Threat Talks is your cybersecurity knowledge hub. Unpack the latest threats and explore industry trends with top experts as they break down the complexities of cyber threats.
We make complex cybersecurity topics accessible and engaging for everyone, from IT professionals to everyday internet users, by providing in-depth and first-hand experiences from leading cybersecurity professionals.
Join us for monthly deep dives into the dynamic world of cybersecurity, so you can stay informed, and stay secure!
Should a regulator fine you
or help you get more resilient?
Welcome to Threat Talks.
My name is Lieuwe Jan Koning and here
from the Security Operations Center
at ON2IT, the subject of today
is a refreshing approach
by a supervisory regulator, the RDI.
Let's get onto it. Welcome to Threat Talks.
Let's delve deep into the dynamic world
of cybersecurity.
Let me introduce my guest of today.
His name is Jasper Nagtegaal,
and I'm thrilled he is here because he is
the director of Digital Resilience
at the RDI.
And the RDI is the body that's
responsible for a lot of, well,
I'll ask Jasper in a minute
what it actually is, because it's a lot.
But the point here is that
with the upcoming NIS2 regulations
and especially all those more companies
that actually fall under this regulation,
Jasper is the guy to talk to
because his organization
is actually going to supervise
all of them.
So that's interesting for any Dutch
company, any European company,
companies abroad that
invest in the Netherlands.
But there's also something
to learn from the approach,
which I truly think
is refreshing to me at least.
So, yeah, it's about time that we talk to him
about this, I'm really thrilled about it. Jasper.
Welcome.
And before we start about this subject,
I'd like to know what industry you feel is the most
mature in safety in general?
Well Lieuwe, the first one that pops
to mind, in my head is, aviation,
I would say. I've learned from
that a little bit in the past,
and it also a little bit inspires me
in our current approach in supervision.
It's about Just Culture, they introduced
a long time ago in aviation.
That's about, really, admitting
on the faults or incidents
that happen and be open and
evaluate and learn from them.
And from there get better
and better and better,
because safety for people in the air, it’s a priority.
Yeah, nobody wants a problem there. Yeah.
I once read that, it's actually
if I go on a trip
to the United States, which I do often,
the chance that I get killed
is higher on my road trip to the airport
than from the airport overall.
Is that true?
I don't know if it's true by numbers.
So I don't have the data to examine,
but, I also tell this to my children.
If we go on a holiday trip and say
airplane or car, I say, airplane
is safer. Better take the train
maybe even, if that's available.
Yeah. That's more... Yeah.
Okay. Yeah. Because,
why am I asking this,
because, I mean, maybe you can
explain a little bit about the RDI
because it's not just cybersecurity
that you're dealing with.
It's much broader than that and especially in your career,
you've overseen many, many different verticals.
So please explain.
Yeah.
Well, it's the Dutch authority
for digital infrastructure. And,
we've come a long way
from radio communications
to where we are right now.
And, our work is, you can capture it
in one mission, and that's about a
secure and safely connected Netherlands.
And there you hear it already,
it's about connections.
So networks but also devices and everything
that you need to stay connected.
So cables underground, but, radio
communications above ground, through the air.
So all the things we use and need
to be digitally connected
in economy and society.
That's where we have a role.
And sometimes we monitor,
it's about scarcity so it's also about
giving out permits,
to use the radio frequency,
the spectrum, it's also about looking into
the market, just like, all products and,
coming into the EU market
have to be safe and secure.
It's also about secure networks.
So are they resilient?
Are they continuously available, for example.
That's a lot.
That's a lot.
And we'll talk about it a little bit later.
But your jurisdiction, so to speak,
is the country of the Netherlands.
There's comparable bodies
in the rest of Europe and America
and Canada, also,
we'll touch upon that.
But you have a lot of experience, right?
Apparently this is quite
aligned with the country borders.
How this is done.
Yeah. Yeah.
So and it's on an international scale.
So if you talk about radio
communications, it’s international,
they have to be interoperable because
otherwise you cannot use your phone
in the States, for example.
So yeah.
So, but it's also in an EU scale.
So, there's all kinds of standardization,
and normalization
procedures, international and also
within the EU. And within the EU,
of course, we have the whole digital
regulation framework from the Commission
they pushed out the last couple of years.
And it's also a lot.
So you have to work together.
Yeah. Yeah. Okay. Yeah.
Actually, that reminds me, you mentioned,
we have to standardize all these things.
I remember that certain frequencies
were not possible in the Netherlands
because there was some kind of
military thing in the north,
where they ‘need it’ for unspecified...
I won't ask you what they needed it for.
Yeah.
That’s commonly known,
for military purposes, but yeah.
Then it's used.
