Skip to content

The Fallacy of the CISO: Why “Chief INsecurity Officer” is More Apt

Once revered as knights in digital armor, Chief Information Security Officers (CISOs) now find themselves lost in a quagmire of ever-increasing security breaches. From household names to startups, data breaches have become commonplace, almost a rite of passage. Has the digital bastion fallen, or did the guardians of our information kingdom fail to adapt? During the Global Cybersecurity Conference 2023 in Zürich, thoughts were exchanged, concerns expressed and a path forward for the knights in armor was discussed.

Three formidable storms cloud the horizon, further testing the mettle of us so-called protectors.

  • First, the asymmetric digital warfare we’re grappling with. In traditional warfare, you knew your adversaries. Today’s digital warfare, however, sees nation-states and rogue actors with resources that often dwarf those of entire corporations. CISOs are essentially bringing a knife to a gunfight. They’re no longer defending against script kiddies in basements but against sophisticated adversaries that view digital realms as the next battleground.
  • Second, the non-linear digital global transitions have thrown predictable evolution out the window. Our digital landscape doesn’t transition smoothly; it hops, skips, and leaps, often leaving security frameworks outdated almost as soon as they’re implemented. Just when CISOs think they’ve gotten a grip on one technological wave, another crashes in, each more potent than the last.
  • Lastly, the exponential legal cyber requirements are engulfing us like a tsunami. Legislative bodies, in a well-intentioned but often ill-informed bid to bolster cyber defenses, inundate businesses with myriad regulations. GDPR, CCPA, and their international siblings mean well, but often, CISOs find themselves navigating a labyrinthine legal maze, detracting from their core mandate—securing the digital fort.

Many CISOs remained lost in their silos, making patchwork quilts of security, which, while impressive in patches, remained dangerously frayed in others. They armed themselves with the latest tools, technologies, and buzzwords, often missing the forest for the trees. They’d rave about the newest firewall, endpoint security, or machine learning AI solution, while often missing foundational issues like human error, insider threats, or basic cybersecurity hygiene. It’s no wonder then that we’ve seen gargantuan breaches involving millions, if not billions, of personal records. The Equifax breach of 2017, the Microsoft certification incidents, the MGM breach of last month, or the countless unreported accidents that only insiders would whisper about—all stark reminders of the failing status quo.

Enter the Double-Edged Sword of AI

In a landscape riddled with cyber threats, artificial intelligence (AI) emerges as the most provocative wildcard. There’s a looming irony here: AI can be the very force that powers security solutions, yet it’s also the ammunition in the arsenal of sophisticated cyber adversaries. Advanced algorithms that can predict and counteract cyber threats in milliseconds are the same algorithms being weaponized to devise new, unforeseen methods of intrusion. We’re caught in a digital arms race. As AI-driven security tools become more adept, so too does AI-fueled malware that can outsmart conventional defense mechanisms. While we marvel at AI’s potential to be the savior in the cybersecurity realm, we must remain vigilant against its insidious dark side. For CISOs, the challenge is monumental: How do you wield a weapon when your adversary has access to the same firepower? The answer is not just in the technology, but in the strategy. AI can’t just be a tool; it must be an ally, an integral part of the evolving defense blueprint. If not, CISOs might find themselves outsmarted by the very tech they hoped would be their salvation.

Beyond the Castle Moats: Embracing the Zero Trust Doctrine

In the annals of cybersecurity, the concept of Zero Trust stands out like the gleaming sword of a seasoned knight. Rooted in the philosophy of “never trust, always verify,” it challenges the age-old notions of the digital fortress. Once, our digital knights, the CISOs, built towering walls and deep moats, believing that threats largely existed outside the castle. But alas, the world has changed. Traitors lurk within, and external foes have mastered the art of disguise. Zero Trust tells us that the concept of an inner sanctum, free from threats, is but a fairy tale. Now, our knights must become vigilant sentinels, scrutinizing every individual, be it a familiar face or a stranger, every time they seek entry. The gates of the kingdom are many, and the traffic is ceaseless, but with Zero Trust, every passage becomes a checkpoint, every request an opportunity to validate. It’s not about mistrust, but about relentless vigilance. The days of blind faith are over; the age of perpetual verification has dawned. And in this era, the CISO’s role is not just to defend, but to perpetually question and verify.

Let’s call it as it is: Instead of “Chief Information Security Officer,” perhaps “Chief INsecurity Officer” is more apt.

It’s not just a cheeky play on words but a stark reflection of reality. No enterprise today can claim to be 100% secure. The goalposts have shifted. It’s no longer just about defense; it’s about resilience. Resilience—the ability to anticipate, withstand, recover from, and adapt to adverse conditions—is what the modern digital landscape demands. Cyber threats have become an inevitability, not a possibility. CISOs, or perhaps now Chief Resilience Officers (CROs), need to pivot their focus from merely “protecting” to “adapting and recovering.” The dogmatic belief that we can fully prevent breaches is antiquated. We will see if next year’s Global Cybersecurity Conference keynotes, where “Cloud meets A.I.” will be the theme, will reflect on this paradigm shift.

Because it’s time for the CISO community to face the uncomfortable truth. While prevention is commendable, an exclusive focus on it is myopic. Investing in resilience, incident response capabilities, and recovery strategies should occupy equal, if not more, mindshare.

To the knights of the cyber realm, the onus is upon you: It’s time to sharpen your resilience swords and adapt, lest you become a mere whisper in the legends of digital defense.

BIO: Dimitri van Zantvliet is the Cybersecurity Director and CISO of Dutch Railways (NS). He’s also Co-Chair to the Dutch and European Rail ISAC and Rail CISO Forum, a cyber columnist, and a regular speaker at international conferences.

Passionate about technology, innovation, cybersecurity, and data privacy, Dimitri’s experience spans three decades and includes senior positions (e.g. CIO, CTO, and CISO) at multinational organizations, in local government, on the Dutch Olympic Committee and (since 2021) at Dutch Railways. Dimitri holds an international master’s degree in business administration and cyber certificates such as CISSP, CRISC, CISA, CISM, CDPSE, CIPP/E, CIPM, and FIP.

Personal LinkedIn