Alex Driesen, chair of the GUBERNA Sounding Board Committee on Cybersecurity, shares experiences and recommendations for directors and boards. 

Alex Driesen is an experienced cybersecurity expert who leads the Sounding Board Committee on Cybersecurity at GUBERNA, one of the committees of practice experts that support GUBERNA in delivering practical applied research. We had the opportunity to speak with him and share valuable insights from the recent survey conducted with directors and boards. This is especially relevant now that the NIS2 directive comes into effect for organizations in Belgium this month, and the 'Cyber Resilience Act' for products is on the horizon.

Alex, welcome. Could you briefly introduce yourself?

Certainly, Chris, and thank you for the invitation. My main role is CEO of Toreon, a Belgian consultancy that aims to accelerate the transition to cyber-trusted organisations and products. Toreon’s consulting branch has two primary activities. First, we help organisations manage their cyber challenges in an economically responsible manner. We primarily do this in Belgium, serving clients ranging from SaaS startups and scale-ups to industrial and energy companies, and even large parts of the federal government.

Second, we help teams that develop software organise themselves in such a way that they almost automatically produce secure software or digital products without exploding development costs or slowing time-to-market. In this area, we’ve built a global reputation, working with international giants such as J&J Medtech in Boston, Costco in Seattle, Accenture US, a top UK bank, and even the intelligence service of one of our neighbouring countries.

We are also active in training, under the brand DPI. We've trained over 3,000 DPOs and CISOs, contributing to addressing the talent shortage in this field. Additionally, we train smaller target groups (such as board members), guiding them through the context of NIS-2.

At Toreon, we are also quite involved in the broader community. Personally, I founded the GUBERNA Sounding Board Committee on Cybersecurity, which advocates for better cybersecurity preparedness among directors. I lead the Cyber Made in Belgium steering committee within Agoria, which represents the interests of the cyber industry in Belgium. Several of my colleagues lead working groups in other organisations, such as the Cyber Security Coalition in Belgium, and globally at OWASP, the organisation aiming to eliminate insecure software from the world.


Why did you establish a Sounding Board Committee on Cybersecurity from the GUBERNA Directors’ Community? What is the mission?

Cyber is becoming increasingly important for directors. Boards must ensure that their organisation operates within the 'sustainability' zone, which is the intersection of three lenses:

  • 'Law': What are the legal requirements?
  • 'Ethics': What should you do? What is the right thing to do?
  • 'Economics': How do I ensure that actions make economic sense and are sustainable?

Today, cyber exerts pressure on each of these lenses. For example, the regulatory burden on the 'law' lens, like NIS2, impacts organisations and the responsibilities of directors. Societal pressure on 'ethics' arises because people no longer accept that their data as customers might end up in the wrong hands or that services may become unavailable when software or suppliers fail to function properly. From an economic perspective, the cost of a breach can be enormous. Consider the NotPetya cyberattack on Maersk, which left them unable to track containers globally, costing around €400 million. Similarly, TNT's case involved damages of around €300 million, and the city of Antwerp suffered losses reportedly up to €100 million. Even more important than the cost of a breach is the growing pressure from customers to ensure that suppliers are sufficiently secure. They can often be the source of a cyberattack, as was the case with accounting software. This is something you wouldn't expect at first glance.


Pressure in these three areas is intense, and this is confirmed by the World Economic Forum, which annually publishes the Risk Index, where cyber ranked second after climate change a few years ago. The comment was made that while climate change is a long-term issue, cyber has an immediate impact.

Lastly, the bill from the SEC in the US indicates there are significant changes underway. They are now requiring boards to demonstrate how well-versed each director is in cyber, akin to the bill for financial literacy that followed the Enron scandal about 20 years ago. This is likely to spread, and soon Belgium will likely wake up to this as well – for those who haven't already. With our Sounding Board Committee, we aim to pre-empt any panic that might follow and prepare directors for this reality.

Awareness among directors is indeed important. They need to inform themselves and acquire knowledge about cyber. How does your committee approach this?


Assembling the group was easier than I had expected. People realise that a lack of solid cybersecurity not only affects companies and directors but also hinders the speed of digitalisation. This could risk preventing the necessary productivity gains in our region. This awareness is strong in the cyber community. I’m very pleased that we’ve been able to bring together a good team of experts with an affinity for board-level governance: Marc Vael from Veralto, Iwona Muchin from Ageas, Jochen Maertens from ConXion, Dirk Schilders, former ICT Director at the Council of the European Union, and until recently, Olivier Braet from GUBERNA.