And if you want to have this frequency used
by network operators for the 5G networks,
yeah, then you have to do something about it
if you want to roll out that properly. Yeah.
And that took some time.
This is all part of what RDI does.
Yeah.
We are also involved there also
with our Ministry for Economic Affairs,
of course, also play a big role.
But, we work together
on that sort of cases.
Yeah.
Okay.
So can you explain a little bit?
Well, maybe, there's NIS2.
I mentioned that in the, maybe
summarize it in two sentences
for those who haven't heard of it.
NIS2. Yeah. NIS2 is a directive,
mainly aimed at boosting the digital
resilience of the European
economy, I would say.
Yeah, the focus is on resilience. Yeah.
Because what I said in the introduction,
I mean, I think,
it's a refreshing approach that
you take because I asked,
well, could you answer the question
is better to fine or to build resilience?
I would say to build resilience,
of course.
Fining is just, it's a tool we use,
it’s a part of enforcement.
But, no, I would say building resilience,
take a risk based approach on
having a resilient economy
or a resilient company you lead. Yeah.
So you have this legislation
that's your weapon, so to speak.
And then of course, you have
the authority to issue fines, etc.
But you said, no, if we let it play out all the way
until the end, where the fines are needed...
Yeah? We have actually
already failed. Then you,
yeah. You're failing.
More or less.
At least as a country.
I heard a good phrase, within a group of other
supervisors and to us about, how do you say it
right? It's about, enforcement
or fining is the most pricey
part of supervision because,
yeah, it doesn't help me.
It doesn't help a company
because we have to take a lot of time
to do in-depth investigation
and then all, you have to go to court
maybe, because otherwise,
you don't like to be fined,
so you use your protection,
based on Dutch administrative law.
And then we have a whole process,
just about one company
building on a little bit of compliance
there and us, trying to push a fine, that's all
at the end of the tale, because...
The disaster had already happened.
The big gain is at the front.
It's a bit like in health care.
You better screen, do a
regular health screening,
so you don't in a very late stage
discover you have cancer.
Because if you do it early on,
is it that kind of mechanism?
Yeah it's preventive.
So yeah.
So supervision should be on
a preventive matter and building
digital resilience within
a sector or an economy.
Yeah. So can you explain a little bit
what are you doing to achieve this?
Well, first of all, this, being
out there and explaining
how we operate and how our perspective
is on, supervision and enforcement.
Of course.
And, getting into touch also, upfront
with all our sectoral responsibilities.
So with the energy sector or space
or a lot of industries,
telecommunications, cloud, etc., etc.
and we want to be there.
So we are approaching
branch organizations
and talking to them,
trying to establish
some sort of vision about,
how do they work?
What are the main concerns, risks in those sectors
and then approaching from a business side.
So, how do they work and how can we
find an angle to work
with them together to
yeah, crank up the resilience there.
Yeah.
So suppose I am
in critical infrastructure,
I'm part of a company, let's say,
an energy company or so.
what would you, so you would knock on
the door, well, phone them up and say,
well, listen, we need to talk, because
we have NIS2 and we’re concerned.
Yeah. How does that work?
Mainly, basically like that.
So, yeah, we make an appointment. Yeah.
And then we say, okay, we come to you,
and then you.. And they're all frightened
because the regulator is there.
Some of them, some are quite sturdy
and say, okay, let's have it on.
But, no, but, when you're there what
we did in the last couple of years was,
also inviting in that talk,
the CEO of the company.
So the boardroom awareness
was, right from the start was there.
And then we try to understand
how your business works.
So that's one of the first things my inspectors
do is trying to understand the business.
And how they approach resilience or
security or safety in that company.
And as you named the energy
sector, for instance,
is they really work from a safety
perspective already there.
So continuity in electricity,
that's the main thing.
We don't want no electricity in society.
We can't handle that.
So we need it.
So and they know that.
So they build on safety in those industry
and in the energy sector.
And they already have a
whole risk management
process in place in that company,
and in that sector.
So if you take an approach
with a totally different
security talk about hackers and state actors,
etc., then they say, yeah, right.
And they don't really believe you, but
if you take an approach from their
risk perspective in the board.
So yeah, but if you get hacked
or your systems are down or
your data is not available or stolen,
then you're out of business.
And that's the same thing about safety.
So if you incorporate this risk
perspective on digital assets,
also in your risk management approach that
you already have, then you can work with it.
And they said wow, good idea.
So you’re building on a culture
that's already there then.
It's already there. Yeah.
And you’re just showing the way.
Listen, it's not just the flu that is
there or a flood or whatever.
It's also the cyber risk.
It's also the cyber risk.
And then you have a talk and then..
But what comes out of this? Because it's really nice.
So you're educating them more or less
and helping them understand more.
