The debate, moderated by Henk Dujardin, CEO of the Cyber Security Coalition, featured prominent panellists Dolores Seoane (Director Innovation & Information Technology at the European Economic & Social Committee / European Committee of the Regions), Rik Bobbaers (Tech CISO at ING Global), and Jan Paredis (CISO at VUB – Vrije Universiteit Brussel). Through a series of live polls addressing critical questions, the audience’s perspectives fuelled a lively panel discussion, providing a snapshot of the current state of cyber security concerns.
The evolving threat landscape and emerging technologies
The luncheon kicked off with a crucial question regarding the impact of emerging technologies on the digital threat landscape. The panellists and audience grappled with identifying which emerging technology would have the most significant impact on the digital threat landscape for organisations in the next five years.
The audience poll not surprisingly revealed a strong lean towards Generative Artificial Intelligence (GenAI), with 52% of the audience identifying it as the most impactful technology. Quantum Computing followed with 33%, while Low/No-code software development garnered 9%.
Jan Paredis kicked off the debate: “For me, quantum computing will be the most important disruptive force in the cyber security landscape. It is not only about quantum-safe encryption; quantum computing will empower hackers to optimize and broaden their attacks”.
Rik Bobbaers countered, stating, “I do not believe quantum computing is there yet in the next five years. A lot of claims about it have been debunked, and little has actually been achieved. So, for now, at this time, GenAI is the key technology to reckon with”. The moderator interjected, citing an article that warned about the urgency of preparing for quantum computing. Bobbaers acknowledged the eventual arrival of quantum computing, emphasising that for him the most important thing to solve is encryption.
Dolores Seoane underscored the dual-use nature of GenAI, stating, “For me, GenAI and its dual use will be a challenge: it can be used for both good and bad, because it is now easily accessible to everyone”. Bobbaers offered a more optimistic outlook on GenAI, suggesting, “If as an organisation you can use GenAI to secure and debug, then you will win. First, the criminals will gain the upper hand, but later we will reap the benefits for the power of AI for the good”. Paredis, however, expressed concern that “cyber criminals will apply GenAI and Quantum computing quicker than the defenders because they are not bound to regulations. They can try and fail and try again. We are lagging behind with our defences”.
The moderator noted the recurring theme of regulations. Seoane emphasised that regulations are essential to provide structure and protection, and they must continue evolving to effectively safeguard European companies and citizens. Bobbaers concluded this point by stating that “proper security is still more important than regulations”.
Adapting to change: organisational challenges
The discussion then shifted to the internal struggles organisations face in adapting to emerging technologies. The panellists and audience addressed the question: what is the biggest challenge an organisation faces today in adapting to emerging technologies?
Via the poll, the audience identified the “Rapid pace of technological changes” as the biggest challenge (31%), followed by “Lack of skilled personnel” (21%). “Complex integration with existing systems” and “Lack of executive management buy-in” both registered 15%, while “Regulatory and compliance issues” came in at 12%.
Rik Bobbaers shared a personal perspective on the lack of skilled personnel: “My opinion may not be a popular one. I see two types of security people: those who truly know what they are talking about, and those who do not possess the proper skills, yet both are called security professionals”.
Dolores Seoane highlighted the asynchronous nature of governance cycles with technological change, noting, “Cycles of governance often lag behind technology change. It is difficult to adapt, but we are improving. The good news is that we have good people to address this. Cyber security is also at the top of the EU agenda”.
Jan Paredis acknowledged the difficulty, but stressed that for him, “it is very much about lack of staff, more than a lack of skills. New technologies such as AI appear so quickly, and researchers are eager to jump on them, but we simply do not have the personnel and the time to track the changes”. Bobbaers concurred, “All these new things pop up, and it is only when you see what is going on that it is sometimes too late, and you get hacked”.
Strategic investments in cyber security expertise
The conversation moved to the critical area of targeted investments in cyber security expertise, emphasising the need for organisations to possess the necessary knowledge and resources to protect products and services in line with international standards. The first specific question posed was which area of cyber security expertise requires the most investments to ensure an organisation can protect its products and services in line with international standards.
In the audience poll “Security Architecture” emerged as the clear frontrunner for investment, with 49% of the audience’s votes. “Incident & Crisis Management Response” received 23%, followed by “Cyber Security Training and Awareness” at 14%. “Security Automation” earned 9%, and “Cyber Threat Intelligence (CTI)” received 6%. “Compliance and Regulatory Automation” received 0%.
In the following panel debate, Dolores Seoane emphasised that for her, “Architecture is important because it is foundational in order to be scalable and compliant. Security training is key as well”. Rik Bobbaers, however, prioritised incident and crisis response, remarking, “In the last 25 years, I do not think we have really fixed a lot, and a lot is still to be done in terms of incident & crisis response. Although I do agree with architecture as well”.
Jan Paredis concurred on the importance of architecture and incident response but advocated for security automation, asserting, “While architecture and incident response are essential, I would invest in security automation, as it is the way to cover both the lack of staff and the pace of incidents at the same time”.
Following this, the debate shifted to how organisations measure the effectiveness of their cyber security investments, starting again with an audience poll. “External Penetration Testing Results” topped the list with 27% of the votes. “Incident Reduction Results” came in at 21%, while “Incident Response Times” (Mean time to detect (MTTD), mean time to resolve (MTTR), and mean time to contain (MTTC)) received 18%. “Compliance & Regulatory Audit Results” secured 15%, and both “Return on Investment (ROI) Results” and “Employee Training and Awareness Results” received 6%.