With them, we can create content by directors, for directors. We started with a survey: Where do boards stand, and do individual directors feel comfortable with cybersecurity? From there, we want to develop a roadmap for directors, with the goal of eventually sharing best practices between boards and individual directors. Who knows, there might even be a specific course at GUBERNA to provide expertise.


The survey results were somewhat more optimistic than what we see daily in practice. This is likely due to a selection bias, where those with more knowledge of cyber feel more compelled to respond. You can also see clusters emerging in four quadrants. On one axis, you have the 'regulated industries', which likely have their affairs in order, and on the other, the 'non-regulated industries', where it varies. On another axis is whether cybersecurity is seen as a ‘necessity’ or as a differentiator, which affects how it is approached. You could compare this to the topic of sustainability in governance. This presents the opportunity to share what the less experienced can learn from the best in class.

For example, you can evaluate the extent to which the cyber approach is aligned with the business strategy. You establish cybersecurity within a certain framework, not just for the sake of cyber itself. The organisation’s activity indicates what’s important to secure. For an airport, this would be availability, for a payroll company, confidentiality, and for a bank, integrity.

Another factor at play is the lifecycle of an organisation. In a start-up, there’s initially no pressure to implement cybersecurity because the 'minimum viable product' needs to be built first. When you encounter your first corporate prospect, they’ll likely have cyber-related requirements. Then you start working on it, and can grow towards certification. As a scale-up, you continue working to ensure secure software is developed without lengthening time-to-market, but still secure and economically viable.

An additional important aspect of aligning cyber with business strategy is whether you will use cybersecurity as a differentiator in the market. For example, we have a tech player in additive manufacturing that went public on the Nasdaq, and on the ‘Times Square billboard’ for their IPO, they chose the slogan: ‘The most secure platform’. Think about this in advance in your strategy, as well as proactive risk management.

Training on this is very useful, even for independent directors. They need to be able to challenge management on these issues. It also affects their responsibilities (liabilities) as a director. There are frameworks relevant to various sectors that you can base your approach on. It’s now clear that cyber is not something entirely separate from business operations; it is an integral part and affects everyone in the organisation. The rule of the weakest link applies here: your vulnerability determines your overall exposure. Cyber roles and responsibilities must be well defined. Weave this into the company’s culture and into the organisation of good governance. This was one of the key findings of the recent survey by the Sounding Board Committee.


How are you acting on the findings from your survey?

A member of the working group has since produced a document that’s published on the GUBERNA website: the seven questions every director should ask about cybersecurity. It’s a useful guide for getting started. These are simple questions such as:

  • What is the current cyber strategy? Here, the organisation’s crown jewels should be identified. What are the relevant laws and regulations? How is the budget allocated? Who is accountable?
  • What are the top five cyber risks?
  • How are employees made aware of their role, and how are they trained?
  • How do we evaluate external partners? Think of the virus via the accounting package at Maersk.
  • How frequently is the cybersecurity dashboard updated and discussed?

And perhaps the most important question: What’s in place regarding the recovery and response plan in the event of a major incident? Who are the team members for incidents, the communications team, how to handle ransom requests, the roles of individual directors, etc.? Determine this in advance because when the house is on fire, there’s no time left. Most importantly, test and simulate regularly and update the plan as needed.


Cyber is becoming more regulated in Europe. For example, the NIS-2 Directive (Network Information System) comes into effect on 18 October in Belgium. Could you tell us a bit more about that?

Europe wants participants in our societal fabric to operate more securely. Given that we are heavily dependent on the digital world and the 'attack surface' (the amount that is accessible from the outside) has increased, this makes us more vulnerable. The combination of many more entry points and dependence on them can result in an explosive cocktail. It's logical that Europe wants to secure this more robustly.

NIS-1 was limited to the most critical sectors, such as nuclear power plants. NIS-2 has greatly expanded the scope of organisations. It’s a combination of which sector you're active in on one axis and the size of your company on the other. In some sectors, everything is included, and in others, only large companies are affected. But it doesn't stop there. Suppliers in the supply chain of such companies must also meet a set of rules. If you extend this, eventually almost the entire society is impacted.

