Don't hide the risk,
manage it.
Very experienced senior security executive with a strong track record in cyber security operations, policy, technology and risk management. Extensive operational management experience, both in line and support functions. Highly successful in setting up, managing and growing new departments in a complex international organization. Strong experience in supporting private and public organisations in improving their cyber risk management at strategic level. Hands on experience with high tech, research and entrepreneurship.
Recognized thought leader in security, risk and privacy. High level of peer recognition and access to a very extensive network in the cyber security community. Sought after speaker at conferences, sharing best practices in threat intelligence, SOC operations, prevention programs, risk management, privacy. Board trainer.
Independent advisor supporting private enterprises and governments to improve their cyber resilience and cyber risk management. Strategic Advisor in multiple cyber security start up companies. Trusted Advisor and Mentor. Board trainer. Community contributor. Founder of the EU MITRE ATT&CK User Community and the CISO Metrics Working Group. Co-founder of the Cloud Security by Default initiative.
Setting up and managing the European Union Computer Emergency Response Team, protecting 60+ EU-level governmental entities in 28 countries with more than 100.000 users.
Managing a Unit of financial auditors, verifying the compliance of EU research project funding in the area of Information Society.
Various management functions including COO, managing finance, human resources and research programme, internal audit, quality management, intellectual property management and technology transfer.
Various functions in IT management and human resources management.
CIO in private industry.
This training raises cyber awareness at the C-Suite and Board level and provides tools to manage and oversee the cyber risk in an integrated manner. The content is focused on the needs of Senior Executives and is conveyed in a language they understand. The training can be provided on premise and could be integrated with an in-house brainstorming on cyber risk and mitigation.
An overview of the current threat landscape and insights in the expected evolution in coming years, taking into account advancements in technology, business processes and adversaries. What motivates your adversaries and which methods do they use? What do they target and what could be the impact for you?
A primer on cyber risk management and what a CEO really needs to know about it. About protection through understanding the key assets of the organisation and their risk of being compromised. How to integrate the cyber risk into the business risk? About Frameworks and critical preventive controls and managing the risks instead of hiding them.
What to expect from your CISO? Do you want the cyber risks to be made visible to you or taken care of for you? Where to position the CISO in your organisation and what resources to allocate? Which are the KPIs and reporting mechanisms you should expect? How to set up intelligence, prevention, detection and response mechanisms, processes and systems? How to recruit and retain specialised cyber staff in an extremely competitive environment?
Have a crisis response plan before the crisis hits. Who is in the lead, who participates? How to behave during the crisis? Comply with relevant regulations (NIS, GDPR, sectorial aspects). When and how to report? Cooperation with law enforcement: opportunities and pitfalls. What and when to communicate with your staff, your clients, the press ?
Personal IT hygiene and curating your social media footprint. How to be secure while travelling? How to safeguard your devices, your data and your credentials? With practical guidance based on the actual footprint of the participants and recommendations for mitigation.
The EU NIS2 and DORA legislations make Board cyber risk trainings compulsory for many organisations. Cyber risk is one of the top enterprise risks, delegating cyber risk to the technical (CISO, CIO) level is not an option anymore. Boards need to be able to perform informed oversight over cyber risk and resilience. This presentation shares best practices in organization Board trainings to achieve maximum impact.
The Cloud Security by Default draft secure baselines for Microsoft Azure and M365 (in xls files) present minimum secure baselines which should be implemented by any organisation. Additional security measures may be required for critical infrastructue and regulated organisations.
This Manifesto was prepared to mobilise the community to call upon cloud providers to implement baseline security by default in the user enviroment of their SAAS, PAAS and IAAS offerings. The Manifesto was signed by a large group of enterprises, industry associations, national authorities, MSPs and ISACs.
Joint keynote with CISA at the CERT-EU conference in Brussels on 10 October 2024
In our keynote panel at the One Conference 2024 we discussed the recent call of major user organizations to implement cloud baseline security by default, unburdening them of the many duplicative efforts of verifying, implementing, and maintaining recommended security baselines for the benefit of society at large. Cloud providers can play a key role in strengthening the baseline security of the ecosystem by setting robust, well-configured security controls as the default, and permitting customers to make adjustments per their own risk appetites.
This publication is a follow-up of our article “Digital Sovereignty Is Impossible Without Big Tech”, calling upon the large cloud providers Microsoft, Amazon, and Google to “improve cybersecurity worldwide by implementing baseline security by default”. Our earlier paper generated a positive response, but also requests to elaborate on baseline security by default and how it can be achieved.