Yeah.
And then what?
Next step is, trying to understand
which standards they use.
So, for example, in the energy sector
or an industry sector,
they are much more accustomed
to 62443 standards.
And not 27001.
So that's there.
So then you use that approach,
to talk with them about
how do you approach
security, for example.
But we also do deep dives.
So if we do a risk analysis on,
well, everything goes wrong
and it will surely happen
once in your lifetime as a company.
It will go wrong.
Then we approach them with the question,
what about your business continuity?
How do you approach your business
continuity in your organization?
And then we do a deep dive throughout
different companies, and then we analyze
and try to find out what's the
biggest problem or risk there.
So not on an individual company,
but also on a sector wide level
and try to establish some sort
of idea what’s wrong. It sounds a bit like,
it’s like a consult that
you have with an auditor.
Yeah. Beforehand.
But then for free, I guess, I mean, you can also
hire a company to help you play this out.
Yeah, sure.
[ ] but you're proactively...
Yeah, yeah, yeah, proactively doing that
because we work from public interest
and that's I think important
to say, I'm not there to
be a police on your compliance.
So, standing right beside you
and, do you do it,
are you doing it wrong and
“You're doing that wrong” and..
Yeah, you’re there with your notebook,
looking at the files that are in the wrong place.
That’s not very ... And then a
person in the company says what,
I'm mean, what am I then doing wrong?
And then you say, that's,
I don't like you doing that.
Okay. That's very precise.
That’s not ... Yeah.
We have people in place who can do that,
but that's not our main approach.
You don't want to end up doing that. No.
And then you're a police officer
standing on the sideline.
But you want to have a real,
steward approach on the whole system.
Yeah. How do you decide
which organization to approach?
Because you cannot have I mean,
there are so many organizations...
So we have a lot. Yeah. Yeah, yeah.
So thousands. Yeah.
Yeah, risk-based-
You have to employ half the nation.
Yeah. Yeah.
So yeah we have a lot of efforts,
and no, but we have,
we have a risk based approach,
just like a company itself.
Yeah. Of course,
because, that's our business.
So our business is supervising,
and the business of a company is,
yeah, all companies have different business,
but they have a risk based approach.
We also have one.
Yeah. Is that something
that's already in the law?
Or is that Committee’s or the government
that steers this or gives you focus areas?
Yeah. There is room for a risk
based approach. So that's NIS2.
It really literally says,
take a risk based approach.
So it's there.
And there's also room in our own approach because,
supervisors or regulatory bodies are independent.
So they have their own policies on how to approach
a sector or supervisory problem or target.
Yeah.
How independent are you really?
I mean, at some point, maybe the politics
interfere or is it's completely separated?
Politics always play a role.
So, a, minister or how do you call that
in the States, a secretary of state,
they have a little bit of influence
so they can say up front,
it's really important that you pay
attention to this topic or this risk.
But they cannot intervene
on a detailed level in the program of
a regulator, no- Because you have
the knowledge on where your real risk
is, I guess. Yes.
Because that's your profession.
That's our profession.
So but you have the freedom to choose if you
some day feel, hm, maybe it’s the solar panels. Yeah.
It's nowhere in law, nowhere on
the agenda of the politicians,
you can decide, okay, now we're going go
after this and we are going to educate them.
Yeah. And that's risk based.
So we do analysis
and they say this is a topic.
And of course you sometimes
have incidents, big incidents.
Last a couple of months, we had two big ones about
the public prosecution in the Netherlands.
And also with the health care system.
With the research company and
then, yeah, there is real public,
how do you call it; the people are
a little bit angry and concerned
and they want to do,
is there something done about it?
And then you have supervisory authorities stepping in
because there's public arousal, public interest, in place.
And then you have to step in.
Yeah. Okay.
And then it becomes politics.
So and how important is this fining part then.
Because I can imagine if you...
I really like the approach,
helping, because in my experience
there's a lot of things that we could
do, which is relatively easy to do,
especially on the technical level.
That's what all these guys
are doing all day of course.
But it's really hard
to get that message across
because often it's not properly
seen where the problem is.
Right? No. So I understand this approach.
I'm really in favor of it.
But at some point, I mean,
if there's no consequence,
we have the privacy body in
the Netherlands, the AP,
everybody knows they're understaffed,
so the chances of you
getting a fine is quite low.
Yeah. That's what people tell me, right?
So, what about you?
Do you have this big weapon actually ready?
Yeah. I know this discussion and yeah,
if you're understaffed of course,
then it’s difficult, but, yeah.
Yeah, we have the big stick, everything.
And not only the big stick, so
you have the fining, that's really
at the end and it's repercussion,
because you cannot mend anything anymore
because it's already done.
And then you can use fines,
but there are all kinds of means
you can use in enforcement,
in front of that.
And then you have, really at the front,
you have all the things about
information, behavioral insights, how do you call it,
working together with branch companies,
talking about how you can address risks,
maybe missing standards are there,
then you take the approach
to the standardizing
community, and say, hey,
maybe we can work something up.
So there's a lot of that, but the stick is always there.
But I can imagine that the reason they listen to you, is
because of the stick, right?
The reason to listen to you
is A) because you want to do the best thing.
Yeah.
Of course, hopefully that's always the case.
But the other one is if you don't listen,
there's the stick always. Yeah.
How big is this stick by the way?
What are fines... Oh I don't know.
From by heart we have different
forms of regulation.
So, different fines.
In NIS they are quite
yeah, heavy, they’re in the NIS directive,
literally defined at a
maximum- ... a personal liability.
And a personal liability. Yeah.
That's also end of pipe.
So, if, if we get there.
well, how do-
Your goal is not to be there, I get that.
But to me, it's important to
understand, if an organization
really does nothing,
what's the ultimate consequence?
Then, we can put all our
enforcement measures in place, so,
so we can use, how you call it,
I don't know in English right yet, but,
you can work with finance. So, if you don't
do this or do that, then you have to pay.
Then you have the, and if you're past that,
then there's also the possibility that there’s,
someone in the board of
the organization is frustrating
a better resilience, security
in the organization.
And you can ultimately
also put that person out of,
yeah, off the board
or on this specific topic,
saying you're not eligible anymore to steer-
Is there gonna be a criminal investigation also?
No, no criminal investigation.
So no one
is going to end up in jail,
but you're going to lose your job.
Yeah, you can be replaced-
Or personally fined, maybe?
- for I think for a certain time
on this matter in the board
for something like that.
So, yeah.
Then you're out of options.
It’s hard.. it doesn’t look
good on your résumé. No, that's, I think
if your committee of supervisors
is looking over your shoulder,
then they say maybe it's time to move.
So you don't want to get there.
And then you get the fine as well.
So they weren't all too happy with you anyway.
Yeah. Yeah. So it's there.
And we already did a lot of cases already,
on big organizations also in Netherlands,
which were ultimately,
yeah, ended up into fining.
So yeah, we use it.
But yeah, preferably- You hate to use it,
but if you have to, you can.
Yeah, we sure do. Yeah.
Let's look at, explore a little bit,
there's all these other industries like
the telecommunication industry sector.
You have a ton of experience
in those fields.
What can the cybersecurity industry
or the CISOs learn from this?
What works well in other areas?
You mentioned aviation, for example,
where people learn from their mistakes,
that's probably one of them. Yeah.
I already tipped on the energy sector.
So it's also about safety and
health, safety and environmental,
HSE is that called, it’s quality systems
and that's what they use.
So and also telecommunication
sector are already
also there because their main goal
is to deliver on continuity of business.
So it's not only about profit,
and the weighing of profit
versus compliance in their board,
but they know they have societal role
also with telecommunications and energy.
People need that, like drinking water, also. So those
companies already have a culture established
focused on continuity of their business.
And they incorporate cybersecurity also
in that same policy. And that helps. Yeah.
Yeah, yeah, I can imagine that for like,
the utility companies that have, that are
part private, part public maybe,
or at least the government has a big
say in those companies,
that's easier to achieve.
But you also mentioned aviation.
I mean, if there's one sector that
fights for profit, it's that one.
So why does it work
there as well then?
Yeah.
Because my point is, companies by
default, their main incentive is money.
Yeah. Right. Yeah.
But what you're saying here is that
in aviation, it actually also works,
everybody apparently has safety
on their mind. Because...
yeah, what's the main difference there?
I think it's because everybody in that sector
really believes in that main goal
of having a secure aviation sector.
If- It’s not just because ... “just”,
because if your plane
crashes more than average, then
nobody will ... and you’ll go bankrupt anyway.
Which is probably also true.
And then you’re out of business of course.
And so it's also an economic perspective. But it’s more
than this, if I hear you speak. Yeah, it’s more than this.
People believe and not everybody
still believes in digital...
More and more, luckily.
But not everybody still believes
in digital resilience as something
that you can benefit from.
They still see it as a burden, as something
you put into compliance, as a cost.
And it's not.
So, how can we change that?
And is this among all employees, or is it
the board or is it the CISO that
needs to speak up better
or what's the reason?
It's about well, I was yesterday speaking
somewhere and there was someone who made
the comparison with Groundhog Day,
Bill Murray, the movie it was,
and I don't, I think that-
This can be a very depressing answer.
It's not about that
because it's also about repetition.
And it's also, bringing the message
into those boardrooms and not by
giving your boardroom a lecture about,
you have to also be a CISO or,
it's about making it uncomfortable
talking about
continuity risks for your business and about
costs you don't want to have in the future. So.
And then you get the attention
and also, making them digital savvy.
So do you really know what-
So it’s a top-down thing that we need to do then
if I hear you. It's bottom up
and top down, talking together.
So and making sure that they really know
how deeply digital assets have already entered
our society and economy
and how dependent you are on them.
Yeah, but do you think that companies
don't know this then?
Still not.
No, no. Surprisingly, unaware then. Yeah.
Why is it quite easy to talk about finance and financial
control and financial reporting in boardrooms.
That's quite easy.
And we cannot talk about digital reporting
and digital accountability and data
and digital assets are just as maybe more
valuable nowadays than financial.
Now there are many different kinds of CISOs, but would you say that the CISO should be
as powerful in that sense as the CFO, for
example, because the idea of the CFO is
this person knows about all finances and about
investing and about everything money. Right.
In the board, he is on an assignment,
and if he tells us, yeah,
we need to, invest in whatever
or we need to sell these assets
or whatever, then everybody listens.
It's not the same in my experience,
with the CISO, it’s not at the same level.
It's not at the same level.
Should it.. why?
Is it because it's immature?
Should the CISO be at the same level,
you think? Would that be better?
Well, there's a C in the name.
But... Exactly. Yeah.
So.. That's a start. Yeah, that's a start.
But the same level differs
from the company of course.
But I think, they should at least have,
and luckily you see that more and more,
have direct access to the board.
So if they want to tell something there,
they should have access.
And, if you're a really digital company,
then you should have a CIO or a
CISO, have maybe direct access
into your board.
And really- Yeah, I often say that the CISO
reports to the CIO, and the CIO is in the board.
Yeah, that's there.
But then the CISO is not in the board.
No.
But if security is such a main thing,
yeah, you should consider, maybe
bringing that, for a permanent position into
the boardroom. And have their own budget...
Yeah, yeah.
Understand. Yeah.
Anything else that we can learn from
other sectors that springs to mind?
Well, that's a good one.
Other sectors.
Energy was a good one.
Aviation.
Health care, maybe?
Health care.
Ooh, that's a good one.
Can we learn from health care?
Do you have an idea?
When we talk to hospitals, I mean, of course,
cyber is really important, but if we're talking about
the availability part of the IT,
it always strikes me that,
I talked to a CIO once, and he told me
the most important system that we have,
we always ask our organizations,
where are your assets?
That's the first thing you want to know.
Where are your crown jewels?
What do you want to protect?
The whole Zero Trust thing is around all that.
And his answer was, it's the elevators.
And why?
Because everything else
is super resilient already.
I mean, if the planning system
goes down, they have a print out
and the pump for the insulin,
there's also manual thing there
or it’s on batteries or whatever.
It's not... the digital world hasn't
penetrated in the crucial parts
except the elevators, because
they have to move patients
into the operating room, into the OR.
So, yeah, what I'd say, I think the mindset is certainly there,
because, I mean, every person that dies is one too many.
Yeah.
So the culture that you mentioned earlier
in energy and in aviation
that you enable, yeah, somehow you press
a switch and then it starts to work for IT.
I think it works less for IT in some
health care organizations.
Yeah.
And it’s I think the same thing.
You don't see it.
It's about- You almost think that.
Yeah, but don't see it.
I mean, there's so many
incidents happening. Yeah.
All to the point they were saying,
oh not a breach, not a breach.
If I look on the dark web,
on my name, there's so many...
I mean, there's, actually in aviation,
in a southern European country that
we flew there once, everything is there.
My passport, my ..
You can simply look it up. Yeah.
It's everywhere. Yeah. So why is it not, well
not on the short term in their face probably.
It's because maybe we still talk
about it too much in terms of security.
Not in terms of business continuity
and profit loss, etc.
Maybe, the whole continuation
of your company and for the future.
So if you talk in those terms
and then you realize
it's all about the digital choices
you make in your organization,
then you have maybe a different talk.
Good takeaway for all the CISOs
that are listening, I mean,
speak the language of your board, and that's
risk based and that's continuity based.
Yeah, that should be. Yeah.
I want to talk to you a little bit about the international...
but before we do, we actually have
a treasure hunt, that we
always do in these episodes.
To our listeners, you already know,
and we have a few collectors
that request each and every
T-shirt that we give away.
So, again, you can win a T-shirt from us.
The first 200 people who respond,
we have the following code.
I'll name it only once.
That gets that shipped, actually, you mail it to
code@threat-talks.com, and the code is 230026.
Good luck.
Other countries. Because so far we've talked
about your experience here.
