2024: ACTIVITY REPORT OF THE CYBER SECURITY COALITION

Leading with Security Excellence

The evolving role of a CISO

As businesses grapple with the mounting cyber threat landscape, the CISO function has evolved beyond its traditional scope, and demands a clear redefinition. What do the tasks of a Chief Information Security Officer entail? And how can a CISO best tackle the challenges while adapting to their new responsibilities? Danny Moerenhout welcomes Rik Bobbaers (Tech CISO ING Global) and Philippe Michiels (CISO Cegeka Group) to our podcast.

Rik Bobbaers

Tech CISO ING Global

Philippe Michiels

CISO Cegeka Group

The CISO of tomorrow, facing changes

The number of computer hacks increases significantly and steadily every year. According to a report published by CheckPoint Software Technologies, a global provider of security services, Belgian companies suffered on average more than 1,090 cyberattacks per week in the second quarter of 2024, an increase of 31% compared to the second quarter of 2023. How does this impact the job of a CISO? Xavier Neerdaels (CISO BNP Paribas Fortis) and Xavier Paulus (CISO Solvay) share their views in a podcast interview with Alexandre Pluvinage.

Xavier Neerdaels

CISO BNP Paribas Fortis

Xavier Paulus

CISO Solvay

“The students truly become experts”

The further development of the cybersecurity sector hinges more than ever on the establishment and sharing of solid knowledge. Through its Executive Master in IT Risk and Cybersecurity programme, Antwerp Management School (AMS) seeks to contribute to this goal. Yuri Bobbert, professor of information systems management and Programme lead for the course, explains why knowledge sharing is so essential for them.

Yuri Bobbert

Professor of information systems management and Programme lead at Antwerp Management School

“Today’s cyber security leaders can’t limit themselves to the role of enforcer. First and foremost, they need to focus on building a resilient organisational structure and culture,” opens Yuri Bobbert. In practice, this underscores a growing need for soft and managerial skills among leaders in the IT world. “Fostering resilience among all members of an organisation requires paying attention to the human element and responding to it successfully.”

Focus on soft skills

“This is precisely why our programme focuses on these soft skills,” he continues. “While purely technical skills are central to more tech-oriented programmes, they are less of a focus for us. We have maintained a strong focus on governance and leadership: areas in which we, as a management school, have a distinct expertise. We also serve a lot of very technically oriented managers who acknowledge they need to develop their soft skills like convincing, persuasion, negotiating, and presenting.”

The Executive Master in IT Risk and Cybersecurity programme, a specialisation within the Executive IT Management programme, is open to candidates with a Bachelor’s or Master’s degree plus five years of relevant experience. It therefore attracts IT professionals in leadership positions. “For example, IT managers from major players in the Antwerp port area, financial industry and petrochemical cluster, as well as consultants or people who approach the topic from an HR or financial perspective,” Yuri explains.

Students who follow our track typically gain skills and capabilities for building a solid cybersecurity investment case and developing a roadmap with the right resources like people and money. They learn to define governance structures to manage and maintain an effective security organisation. To understand risk management practices, students learn how to quantify risks and develop cost-effective programmes. Next to these skills they learn how to negotiate, manage incidents, and inspire their teams with the right leadership.

Knowledge sharing as a central goal

The Master’s programme culminates in a research project. “The students dive deeply into a specific risk or security topic and truly become experts. The knowledge and insights generated over the years are made maximally accessible to the public by AMS. To maximise the impact of the research, we allow our top students to present their findings at sector meetings across Europe and make the theses, about 40 annually, publicly available afterward. This demonstrates that knowledge sharing and valorisation are central to us.”

A concrete example of such a project is an extensive glossary that a student compiled last year as his graduation project. “This is essentially an atlas of all existing concepts within cybersecurity. For cyber professionals, it provides a chance to understand how the current world is structured. Once again, this shows how we aim to advance the field,” says Yuri.

The two-year Executive Master’s programme has already produced around 100 alumni. “Each contributes to strengthening the cybersecurity landscape,” Yuri continues. “Accordingly, membership of the Cyber Security Coalition is highly valuable for the AMS. It allowed us to connect with a significant portion of our target audience for this programme. Finally, as a member, we can better understand what everyone else is doing and the issues they face, and sow the seeds for new collaborations,” Bobbert concludes.

The Evolving Role of the CISO: Insights from Cybersec Europe 2024

At the end of May, Cybersec Europe 2024 drew cyber enthusiasts and professionals to Brussels Expo, providing a platform for seasoned cyber security experts and innovative start-ups to share insights and address collective challenges. Among the 300 exhibitors, the SAI, ECSO, the Belgian Cyber Security Coalition, ISACA Belgium & Agoria hosted a panel discussion and Q&A session focused on the evolving challenges for future Chief Information Security Officers.

The panel consisted of Bjorn R. Watne, Senior Vice President and Chief Security Officer of Telenor; Joanna Świątkowska, ECSO Deputy Secretary General; and Miguel De Bruycker, Managing Director General of the Centre for Cybersecurity Belgium. Marc Vael, President of SAI vzw, moderated the conversation.

The discussion explored various themes, emphasising the evolving skill set required for modern CISOs, the impact of AI and quantum computing, and the importance of regulatory frameworks. 

Evolving skill set for CISOs 

The role of the CISO is expanding beyond traditional risk and incident management, to encompass the entire cyber security supply chain, Joanna Świątkowska stressed. She highlighted the necessity for CISOs to possess both technological expertise and a deep understanding of business needs. Cyber security, she argued, is a team effort requiring diverse expertise and strong collaboration. 

Bjorn Watne concurred, noting that the CISO's role has rapidly evolved. Today, CISOs must be adept in crisis management, disaster recovery, business continuity and proactive cyber security measures. 

Miguel De Bruycker called attention to the importance of adapting to organisational scale and fostering a culture where cyber security concerns flow from IT to management, and vice versa. He also pointed out the value of the EU Cybersecurity Skills Framework for HR departments as a benchmarking tool. 

The role of AI in cyber security 

Delving into the implications of AI in cyber security, Miguel advised caution, noting that AI's effectiveness depends heavily on the quality of input data. While AI can significantly ease cyber security tasks, it also introduces new risks and challenges that must be managed carefully. 

Bjorn discussed the dual nature of AI, as both a potential threat and a powerful tool for enhancing cyber security measures. Joanna viewed AI as a revolutionary technology capable of shifting cyber security efforts from reactive to proactive, particularly by enhancing Cyber Threat Intelligence (CTI). 

Audience members raised concerns about AI security policies, emphasising the need for caution with classified data and the importance of existing rules and ethical standards. The panel agreed that AI's limitations, particularly its lack of explainability, call for careful integration into cyber security strategies. In terms of a specific AI security policy, the room did not have a unanimous opinion. Nonetheless, the existing rules, ethics policies and codes of conduct for access management and classification should also apply to AI. 

Quantum: preparing for the future 

Quantum computing was another hot topic. Some highlighted its immense potential and the significant risks it introduces, particularly due to the reliance on legacy systems. While quantum computing promises revolutionary advancements, many organisations' older libraries and algorithms may not be quantum-proof, posing substantial security threats. 

Other participants took a cautious perspective, noting that while quantum-proof algorithms are in development, their practical implementation is still evolving. They pointed out the importance of robust lifecycle management for all systems, to prevent outdated technologies from becoming critical vulnerabilities. 

The panel and audience agreed that transitioning to quantum-resistant systems requires more than technical solutions; it entails updating system architectures, integrating new hardware, and ensuring all components are quantum-ready. While this is particularly challenging for large organisations with extensive legacy systems, it nonetheless is essential for maintaining cyber security resilience in the quantum era. 

Navigating regulatory landscapes 

The discussion also addressed the complex regulatory landscape, focusing on key regulations including the Cyber Resilience Act (CRA) and NIS-2. Joanna pointed out that while these regulations enhance cyber security, they also pose implementation challenges. Organisations need substantial education campaigns and practical toolboxes to comply effectively.

Miguel discussed ‘regulation fatigue’, where the rapid introduction of new regulations overwhelms organisations. He noted a recent consensus among State representatives to pause the creation of new regulations until the existing ones are fully implemented and understood, to prevent an unmanageable regulatory burden. 

The panel stressed the importance of a balanced approach to regulation: stringent standards are essential, but organisations also need the resources and support to comply without stifling innovation. Continuous education and certification are crucial for keeping up with regulatory requirements, and forums such as Cybersec Europe facilitate the exchange of ideas and best practices. 

Fostering the next generation of cyber security professionals 

Both panel and audience underscored the importance of motivating and supporting the next generation of cyber security professionals. Bjorn emphasised the value of diverse roles within the CISO profession, encouraging young people to explore various aspects of the field to develop both technical and leadership skills. Joanna pointed out the challenges new professionals face (including stress and work/life imbalance), and the need for board support and a transparent vision. 

Joanna was joined by Taco Mulder, CISO FPS Policy & Support (BOSA), who advocated for mentoring programmes such as Women4Cyber and Cyber Wayfinder, noting that such initiatives not only support mentees but also provide valuable learning experiences for mentors.

Conclusion: what makes a good CISO? 

The session concluded with reflections on the qualities that make a good CISO. A sense of humour was suggested as essential, highlighting the intense pressures of the role. Ultimately, the discussion underscored the dynamic and multifaceted nature of the CISO position, as well as the need for continuous learning, adaptability and a collaborative approach to cyber security. 

The panel recommended hosting more events specifically for CEOs to enhance their understanding of the critical role CISOs play in organisations. Increased awareness among top executives can foster better support for cyber security initiatives, ensuring that security concerns are integrated into strategic business decisions. 

Navigating the evolving role of CISOs in a complex threat landscape

The increasing complexity of cyber security requires robust leadership. At the BE-CYBER Experience Sharing Day 2024, five renowned voices with a combined 180 years of leadership experience came together to discuss this critical issue. Centred around the theme ‘Fortifying cyber leadership: Empowering CISOs for resilience and compliance’, they explored the evolving responsibilities of cyber security leaders and the essential qualities needed to fill these roles.

The panel, which included Sandra Gobert (Executive Director at Guberna), Ronny Depoortere (President at Zetes People-ID Division), Marie-France De Pover (General Manager at KBC Group Compliance), Karine Goris (Chief Security Officer at Belfius) and Dirk Lybaert (Secretary General at Proximus), was moderated by Marc Vael (President at SAI vzw).

One of the most pressing challenges in the ever-evolving cyber security landscape is the search for effective leadership. The increase in cyber threats has dramatically heightened the strategic importance of cyber security. As a result, today’s cyber security leaders must possess an impressive range of diverse skills and qualities.

“Chief Impossible Skillset Officer”

“A CISO must first and foremost be able to convey technical information to the board, a group that does not share the same technical background. It’s difficult but certainly achievable,” said Dirk Lybaert. “A Guberna survey confirms that there are still significant gaps in technical knowledge within most boardrooms. Thus, the crucial task is ‘translation’,” added Sandra Gobert.

Considering the substantial gap between these two worlds, the panellists agreed that communication skills are now fundamental to the CISO role. “Anyone in this position must be able to inspire. This is the only way to ensure security truly becomes embedded in the organisation’s DNA, which is absolutely essential for success,” Ronny Depoortere clarified.

In addition, technical knowledge and communication must be complemented by a deep understanding of how a business operates along the entire value chain. Furthermore, a CISO must be committed to learning, including keeping up to date with the latest innovations and regulatory developments. “When you add in that a CISO must be available 24/7, it’s clear that this is a hell of a job,” Dirk Lybaert remarked. Gobert laughingly agreed: “‘CISO’ today could stand for Chief Impossible Skillset Officer.”

Compliance today and tomorrow

This sentiment reflects the high expectations for cyber security leaders, who must juggle broad responsibilities. As the discussion shifted to compliance, it became clear that regulatory guidance is another key aspect of the CISO role. “The CISO must ensure that the company meets its objectives while conforming with the applicable laws and regulations,” Marie-France De Pover explained. “There is a complex web of requirements, often riddled with contradictions.”

“A company claiming to be ‘fully compliant’ with all regulations is simply not telling the truth,” Dirk Lybaert stated candidly. “Many regulatory initiatives contradict each other.” He stressed that making steady progress in compliance is what grants companies their license to operate. It’s a practical approach that reflects the importance of conformity in ensuring long-term business viability.

At the same time, the panel agreed that compliance should be paired with a robust cyber security culture, grounded in resilience. This culture should extend through every layer of the organisation, ensuring that employees at all levels are ready to respond to incidents. “Incidents will inevitably happen, and everyone in the company needs to be involved in the response,” Ronny Depoortere emphasised.

A crucial element in this process is internal testing - such as simulated phishing emails - to identify vulnerable employees. Those who fall for the tests may require additional attention and training, reinforcing the idea that cyber security is not just a technical issue but a company-wide responsibility.

The panel concluded by stressing the expanding role of the CISO as a leader with deep technical knowledge as well as top skills in communication, compliance and cultivating a cyber security culture. The expectations are vast, but as the panellists made clear, these multifaceted demands are essential to safeguarding organisations in an increasingly digital and threat-filled world.