The new regulations include a reporting obligation and penalties. Fines are now firmly introduced, comparable to GDPR regulations (up to €10 million or 2% of global turnover). There is also explicit reference to 'personal liability' of directors and management. You must, among other things, demonstrate that you have been trained. So, check your ‘liability’ insurance policy and be alert to these risks in your policies. Therefore, act as a responsible guardian in this matter, both as an organisation and as an individual.

The intensity will depend on where you operate within the global chain. There is quite a bit of complexity in these regulations. Fortunately, we have the CCB in Belgium, the Centre for Cybersecurity Belgium. Based on their expert and practical experience, they provide a lot of tools within the framework of these regulations. For example, they have a list of seven steps with a timeline. The CCB has also developed a framework: 'cyber fundamentals' with four categories, depending on whether you belong to a supercritical sector (such as a nuclear power plant) or a low-critical one (like a bakery, for example). They offer a very practical framework to ensure you meet the various regulations.

Don’t make the mistake of thinking that by being NIS-2 compliant, the job is done. There are other regulations on the horizon. In addition to the regulations for organisations to which NIS-2 applies, the CRA (Cyber Resilience Act) is also coming soon. The latter is about the cybersecurity of products. If you develop digital products for use in the EU, this will also require your attention.


How are we doing in Belgium? 

Actually, we’re not doing too badly in Belgium. The CCB, led by Miguel de Bruycker, has managed to assemble a fantastic team over the last 10 years with highly motivated cyber experts. Together, they have succeeded in making Belgium the least cyber-vulnerable country in Europe by:

  • Proactively scanning companies for potential system vulnerabilities,
  • Contacting these companies, even with traditional letters,
  • Intervening with telecoms, IPs, regarding suspicious matters to prevent these from reaching companies or end-users, etc.

However, we should not stop here, in my view. Belgium has the potential to grow into a Cyber Power House, where our country can build an international reputation for being 'top class' in cybersecurity. How can we achieve this? Among other things, by adopting strict standards for the security of both organisations and the products we create, thus elevating our organisations to a higher level. The dream is to eventually achieve a position where ‘It comes from Belgium, so it must be safe’ becomes a global differentiator. This would be a remarkable advantage in the international arena. We have the talent, we have institutions that are world leaders in research in this domain, such as COSIC (Computer Security and Industrial Cryptography) and DistriNet at KU Leuven, and we have the CCB. Other countries are now looking to the CCB for inspiration. In any case, this dream is what drives my passion in this community.


Any final recommendations for directors?

Ensure balance. Make sure your cybersecurity is aligned with your overall business and corporate strategy. Don’t do too little, but don’t do too much either. Just enough for what your business requires, or else you’re wasting resources. Very practically, keep an eye on the CCB publications on their website. Their 10 topics already make 80% of the difference without significant effort. Very basic but practical as a starting point. And of course, follow the publications from GUBERNA and our Sounding Board Committee. Most importantly: take action. Prevention is cheaper than recovery, and it helps your business move forward. Whether to maintain your 'table stakes' or to use it as a differentiator.

  • Alex

    Alex Driesen

    CEO at Toreon | Cybersecurity and Privacy – accelerating the transition to cyber-trusted organisations and products.

    Advisory and independent board member: Volta Ventures, startups and tech companies in transformation

    Chair of Sounding Board Committee Cybersecurity at GUBERNA and GUBERNA Certified Director

    Chair of the steerco of Cyber Made in Belgium at Agoria

    www.linkedin.com/in/alexdriesen

    Mobile  +32 478 401 404

    Email  alex.driesen@oxygen2.co

  • Chris

    Chris Wouters

    Interview conducted by Chris Wouters

    GUBERNA Certified Director

    Board member at:

    A Media holding, Lieven Gevaertfonds & Logia

    Mobile +32 477 666 083

    Email wouters_chris@skynet.be


Background information
We recommend that directors consult the following external objective sources for practical arrangements and tools relevant to board members:
  • https://www.guberna.be/en/guberna-sounding-board-committee-cybersecurity
  • https://safeonweb.be/en
  • https://ccb.belgium.be/en
  • https://www.cyfun.be
  • https://atwork.safeonweb.be/tools-resources/policy-templates
  • https://www.enisa.europa.eu/
 
Regulations impacting cybersecurity decisions and monitoring responsibilities: