I am the Information Security Officer for Orange Cyberdefense in the Netherlands, and I am mainly responsible for the security and compliance matters within the country including; managing all our certifications and making sure we comply with customer security and privacy requirements. I’m also responsible for all internal security queries and carry out the Data Protection Officer role. This means I’m responsible for all privacy related matters around GDPR within the Netherlands as well.
My focus is to keep OCD NL safe. So, one of the main things I do is handle security incidents when they are reported. We have to respond to them and in some cases, they can be considered a low risk or a false positive. But at other times, we need to thoroughly determine impact and understand the root cause in order to improve where necessary. To be able to handle such incidents, you have to involve all responsible departments and get all your facts straight, ensuring that you’re not only managing the security element, but also considering privacy, looking at what data is involved and what consequences it has for our customers or internal systems.
That’s one of the main issues that I face as a security officer! We don’t really have a specific course, or specific studies to do this job. People expect us to know what the latest threats and vulnerabilities are, so it means that we have to keep updating our knowledge on what’s happening in the cybersecurity and technology world which includes educating ourselves and staying on top of the latest news. As I and other security officers are often limited in time, this can be considered a challenge.
I also have to consider our global security team, and when I look at security I’m not operating in a silo: we have a team of security officers that operate in many countries, where we need to consider local laws, requirements and threats. We share our knowledge and assist each other in large projects or incidents where necessary.
I’m passionate about difficult cybersecurity issues and assessing risks. It keeps me motivated to know that I can assist my colleagues in their business needs and add a level of assurance when they face security and privacy issues. Besides my security officer job, I’m also doing ongoing research into the concept of cyberwarfare together with my colleague Jort Kollerie, as this also adds more in-depth knowledge into the threats we face. The element of being able to present our findings at events and discuss the topic of cybersecurity with many people is also a driving factor in my daily job.
In our security community, we’re sharing and analyzing the differences between what the actual threats are and what risks can be dismissed after investigation. We must make sure we don’t fall into the trap where we see everything as a threat and keep a clear mind. Thankfully, we have many experts within OCD that we can count on to help us navigate this landscape.
I’ve faced many challenges, but to be honest, I do see a change. We see more women coming into cybersecurity roles. However, sometimes it still is a challenge. When I was a consultant before, I always had to prove myself at the table before being taken seriously. People would say ‘what are you going to tell me that I don't know? Do you even know what you’re talking about?’ I’ve had to deal with this on many occasions. Here, at Orange Cyberdefense, we have a lot of women within so many different roles. Before joining OCD, I had not yet encountered an environment with this much diversity and women in cybersecurity roles. It is inspiring to work in a company where people can be themselves and get many opportunities to learn. It’s a breath of fresh air.
You can see there’s a shift in what it entails to be a CISO. Many have a very technical background such as in engineering. Now, more often, you also see Security Officers coming from other backgrounds, like me. I have a background in Crisis and Security Management with a specific focus on terrorism. This had nothing to do with cybersecurity, but being risk-minded and being able to assess threats now helps me in being a Security Officer. The most important skill is communication, being able to relate and speak to different people on many levels within the business. I would also say being open-minded is important in cybersecurity, especially in a CISO role. It helps you to assess situations without any prejudice.
Not enough resources and being very restricted on time. You’re always trying to stay on top of things and that’s hard work, especially when dealing with incidents, as we cannot predict when these will happen. Time and resources are key, I guess most CISO's will agree with me on that!