As part of my goal of becoming a Chief Information Security Office in the future, I have been conducting interviews with CISOs to gain insight and advice based on their experiences in this position.

In this edition of #AskACISO,  I interviewed Youri Lammerts van Bueren , the CISO of the BUCH, which manages the Bergen - Uitgeest - Castricum - Heiloo municipalities in the Netherlands.

Kha: Could you tell us a bit about yourself?

Lammerts van Bueren: I am 30 years old and since 2008 I have been working for various municipalities. Currently, I am the CISO for four municipalities. Until 2014, I  specialized in information management and since 2014 I specialized in Information Security. I do not have a work-related ICT-background. In my role for information management I advised the organization in business process management and IT. For my current role, I performed a study at the university, which helped me in my current job as CISO.

To become a good CISO, you have to understand the goals and needs of the organization.  As a CISO I perform risk analyses and therefore it's necessary to speak the language of the business instead of a technical language. For my specialization in information security I followed different kind of studies. As of now, I am a CISM, CISA and CISSP. It is very important to keep up with the latest (IT-)developments and in my opinion a good CISO will perform continuing education.

What do you consider the main tasks and responsibilities in your role?

Like every one else in my organization, my main responsibility is to achieve our political and business goals. In my role it’s important that we guarantee the quality and continuity of business processes and the reliability of data. This is the basis for the quality in what we deliver and serve as a municipality. In order to achieve our goals, we need to take risks. My role is to give advice in risk management, making security policies, monitor compliance, and to create a culture in which employees are aware of risks and understand how to deal with them (and incidents).

What are the common ''security related'' mistakes that could lead to a data breach?

Human action. In order to achieve political and business goals, you have to deal with risks. When achieving these goals, people naturally seek the simplest way. The simplest way, though, can mean that we take unnecessary risks if employees do not understand all of the ramifications of their actions. Naturally they choose solutions which are user-friendly (quick and dirty). Their is a certain tension between usability and security. That's why it is important to continue to train employees in security. For me, as CISO, it is important to give advice which is workable, user-friendly, and secure.

We have all read about it. Equifax got breached and 143 million users were compromised. The former CISO retired from her job. What would you do if you were in his/her position?

I do not know the details of this breach. In my opinion the CISO cannot be held responsible for a data breach, but it is rather the responsibility of the board (and CEO). My opinion is that the CISO has to ensure that the board and CEO take this responsibility. The question is: where did it go wrong? You can be a good CISO, but when the board is risk-driven or does not take responsibility, you can not blame the CISO. If the CISO failed in their responsibilities, though, then resigning is a logical consequence.

What are the biggest challenges that come with working as a CISO in the public sector? Is lack of budget an issue?

In a municipality it is very important to have a sense of the politics. Budget is needed to be able to take measures and working on permanent awareness.

How can you balance innovation and security when you have to move quickly?

Through security by design. When a project starts, our security requirements need to also be involved. When a project is finished and security was not considered, it will cost much more time and money to correct the situation. Therefore, when software is purchased, it is important to have a clear understanding of what security requirements need to be met. This is especially helpful when comparing software during the selection process. If software is purchased where security is not properly considered, it is difficult to correct this in the future.  So if you want to move quickly, make sure security is involved from the beginning.  

How do you keep your IT management up-to-date with the latest security issues and methods?

Via periodic newsletters and scheduled meetings. It is necessary that there is a direct and short line between the CISO and the board. In my situation this is the case. This ensures involved board-members, who are aware of and committed to security. This is conditional for them in order to be able to take responsibility in security and associated risks.

I'm sure that not everyone in your company has knowledge of IT Security. How do you educate those people and make them aware of the potential (security) threats?

In different ways:

  • With e-learning we increase the level of knowledge
  • We explain risks using demonstrations
  • People are also educated through controlled phishing mails, mystery guests, etc
  • I am involved in work meetings
  • I organize tailor-made sessions

What questions do you get asked and how often? Are you confident in responding to them?

I am usually asked for advice in risks. Most of the time they invite me to join a project or to review certain documents. This ensures security by design, which is a key point in security.

What are your business priorities and how do they relate them to your cyber security efforts?

Like I sad before, the main priority is achieving our political and business goals. Municipalities are data driven and thus we depend on reliable data so we can deliver the right products and services to our citizens. My main priority is continuity of our business processes and reliable data. This is important because the increased quality of a lot of products and services makes it possible for people to participate in society.

Have you implemented a SOC (Security Operation Center) or do you have plans to implement one? If yes, what is your strategic and technical approach to implementing one as efficiently as possible?

We will start with this in 2018. We do not have the knowledge to do this ourselves and a specialized company will support us in this project. It is necessary to have a clear picture of what you want and what you need. It is important to implement a process in which the SOC can operate effectively with our IT-department. This means IT needs to be well involved in this project.


Related Articles:

Get 96% off The Cisco Networking & Cloud Computing Certification Bundle Deal

Over 80 Cisco Products Affected by FragmentSmack DoS Bug

Get 92% off The Complete Cisco Network Certification Training Bundle

Cisco Releases 16 Security Alerts Rated Critical and High

Get 98% off the Ultimate Cisco Certification Bundle: Lifetime Access Deal