Is this the same, let's first say
the rest of Europe. Yeah.
Is the approach the same?
Like building on resilience?
Yes and no.
I think, yes. On the part that, other countries
are not stupid or something.
So they can, also they,
they agreed with the NIS directive
and they know about the resilient part
and about the directive’s approach.
So it’s not new, no.
But then on the other part, they have to
work with it and then, kicks in culture.
So, every European country has
their own culture and some are more
centralized, some are more decentralized
in their approach.
Some are more, based on, like we have
in the Netherlands, we work together,
it's more an ecosystemic approach and then you see
France, they are a more centralized approach.
But, [ ] or German colleagues who really built on structured
approach with audits, and auditing reports, etc. they use.
So a lot of standardizing.
So that's different.
It follows the country culture a bit.
A little bit. And I think that's
well, if you look from a harmonized approach. So, do you
want to harmonize regulation throughout Europe?
Yeah. I think then you have to do something
about harmonization. So, we do already so, for instance,
we have under the NIS cooperation group
that's derived from the NIS directive,
and they have a cooperation group
and all kinds of work streams under there.
We also have a workstream on supervision.
We kickstarted that,
I think two years ago.
And we said, okay, we want
to have all those regulators,
all the supervisory authorities together
so they can harmonize.
So there is something already there
to exchange information
and to harmonize our approach.
But that's the thing about the harmonization,
that's good. We have to do that.
But you also have to think about,
how culture is in organizations
in different countries because that defines how
their behavioral stances in that organization.
And you have to take an approach
not only on compliance, but also on
how does the culture in that company work
and how can you influence
that culture and their approach
on security and resilience.
Can you explain... Do you have an example of how
your approach wouldn't work for a certain culture
in a certain, maybe certain country
or certain type of organization?
Well, for instance, our German neighbors,
they really work with auditing reporting
and all kinds of reports and they
come into a workflow
up to the regulator there.
And they look at it and then they analyze and
backbench and work from different cases there.
And what we do is, we go out there
so we have a more informal talk.
With Germany it’s quite formal.
So you have to have a formal approach.
Otherwise; ‘What kind of regulator are you?’
You're coming to drink some coffee
here with our CISO
and then talk about security.
And the approach in the Netherlands
works quite well, it’s well perceived.
So the more informal approach works quite
well here, but would not work in Germany.
So you- So if you would phone up.
Well, if you were just in Germany,
you would do the same thing.
in German then, say hi,
I'm going to talk to you about NIS2.
And, then they will be confused.
They will be polite and they
will accept the invitation.
But, does that really work?
They want a formal approach, and they want
a nice leaflet and a document to start with.
And then they provide you
with information and work from there.
So that's a different stance.
What about the United States? Yeah.
I have not all the insights on
how my U.S. colleagues work,
but I have some ideas,
because often, of course,
you talk about these kind of topic-
And there are many U.S.-based companies that
are here. Yeah. That you govern, right?
Or regulate. Yeah.
And I see it's about,
it's a different culture.
It's about pushing risks and liability
out of your organization, so,
everybody knows the phrase, right,
I sue you. That’s of course not
what I want to say,
but it's about liability.
And liability is a big thing.
So liability in companies, but also of
boardroom members in companies in the US
does something with the culture
there about cybersecurity.
So compliance is there very
important, I think, because
if you don't fulfill your compliance,
then you'll be held liable. Then you’re liable.
Yeah. Yeah.
So you may say that on top
of the layer of risk based
approach, there's a liability
approach around that.
If you didn't do your risk,
didn't manage your risk well. Yeah.
And that's different from the Netherlands,
for instance, because, yeah,
In my case, I give more space to companies, and then
they have to have their own maturity
and take their own responsibility.
And they will be held
accountable, of course.
But it's not like, if they miss one dot
in the compliance checklist, they
are, just like that, liable
and accountable.
It’s not black and white.
It's not black and white. No.
That's why there's always a story behind it.
Can we learn from the US approach?
Is it better in a sense?
I mean, I can imagine,
what you're describing
I believe, is that the stick in the United
States is more important. Yeah.
And we can learn from that.
So we shouldn't be blind
because ultimately,
as a supervisor, you work with
the whole portfolio of instruments
you have to boost digital resilience.
And if the culture there works with sticks
and the stick is the most effective
tool you can use to boost
the cybersecurity there,
then you should use it quite often
maybe, but if you back down there
and you say we do nothing-
Yeah, because you said before,
this is the most expensive way of doing,
of becoming resilient. Yeah. So yeah, lawsuits,
etc., everything you have to do. Yeah.
So yeah, I don't know if it would work here,
but from the whole perspective, I'm a fan of
a Dutch professor, sorry, not a Dutch professor,
a US professor at Harvard, Malcolm Sparrow.