Dolores Seoane agreed with the audience’s top choice of external pen testing. Jan Paredis presented a more nuanced view, explaining, “You cannot pick only one of the proposed measures; you’ll have to consider them all. It really depends on the maturity and characteristics of the organisation. For me, it starts with a combination of self-assessment with external checks. If you have the right level of maturity, you can move to a dashboard, and there my view is: less is better. Five to ten KPIs maximum, things the board understands”.
The moderator noted the low ranking of employee training and awareness. Paredis clarified, “Training and awareness is a way to get results but not a result in itself. How many people you trained says basically nothing. You must look at the outcome, for example, phishing: how many people actually entered their credentials when being phished”.
Strengthening supply chain cyber resilience
The discussion then turned to the critical importance of comprehensive supply chain protection, acknowledging that vulnerabilities in a single link can endanger entire networks. The question was posed: What is considered today the most significant vulnerability in an organisation’s supply chain that could impact its cyber resilience?
“Successful major cyber attack on a critical third party” was identified as the most significant vulnerability with 36% of the votes. “Excessive third-party access into our organisational systems” followed closely with 33%. “Lack of visibility into third-party activities” received 21%, while “Third-party digital vulnerabilities” garnered 6%.
Dolores Seoane chose “lack of visibility,” explaining that, “you cannot prepare for what you do not know. We need to have a strong partnership with vendors. We need to apply a certain hygiene in how you group vendors and take tailored action”. The moderator then asked about collaboration experiences. Jan Paredis commented, “When you visit the suppliers, they will all say they are compliant, so you have to be critical about it. The combination of vendor access with a successful cyber-attack can have severe consequences.” “I have seen hacks occur via the air conditioning system,” Paredis concluded.
The panellists then delved into the most effective strategies for mitigating identified major supply chain vulnerabilities based on another audience poll.
“Have all suppliers audited on a regular basis” was the top strategy with 32% of the votes. “Classify every supplier based on risk levels and importance,” “Use supply chain vulnerability detection software tools,” and “Foster open communication and collaboration with suppliers” all received 19%. “Execute real-time third-party security analytics” garnered 10%.
Rik Bobbaers agreed with the audience’s outcome but highlighted the role of the size of the supplier, stating, “It is easier to discuss with smaller vendors. The big vendors are not always keen on being audited, so I believe an open conversation is key”. Dolores Seoane: “Classifying on risk is my choice as you need a targeted approach. Regular open communication is of course important as well”. Jan Paredis concluded the topic: “Two answers for me. First is you have a risk per supplier and that risk level defines how many audits you do. But you must be a huge organisation to spend resources on supplier audits. When you are smaller, open communication is the way to go. As a vendor, you need to be able to demonstrate how you approach security to establish a good relationship and that requires open communication”.
Addressing the cyber talent gap
The final topic of discussion tackled the global challenge of recruiting and retaining cyber talent, particularly CISOs, aiming to bring this issue to the forefront for Belgian organisations. The initial sub-question explored the biggest challenge today in recruiting and retaining cyber talent within an organisation.
“Competitive salary and benefits” was identified as the biggest challenge, receiving 30% of the votes. “Job satisfaction” garnered 21%, followed by “Availability of skilled candidates” at 18%. “Appreciation and recognition of work performed” received 15%, and “Work-life balance” received 12%. “Opportunities for professional development and career growth opportunities” came in at 3%, and “Positive work environment” received 1%.
Dolores Seoane highlighted the specific challenge for government entities, noting, “The challenge for the public sector is that, like other organisations, we do not have enough people. We need to attract them – and in doing so, we compete with the corporate sector”.
Jan Paredis agreed, adding, “Non-commercial entities are not competitive on salary, so other non-salary-related benefits are more important there, including work-life balance and job satisfaction”. Rik Bobbaers added, “Availability is indeed a big issue. Job satisfaction and appreciation are also key. A lot of the work we need to do is unfortunately not security work, and that scares away good security people”.
Dolores Seoane passionately advocated greater recognition of cyber security professionals, emphasising, “We really need to praise the work of all cyber security people more because it is a tough job. They are subject to stress. We need to be very thankful”. The moderator noted the diverse views among panellists and the audience on the skills question.
The final sub-question explored the most effective strategies for overcoming the challenges in recruiting and retaining cyber talent.
“Enhancing work-life balance initiatives” was the top strategy with 32% of the votes. “Improving organisational culture and support” received 29%, and “Offering competitive salary packages and benefits” garnered 23%. “Increasing efforts to attract skilled candidates through targeted recruitment campaigns” received 10%, and “Expanding professional development programmes” received 6%.
Dolores Seoane commented: “For me, it is all about the purpose. In our area of work, it is about protecting the citizens of Europe”. Jan Paredis echoed this sentiment, confirming, “It is indeed about a purpose; people are engaged for their organisation”. Paredis also offered a generational perspective on compensation, suggesting, “When you are young, you will probably choose an attractive salary and benefits. But when you reach a certain maturity in your career, you start to think differently and value work-life balance more”.
The Secure Bites CISO VIP Luncheon provided a valuable platform for cyber security leaders to openly discuss the dynamic challenges and opportunities facing the industry. The insights gleaned from both the audience polls and the expert panel’s debate offer guidance for organisations striving to bolster their cyber resilience in an increasingly complex digital world.
In the picture: Marc Vael (SAI vzw), Dolores Seoane, Jan Paredis, Henk Dujardin, and Rik Bobbaers
