Compliance matters, but risk sets the direction
For Beynaerts, compliance and risk-based security are not opposites. “They are actually complementary,” he asserts. Frameworks, controls and regulations such as NIS2 provide a useful baseline, helping organisations recognise where they stand. But compliance alone is only a snapshot in time. A risk-based approach focuses on a different perspective: what happens to the business if something fails? If a store server goes down, can the store continue serving customers?
That thinking shapes Colruyt’s investment model. The company works with a top-down risk model that translates security initiatives into measurable risk reduction. Beynaerts gives a simple example: As long as there is a gap between where we are and where we want to be, every initiative must help close the gap. Network segmentation, for instance, can be linked to a percentage of risk reduction and an equivalent business value. This makes cybersecurity easier to discuss with the CEO. “If I ask for substantial investments,” Beynaerts explains, “I need to be able to show our progress.”
Simplify before you secure
Complexity is one of the biggest enemies of control. Like many large organisations, Colruyt has accumulated between 70 and 90 security tools. But more tools do not automatically mean more security. “We’re not using them as effectively as we could today,” Beynaerts admits.
With this in mind, Colruyt made several specific technology choices: embrace cloud where it makes sense, opt for platforms instead of multiple best-of-breed solutions, and reduce the number of tools to what can be managed. Speed matters when security needs to improve continuously rather than through slow, one-off projects.
Security is everyone’s responsibility
Beynaerts is clear about ownership: “Only 20% of the security work is done by the security team.” The other 80% happens in IT, development, operations and the business: a reality that requires a cultural shift. Developers need to deliver secure code, not just functionality. Infrastructure teams have to think beyond uptime. Security cannot be added afterwards through a pentest.
To drive this shift, Colruyt has invested in communication and change management, adapting the message for leadership, IT teams, developers and store co-workers across many languages and cultures. “If you cannot find a way to explain it to everyone,” Beynaerts says, “then your story is probably not good enough.”
Identity became the frontline
Identity and access management is one of Colruyt’s biggest long-term priorities. As incidents increasingly start with accounts, often external or partner-related, Beynaerts calls identity “the new perimeter.” Colruyt recently strengthened 55,000 accounts with stronger passwords, MFA and extra controls: a process that took two years. Beynaerts stresses that technologies including biometrics, badge-based logins and simplified kiosk access make security easier for employees, which improves buy-in. It’s an important consideration, because security that creates too much friction will eventually be bypassed.
The CISO role: pressure and perspective
The role of CISO, especially in such a complex environment, is not always comfortable. There are late-Friday calls, constant tension between innovation and protection, and moments when everyone looks to security for answers. But Beynaerts also sees the beauty of the job. Few roles connect so many parts of the organisation: stores, IT, operations, legal, data, risk, leadership and innovation teams.
His closing message to fellow CISOs is direct: make sure you have real executive backing. Without senior management support, he warns, the role quickly becomes frustrating and ineffective. “If you don’t have a mandate, find another job,” he says bluntly. At the same time, he also encourages CISOs to collaborate more openly: “Sharing is caring”. After all, with the scale and speed of today’s threats, no organisation can solve cybersecurity alone.