My name is Nightingale, so I like
people with bird names, but yeah.
But Malcolm Sparrow,
he's worldwide,
he's the known guru on supervision
and enforcement, and
he really works with a problem-
based, a problem-centric approach.
So look about the big problems, the big risks,
and fix them. Fix them first.
And that's his approach.
Not just doing your thing, like, as a supervisor
doing your inspections and finding companies.
But look at, from a public perspective, what are the big risks
in a sector or with companies or on a certain team or
topic and approach those.
Analyze them.
What's the real problem?
And advance.
And then you can do something about it, maybe
as supervisor, but maybe you're not the person
or the organization who can fix it.
Maybe you need someone else,
then let someone else do it.
I mean, your translation of this
is that you actually go out
to those organizations
and listen. And listen.
That's something completely different
from: there's a law, and there is a checklist,
and if it doesn't all add up green, then
you're liable. Yeah. So maybe a little,
for example, if you, just a fictitious
example, of course.
But, a company, has to do something
from a security perspective
and I say, okay, you have to do it.
And they say, okay,
we really want to do it.
But they have no people, no expertise.
In the market, there's no vendor
or service or something available.
Then I can push and push and push
and push, but they will not do it.
And not because they don't want to,
but they're not able to. It is not possible.
And then the solution is not there
in our relationship.
But the solution has to be, there has to be something
in the market, or we have to educate people, or
go to schools, universities, to
build a curriculum about it.
So then the solution is somewhere else
and not in the relationship
between the supervisor and the company.
Yeah. Yeah.
So then it probably also becomes more important
to have this, the stick or the liability
because that will set the record
straight. Yeah, yeah.
In the organizations that
are more hierarchical, I guess.
Yeah. All right.
I'd like some practical advice from you.
I mean, you talk to so many different
organizations, CISOs, everything.
I mean, there's a ton of things
that you... Maybe I'd like you to,
you're there in the boardroom, explain:
what needs to be done?
Tell us. What can we do tomorrow?
Do tomorrow.
I am the board member now. Yeah.
I'm ignorant. And tell me what to do.
Oh, dear board member.
Okay, you just had a boardroom meeting,
and then you've talked to your CISO, and then
the first thing you want to do is give
the CISO a lot of money and say, hire
all kinds of security companies who
give us advice on how to approach
this. Many people are making
notes now, I think. Yeah.
And of course, that's good for your CISO that you
back them up and you want to give them budget.
But, the first thing you should do
is start with your risk analysis.
What's your main business goal
and your processes behind it?
Those are your crown jewels
in your organization.
And start there.
Do a risk analysis.
What do I want to really keep safe and
have continuity built around it?
So, and from there, work
with that perspective.
Look at how I want to prevent
and mitigate those risks.
That's the first step
you really have to take.
Yeah. Sounds a lot like what
we always do with Zero Trust.
You first need to make
sure that you know what...
Yeah. What you want to protect.
It's a reasonable approach. Yeah.
What else?
You mentioned boardroom
awareness also a couple of times.
Is this what you mean by it, or
how can we practically do this?
Well, and the other one
is, of course, educate. That's
in the NIS directive, but
also in the financial one, DORA.
That's the NIS for the financial sector;
it's about boardroom education.
So that's also there,
boardroom awareness.
The board needs to go to school.
I heard, as a very simplified translation.
I want to add a little bit on that,
because it's worked out,
and then you have the board and they
do a little bit of a checkbox training.
I don't like it.
You don't want to have CISO-light training.
That's also, I borrowed that from a professor
in the Netherlands on cybersecurity.
She says that a lot. And CISO-light is:
don't do a little bit of the curriculum a CISO has,
and then in small parts, and then
you have a CISO in the boardroom.
No, you already have a CISO,
so don't do CISO-light, but
walk them through, rehearse with them,
do the practice, do a little bit of,
scenario practice-
[ ] to the CISOs?
Should be able to, depending on
how the regulation is built up.
You have a certified trainer right now,
that's what was in the regulation.
Well, is the CISO a certified trainer?
Some are, some not.
So there's a little bit
about the regulation, but
from my perspective, you should
have someone who is able to
have a little bit of a good tone of voice,
the right words and the right approach to
really convince the board of the risks
they have, and ask the right questions.
So do we have agreements
with our suppliers about security?
Simple question.
But if you don't know that you have
a real, quite a big stack of suppliers,
because it's not one supplier,
but your suppliers, if you,
yeah, break them down, you have
a whole stack of suppliers:
do I have really good agreements
on how to work with them, and do they know
our risks, and can they deliver
on our risks from our supply chain?
Those questions you really
should be able to ask.
