As part of my goal of becoming a Chief Information Security Officer in the future, I have been conducting interviews with CISOs to gain insight and advice based on their experiences in this position.
In this edition of #AskACISO, I interviewed Youri Lammerts van Bueren, the CISO of the BUCH, which manages the Bergen - Uitgeest - Castricum - Heiloo municipalities in the Netherlands.
Lammerts van Bueren: I am 30 years old and since 2008 I have been working for various municipalities. Currently, I am the CISO for four municipalities. Until 2014, I specialized in information management and since 2014 I specialized in Information Security. I do not have a work-related ICT-background. In my role for information management I advised the organization in business process management and IT. For my current role, I performed a study at the university, which helped me in my current job as CISO.
To become a good CISO, you have to understand the goals and needs of the organization. As a CISO I perform risk analyses and therefore it's necessary to speak the language of the business instead of a technical language. For my specialization in information security I followed different kinds of studies. As of now, I am a CISM, CISA and CISSP. It is very important to keep up with the latest (IT-)developments and in my opinion a good CISO will perform continuing education.
Like everyone else in my organization, my main responsibility is to achieve our political and business goals. In my role it's important that we guarantee the quality and continuity of business processes and the reliability of data. This is the basis for the quality in what we deliver and serve as a municipality. In order to achieve our goals, we need to take risks. My role is to give advice in risk management, make security policies, monitor compliance, and create a culture in which employees are aware of risks and understand how to deal with them (and incidents).
Human action. In order to achieve political and business goals, you have to deal with risks. When achieving these goals, people naturally seek the simplest way. The simplest way, though, can mean that we take unnecessary risks if employees do not understand all of the ramifications of their actions. Naturally they choose solutions which are user-friendly (quick and dirty). There is a certain tension between usability and security. That's why it is important to continue to train employees in security. For me, as CISO, it is important to give advice which is workable, user-friendly, and secure.
I do not know the details of this breach. In my opinion the CISO cannot be held responsible for a data breach, but it is rather the responsibility of the board (and CEO). My opinion is that the CISO has to ensure that the board and CEO take this responsibility. The question is: where did it go wrong? You can be a good CISO, but when the board is risk-driven or does not take responsibility, you cannot blame the CISO. If the CISO failed in their responsibilities, though, then resigning is a logical consequence.
In a municipality it is very important to have a sense of the politics. Budget is needed to be able to take measures and to work on permanent awareness.
Through security by design. When a project starts, our security requirements need to also be involved. When a project is finished and security was not considered, it will cost much more time and money to correct the situation. Therefore, when software is purchased, it is important to have a clear understanding of what security requirements need to be met. This is especially helpful when comparing software during the selection process. If software is purchased where security is not properly considered, it is difficult to correct this in the future. So if you want to move quickly, make sure security is involved from the beginning.
Via periodic newsletters and scheduled meetings. It is necessary that there is a direct and short line between the CISO and the board. In my situation this is the case. This ensures involved board members, who are aware of and committed to security. This is a precondition for them to be able to take responsibility for security and the associated risks.
In different ways:
I am usually asked for advice on risks. Most of the time they invite me to join a project or to review certain documents. This ensures security by design, which is a key point in security.
Like I said before, the main priority is achieving our political and business goals. Municipalities are data driven and thus we depend on reliable data so we can deliver the right products and services to our citizens. My main priority is continuity of our business processes and reliable data. This is important because the increased quality of a lot of products and services makes it possible for people to participate in society.
We will start with this in 2018. We do not have the knowledge to do this ourselves and a specialized company will support us in this project. It is necessary to have a clear picture of what you want and what you need. It is important to implement a process in which the SOC can operate effectively with our IT-department. This means IT needs to be well involved in this project.