The security landscape is changing rapidly. Whereas IT security used to be a topic exclusive to technicians, it has now reached virtually every boardroom on the globe. What should IT decision-makers actually discuss when it comes to security? And what is the state of security in organizations? We discuss this in an extensive roundtable discussion with experts from Barracuda Networks, Fox-IT, Tesorion, Trend Micro, Visma, and Wiz.
Protecting your organization is a hellish task. We often hear that organizations should at least implement the most basic security measures. Erik de Jong, Chief Research Officer at Tesorion, is clear about this: “Getting the basics right is already extremely complex.” Think of setting up multi-factor authentication (MFA), pentests, security awareness training, patching vulnerabilities… the list goes on. Outsourcing your IT infrastructure, or cloud transition for short, is therefore an obvious choice for many organizations. Cindy Wubben, Chief Information Security Officer Public Segment at Visma, believes that moving to the cloud “is still the right path for most companies.” She mentions the option for Visma’s customers to run their IT solutions in a Visma data center within Europe, rather than in the public cloud. As is always the case, the security architecture differs from that of the public cloud. That is why many companies can still turn to AWS, Azure, Google Cloud, or other cloud providers without any problems.

No one-size-fits-all
Wubben acknowledges that there is widespread introspection about the use of these clouds. Raynaud Schokkenbroek, Manager Solution Architects Western Europe at Barracuda Networks, also sees that the geopolitical relationship between Europe and the United States has changed. To give one national example, members of the Dutch House of Representatives regularly talk about the need to find an alternative to the US hyperscalers, Schokkenbroek emphasizes. He recognizes an administrative risk in taking too complacent an attitude in this area. What if your organization could, in principle, make a ‘cloud exit’, but after years you have a Total Cost of Ownership (TCO) that is unsustainable? These costs arise mainly from the fact that you have to protect your own environment, as opposed to when you can (largely) outsource this via the cloud. “You arrange security with one motive: your business continuity. If your implementation is too expensive, that too threatens your continuity.” This shows that there is no one-size-fits-all answer.

Christo Butcher, Executive Consultant at Fox-IT, senses a certain pessimism on our continent that has led to American digital dependence. “Europe has dug itself a hole in accepting that Big Tech is here to stay.” In other words, this trend is much broader than just the adoption of the public cloud from the US. Those who shift to solutions from Europe put themselves in a “completely different risk situation,” according to Butcher. Suddenly, one is responsible for many more architectural decisions as cyber threats and defenses are less mature or integrated than is the case with American big tech, which has many years of experience.
The cloud: a different story
Wiz was created in the cloud, with the aim of better protecting organizations in that IT environment. Steven de Boer, Senior Solutions Engineer at the company, sees that the discussion about cloud adoption has changed significantly. “Due to geopolitical tensions and growing awareness of data location, some organizations are considering distancing themselves from the major international cloud providers,” he says. “Nevertheless, we see that many companies are now looking for a balance. They recognize the benefits of scalability and innovation, but remain critical of where their data is located and who has access to it. This is increasingly leading to a hybrid approach, whereby organizations apply cloud technology in both public and private environments. This allows them to retain the flexibility of the cloud without losing control.”

“The transition from an on-premises environment to the cloud requires a fundamentally different approach to security,” points out Pieter Molen, Country Director Netherlands at Trend Micro. It is not enough to simply migrate existing systems (“lift and shift”) without thoroughly analyzing the cloud-specific risks and opportunities.
“At Trend Micro, we see that organizations often underestimate how dynamic and complex the cloud environment is. The cloud offers powerful tools for automation and monitoring, which organizations can use to improve their security compared to traditional environments. But this requires a good understanding of shared responsibility, continuous risk assessment, and the active use of cloud-native security solutions. This is only achieved by making security an integral part of the migration process and continuously investing in knowledge and tooling,” says Molen. “Only then can an organization fully reap the benefits of the cloud without compromising security.”
Risk scores
Who knows how secure their own organization is? Cindy Wubben of Visma is the only CISO at the table and assesses vendors’ solutions on a daily basis. In actual implementation, she says, these solutions often overlap and therefore reinforce each other. Visma companies therefore have some freedom of choice in their IT infrastructure, in keeping with the fact that they differ from one another. Visma does use its so-called Risk Score, says Wubben, which is based on five themes. Security is one of them; the others cover risk factors such as legal issues and sustainability objectives. The lower the score in each area, the better. As a CISO, Wubben can then translate this to the management level as a single Risk Score. This example shows that security can indeed be quantified, and according to your own standards.

This is not something that an SME can do easily, and with a larger company, you are quickly confined to your own departments. And even then, to make matters even more precarious, you should not count your chickens before they hatch. “Even within your own silo, it is sometimes difficult to explain where you are spending your money,” says De Jong of Tesorion. The requests for quotes from organizations constantly reveal how little those parties know about what they actually need to purchase, he continues. “If the impact of a particular service failing is minimal, then you shouldn’t want to cover all the risks.” Obviously, that’s not an easy conversation to have if you lose a customer because of this warning.
Costs versus benefits

Raynaud Schokkenbroek of Barracuda Networks agrees that the expected costs versus the benefits are difficult to estimate. After all, what is the value of avoiding a cyberattack or minimizing the impact of a compromise? “Another problem is that there are no universal solutions from vendors. They are also too technical to be understandable for business operations.” For example, a non-technical board member does not know whether an expensive security service will save their organization or drive it into unmanageable costs.
Steven de Boer of Wiz emphasizes the importance of clear communication between organizations and their suppliers, so that suppliers fully understand the business context in which security strategies are determined. In addition, he and his colleagues regularly see friction between security teams and application teams, for example when a vulnerability is discovered in a system that is not connected to the internet.
“The question then is: how critical is such a vulnerability really?” says De Boer. “What you often see is that security teams take all responsibility for IT security upon themselves, while application teams focus primarily on functionality. But they too must develop their solutions secure by design, with an eye for both the risks and the business objectives.”

The perception of cybersecurity is often stubborn: it is sometimes seen as a simple checklist of measures. In reality, effective cybersecurity requires a coherent approach that focuses on technology, processes, and people, says Pieter Molen of Trend Micro. Essential to this is continuous insight into current risks, so that priorities can be set in a well-founded manner. The shift from a reactive to a proactive attitude is crucial to structurally increase the level of security, according to Molen.
This can be achieved by using solutions that not only identify incidents and risks, but also provide insight into possible attack scenarios. Suppliers also bear responsibility in this regard: when requesting a quote, it is important that they identify the question behind the question and do not just fill in the questions literally. Only then can they offer a solution that actually contributes to strengthening the whole, Molen concludes.
Conclusion: think beyond just the rules
Legislation forces organizations to take security seriously. “Just doing what you have to do at the security level will get you a long way,” says Christo Butcher of Fox-IT. “But you want companies to go beyond compliance; they also need to be truly secure.” This cannot be captured by translating NIS2 into the Cybersecurity Act or any other law. “That’s why managers need to think beyond generic rules and demand insight into how vulnerable their organizations are to the real dangers.” Ultimately, it’s all about those real dangers, such as ransomware, data leaks, downtime, and legal risks.
We will discuss these dangers with the experts at the table in a later discussion in 2025. For now, we have identified the security risks that exist in practice. It is striking how broad this can be nowadays, well beyond vulnerabilities and their exploitation. Cloud adoption, the interaction between organization and vendor, and the interaction between security and application teams together build up a risk profile. Organizations can choose to use a score to make security a topic of discussion in the boardroom, but how you build that score is a technical issue. For this, you need the expertise of your own employees and your partners.