And if that's in the training
and you're getting,
you're being able after the training
to answer those questions,
then it's a good training.
But do not have a CISO-light
training, that doesn't work.
No. Okay.
And for all board members?
Should be. Yes.
If you're going to practice,
all board members,
everybody should be aware of
what risks you have. Yeah, practicing
a data breach is really, it's also
really fun to do, by the way, it's
almost like a team-building exercise.
Yeah.
And then you know how incompetent you are,
and then you can really work from there.
You can start working on. Yeah. Yeah.
That's good. Yeah.
Many organizations also ask for guidance.
Yeah.
Tell me what to do.
Tell me what measures,
what products to buy.
Yeah. Guidance. I think guidance is good.
Every regulator should provide guidance.
But you have two more ways
to approach them.
You have the lazy guidance way.
So that's when you provide...
Companies ask for guidance and they say to me,
okay, can you give us some guidance and,
then I give some guidance
and then something goes wrong
and they say, yeah, but that
was not in your guidance.
You skipped that one. Yeah.
But you have to be mature.
So that's not the right way.
So then they get lazy and really ask
for directions from every corner.
That doesn't work.
So what you want to do is give
guidance in a principle-based manner.
So what do I want you to achieve?
On what level? That works.
And then we have to set the bar
which direction or
which maturity levels
we want to see?
But the how to achieve that should be
within the companies. And guidance,
you don't want to work that up
only from our perspective.
So guidance should be developed
also with other organizations.
So in a public-private way.
So use standardization bodies,
use regulatory
colleagues from our perspective,
but also, have branch
organizations involved and work from there
and work up with useful guidance,
because you have to utilize the regulation
within your organization.
So the guidance should not
only be the compliance
goal we give out, but should also
be in sync with the way organizations work.
Yeah. Yeah.
And so what you're pushing
a lot is making sure that you do
have the right sources of information,
the right awareness, do good.
And then as a result, as an intended
by-effect, you become compliant.
That's almost what I hear; it's not like the
starting point is the compliance. No.
And the difficulty,
that's maybe a catch 22
in this situation is, if you start
with a whole new sector or new regulation,
the first thing organizations
call for is guidance.
What should I do? Where should I start?
But our guidance is limited because we
don't have a lot of insight and information,
data about your organization or
the sector- The culture, the systems...
The culture, systems, on all levels.
And our guidance can be more tailored
as we approach the coming years,
when we have a lot of inspections
done, assessments, research.
And you have a better understanding.
And then the guidance will be more
tailored to what you need.
Yeah. Terrific. Yeah. We're out of time.
Oh, already? Yeah. It's going fast.
Yeah. Oh, but thank you very much.
I mean, yeah, we learned a lot.
I mean, I think it's, yeah,
like I said in the introduction,
refreshing to always look at, do good
and then compliance will, and no fines.
Yeah. Compliance will come
and fines will not come.
That's the big plan.
Yeah. Yeah.
Thanks.
I hope so.
I heard that there is going
to be some guidance later, like,
there is some brochure that you’re working on...
Yeah, we’re working on...
That was a big question about
the introduction of the NIS2,
because, yeah, it's harmonized
also across Europe.
And then you have a lot of organizations
active throughout Europe,
also from outside the EU.
And where do I address, where do I do incident reporting,
which regulator do I have to deal with? Yeah.
We have worked up, in
a public-private partnership,
so also with a lot of branch organizations
in the Netherlands, a little bit of a scenario book,
which gives a bit of guidance on this matter.
I think it's already available.
It's not publicly available. Yeah, my understanding is,
it's not publicly available, but you can request it.
Yeah, you can request it.
We’ll put the way to get it
in the show notes so
everybody who’s interested
can actually get this... Yeah.
Have a good starting point
in this ecosystem of-
Yeah. It doesn't give a definitive answer,
so you’re still self responsible
to make sure, but, yeah, it helps, really.
Thank you for lots of insights today.
Yeah.
I really enjoyed our conversation.
Thank you. Yeah.
Once again, thank you very much
for being here, Jasper. Very insightful,
all the stuff that you provided us, and lots of things
that we can actually start doing tomorrow.
Thanks for this talk, Lieuwe.
And to our viewers,
thank you very much for tuning in today.
I hope you like what you saw.
If that's the case, please like us.
It will help us spread the word further.
And if you are right there, right
next to it, there is the subscribe button,
which means that next time, the next
episode of Threat Talks will be in your inbox.
We’d appreciate it.
Thank you once again and see you next time.
Thank you for listening to Threat Talks,
a podcast by ON2IT cybersecurity and AMS-IX.
Did you like what you heard?
Do you want to learn more?
Follow Threat Talks to stay up to date
on the topic of cybersecurity.