CTI needs to serve a purpose, whether technical, tactical, or strategic. How do we prioritize our limited resources with a continuously changing threat landscape? How confident are we that our efforts to cyber-protect our organization are sufficient? And how can we explain to our leadership that this is indeed the case? We must step up our game by continuously adapting our defenses in an informed manner, by making sure our mitigating controls are functioning as intended and the residual risk stays within the risk appetite.
Slide deck of the presentation at the Brussels Cybersecurity Summit 18 January 2024
Most European companies and governments use the cloud infrastructure of three U.S. providers—Amazon, Microsoft, and Google. The widespread dependence on these ‘big tech’ companies for our cybersecurity - and therefore our national security - poses a threat to the digital sovereignty of the EU and its member states. Given the pervasiveness and impact of cyber threats, any form of EU digital sovereignty is only possible if we can leverage the scale of big tech as an opportunity. The authors call upon big tech to use their massive infrastructure and their insight on cyber threat actors and their modus operandi to improve cybersecurity worldwide, by implementing baseline security controls as a default, and on EU and US governments to facilitate a self-regulatory discussion towards this goal.
This paper aims to share 10 key insights from organizations that have implemented strategic cyber metrics so that the community can build on these learnings and adopt them in their own environment. The insights are summarized in crisp and thought-provoking summaries to facilitate uptake.
Summary and conclusions of a workshop on strategic cyber metrics and board reporting, hosted by Eurocontrol, 16 September 2022.
The next level of the use of MITRE ATT&CK in an enterprise environment is what this session is about: linking threat informed defense with controls and control frameworks. This session will explore how to make sure relevant risks are mitigated in an effective and efficient manner and how to link this to controls and reporting.
This paper provides a concise overview of the results of the CSR study on digital autonomy and illustrates our strategic assessment framework by applying it in the field of artificial intelligence.
This paper presents an overview of the recommended approach for Boards when dealing with cyber risk, and of good starting points for Board cyber metrics. It is a complementary paper to one addressed to Chief Information Security Officers (CISOs) on how to best control, measure, and report cyber risk to their Boards and should be read in conjunction with that paper.
This paper presents actionable guidance for CISOs to report cyber risk and its context to their senior stakeholders, such as their Board. It describes methods that help CISOs engage in cyber risk management, communicate this effectively, and facilitate proper oversight. It is the outcome of a group of seasoned practitioners sharing their best practices in a CISO Metrics Working Group.
The Cyber Metrics Model shows building blocks and processes to collect cyber metrics, transform them into cyber risk and report them at Board level.
Government and business community must make conscious choices when it comes to dependence on ICT products and services. This assessment framework, co-authored with Paul Timmers, supports taking appropriate measures to safeguard digital autonomy.
Digital autonomy is a topic of discussion at both national and European level. The Dutch Cyber Security Council (CSR) commissioned an in-depth study of national digital autonomy. The report, co-authored with Paul Timmers, provides insights into the complex issue, illustrating it with examples and a novel assessment framework.
Short story of adapting a planned cybersecurity conference to a new reality of a travel-less, contact-less, remote working environment. We hope that some of these practical insights and experiences can be helpful for other organizations which are facing the same questions: cancel, delay or persist.
MITRE ATT&CK has become very popular. This presentation helps to put the framework into practice, using realistic examples, demonstrating available community tools and showing how to use analytics to identify adversarial techniques in your network.
CISOs spend almost half of their time on compliance activities, addressing similar concerns but tailoring responses to slightly different requests. This presentation provides guidance to avoid duplication of efforts and to become more effective in managing cyber-risks, using mappings and implementing metrics.
Summary and conclusions of a workshop on frameworks, mappings and metrics, hosted by Eurocontrol, 23 January 2020.
The MITRE ATT&CK framework has gained a lot of traction in the security community. This presentation provides an introduction to the framework at its use.
This guide explains how to comply with the GDPR while performing log management and analysis for the purpose of cybersecurity.
This paper, co-authored with Lokke Moerel, summarizes the cyber risks in ports and provides concrete and pragmatic proposals to increase substantially the cyber maturity and resilience.
Presentation on intelligence-led defence in which i pitched the idea that ISPs and Cloud providers should deliver built-in security to all their clients, by implementing baseline controls by default in the user infrastructure.
This presentation at Splunk .Conf 2017 explains the impact of GDPR on cybersecurity log file collection and goes through a breach investigation and response scenario.
