freelance basis. If you want to learn new hacking techniques, nothing beats a duo project with another hacker! 
 
What does this award mean to you? 
 
I was told that we received the award mainly because we make cyber security understandable for everyone: cutting through the jargon and thick reports, and providing very concrete and practical tips. In this way, we help increase cyber security awareness and convince more people of its importance. I believe this is crucial, and the award motivates us to focus even more on this area. 
 
In 2025, we will share videos with tips for end users, because we want to make more information available. Our ambition and our mission remain to take cyber security in Belgium to a higher level, both in the business world and with private individuals. 
 
Which achievement are you most proud of so far? 
 
I like to think back to the very first audit I did, five years ago. I was very nervous because it was my first official assignment as an ethical hacker, and it was for a well-secured multinational. The company had already implemented several security measures and done previous audits. I certainly wasn't going to find any low-hanging fruit!  
 
But only 20 minutes into the audit, I was in their systems - because the CFO had reused a password that had been leaked on the dark web. It was just there, for the taking. Sometimes it is just that simple. You can invest heavily in firewalls and training, but then a simple human inattention, such as an unprotected password, can be your downfall. This shows how we still sometimes make things very easy for hackers. It’s a message that grabs people's attention.  

Axel Legay started his career in the academic field, specialising in formal verification, testing and cyber security. As a pioneer in statistical model checking (SMC), he greatly influenced industrial verification practices. He has brought together Walloon researchers and economic stakeholders in Cyberwal.

When Legay was named Cyber Security Researcher of the Year at Belgium’s Cyber Security Awards in December, the jury cited his pioneering research, including advanced AI algorithms for malware detection. Reflecting on the honour, Legay states: “For me, CoronaAlert will always be my most important achievement, because it united people across regions, disciplines and institutions. It taught me that genuine progress arises when we collaborate, listen and trust one another, which requires different kinds of intelligence.” 

Belgium is increasingly being recognised for its cyber security efforts. How would you describe its current position in cyber security research? 

“Belgium is among the leading players in Europe. We have made significant progress, thanks to strong digital foundations and a willingness to adapt. Although we face complex administrative structures across regions, we are aligning priorities and moving towards a more integrated approach. That’s why we need to maintain political momentum as well as continue our investments in research and training programmes to produce skilled cyber security professionals.” 

What are the biggest priorities for Belgian cyber security research right now? 

“In my opinion: cross-regional collaboration, strengthening public-private partnerships, and enhancing education at every level. We need more structured, long-term investments to ensure that universities, businesses and governmental agencies work together efficiently. Bridging technical and legal aspects—ensuring that engineers understand regulations and policymakers grasp technology—is likewise crucial.” 

Why is cooperation between academia and the private sector so important? 

“It ensures practical, impactful results. For example, when we worked with Cisco on malware detection, they provided real-world data and deep industry insight, while the university brought cutting-edge machine learning algorithms. By combining high-level academic research (low Technology Readiness Level) with immediate industrial needs (high TRL), we created a valuable feedback loop that accelerated innovation on both sides.” 

Which threats do you foresee in the future? And how can we cope with them?  

“The threats are both technical and human. Critical infrastructures (including hospitals, energy grids and transportation networks) are increasingly interconnected and vulnerable. As digital devices proliferate — from smart homes to connected cars — the attack surface grows. Educating citizens, professionals and policymakers is essential. Cyber threats aren’t just technical challenges; they also stem from a lack of awareness and digital literacy.” 

Do you see Belgium becoming a top European cyber security leader? 

“Yes, absolutely. We are on track, and I believe Belgium can be in Europe’s top five for cyber security. By building an ecosystem that includes strong research, innovative companies, supportive public agencies and well-educated citizens, we can create a robust defence against evolving cyber threats.” 

Vanessa Ling: I graduated with a law degree and began my career as a lawyer at the Brussels Bar. After 10 years, I switched to a more commercial role in an international media group, which offered me an interesting mix of law and business. In 2012, I started working at Proximus as an executive advisor, joining the legal team in 2018 when the GDPR entered into force. For me, it was the right time to move back into law, in charge of consumer protection, media rights, IP protection and privacy.

Why are you passionate about privacy?

I fell into it in 2018, but I immediately saw the importance and complexity of this domain. Privacy is about the protection of a fundamental right, and at the same time it’s at the heart of everything we do as a telco, at the heart of our innovation. So it was a challenging job, but the freedom to design new processes, establish a governance and create a team, all from scratch, made it extremely interesting. Seven years on, the domain is still growing every day: privacy is a never-ending story. When I started, there was one person working on this topic; today, my team counts 10 lawyers, supported by external help.

What was your approach to embedding privacy in the organisation’s broader governance strategy?

We first set up a privacy governance body, with representatives of the business, risk management, security, data, and so on. During our monthly sessions, we discuss data-related subjects. We subsequently designed a privacy review process using Collibra. This helps ensure we have a good intake of all initiatives – there are over a 1000 new initiatives per year! We capture them in a process that is as automated as possible. The aim is to embed privacy in our project management, building the right culture and changing the mindset for our people who have yet another issue to manage in their project. One key to success has been our community of privacy ambassadors: 120 colleagues who have voluntarily taken on a role to help build a privacy culture.

What does the Privacy Professional of the Year award mean to you?

It’s a meaningful recognition. Privacy protection is a tough job for in-house experts, who face high pressure from the business and their objectives, while dealing with data regulation compliance. I also appreciate that the award stresses the collaboration with our cyber colleagues. Fabrice Clément, who represents Proximus on the Cyber Security Coalition board, encouraged me to apply. The award has allowed me to discover the Coalition’s network. I am looking forward to working more with the Privacy Focus Group in future.

What are the main challenges ahead in privacy protection?

We are facing more, and more complex, regulation. There is even some overregulation to a certain extent, with overlapping rules and contradictions: for instance, between the GDPR and telco sector-related legislation. In a rapidly changing technology environment, it is hard to remain competitive while complying with strict regulations. A typical example is fraud prevention and detection. In order to identity customers and protect their accounts, we require large amounts of personal data. In 2025, I fully intend to work more on advocacy, to gain more flexibility in protecting our customers. We need to explain this better to both Belgian and European regulators and policy makers.