
Responsible cyber security: all for one, one for all

A Deloitte perspective by Kevin Jonkers

What are the challenges of sharing “threat intelligence”? What could be the role of our government? And what requirements should a new national strategy meet? In this blog, Deloitte expert and director Kevin Jonkers shares his take on the current and future cyber security landscape, based on our 2021 report “Cyber security in the Netherlands: a responsibility we share”.

Cyber security: a joint responsibility

Cyber security is a joint responsibility between private organisations and government. Just as in the physical world, we are all expected to take some necessary precautions to secure our IT infrastructure. At the same time, we expect our government to play a role in preventing, investigating, prosecuting and punishing criminal activities. Balancing and aligning responsibilities, and ensuring the best possible cooperation between various stakeholders, is all still very much in development. We are progressing step by step, but we quickly need to learn to walk and then run.

The challenges of sharing threat intelligence

A key topic for discussion is sharing so-called “threat intelligence”, such as information about threat actors, their modus operandi, their motivation, (potential) targets, infrastructure and the malware they use. Government institutions, private organisations and cyber security specialists are sitting on an enormous pile of such intelligence, but we are not yet sharing that information at the scale we need for it to be really effective. Currently, the Dutch government is running a nationwide system for sharing information on cyber threats (also known as Landelijk Dekkend Stelsel). The reach of this network is, however, still rather limited. On the one hand, this is a matter of organisational and legal obstacles that our government is ironing out. On the other hand, private organisations have a bigger role to play in solving this problem, too. Many organisations are still reluctant to share information about cyber threats and incidents with peers and partners, as it might be commercially sensitive or even damage their reputation if it were disclosed. However, going it alone in cyber security carries risks as well, and often bigger ones, as you might be unaware of lurking threats or impending danger. Ideally, intelligence sharing networks will offer organisations a safe environment where openness on cyber security related matters does not backfire.

The role of our government in securing cyber space

Based on discussions with our clients in the private sector, it seems that the more cyber-mature organisations (often large corporates and financials) have understood that cooperation in their sectors and supply chains, and with governments (e.g. intelligence agencies, National Cyber Security Centres and Police), is crucial to stay on top of the threats they are facing. However, that’s only the tip of the iceberg. Dutch SMEs usually don’t have the time or budget to achieve the same level of maturity on their own. Since even large corporates rely heavily on smaller organisations in their supply chains, this poses a problem for our society as a whole. Some of the bigger organisations are already trying to support their smaller suppliers or even competitors, but we need our government to step up as well. It can help enforce security requirements for hardware and software and a default level of security that must be built into IT services. After all, would you buy a car without all the required safety features such as seat belts and air bags? So why do we accept insecure IT in the market?

In need of a new national strategy

Overall, we are in need of a more strategic and structured approach to tackle this problem at a national level. In fact, this is already happening in various places, but we can and need to do more. Both within our country and abroad there are a number of inspiring best practices when it comes to cyber security cooperation. The rapidly changing cyber threat landscape requires a future-proof approach that tackles some of the currently existing core issues. Such an approach should cover at least the following elements:

  1. A joint approach, consisting of public and private partners in a flourishing ecosystem, where we leverage the best of both worlds and define clearly what our roles and responsibilities are.
  2. Improved sharing of threat intelligence (between public as well as private partners) by means of an ecosystem and platform that also reaches organisations that are, as yet, largely left “in the dark”.
  3. A smart approach to talent, not based on the needs of a particular organisation, but on a national level. This requires cooperation with public and private parties in the field of education, traineeships, and acquisition. For instance, Israel offers cyber security classes at all educational levels, from secondary school to universities, creating cyber security awareness in all types of jobs and organisations. Also, we need to make sure that talent is supported not merely in expanding their expertise, but also when it comes to building strong intelligence-sharing networks.

About the Dutch cyber security survey report

Recently, Deloitte Netherlands launched “Cyber security in the Netherlands: a responsibility we share”, a report based on a survey of 544 respondents: CxO executives (including CEOs, CISOs, CSOs, CTOs and CIOs; 70%) and IT professionals (30%). The report dives into several questions, such as: where are Dutch organisations currently when it comes to cyber security? What do CISOs worry about? How do they envision the future? How do they feel about making the Dutch digital ecosystem more secure? Part of the survey is dedicated to the perspectives of Deloitte’s experts, including the writer of this blog: Kevin Jonkers.

About Kevin Jonkers

Kevin Jonkers is a director at Deloitte Cyber Risk Services. He has worked in cyber security for almost 15 years. Besides his role as public sector lead in the Deloitte Cyber team, he is also a board member at industry association Cyberveilig Nederland. Kevin also actively contributes to public-private partnerships like Hack_Right and the Cyber Security Alliance.
