Cyber security in the Netherlands: a responsibility we share Progress towards a Dutch cyber security ecosystem
SURVEY AMONG MORE THAN 500 CYBER SECURITY PROFESSIONALS IN THE NETHERLANDS Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
“We need to exchange knowledge and collaborate together in order to keep our Dutch digital hub safe, to protect the privacy of our stakeholders and to safeguard the very functioning of our society.“
Niels van de Vorle Partner Cyber Risk Services
02 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
Preface
The general domain of security used to In this ecosystem, we envision that be up to the government, but national organisations learn and progress by governments lack the reach to effectively engaging in an ongoing discussion. To counter threats in a globalised world – let provide useful input for that discussion, we alone in cyberspace. Keeping our systems have performed a sweeping study into cyber and data safe also requires the engagement security practices across our country, polling of businesses and other organisations. 544 respondents (comprising of 70% CxOs Accordingly, we have seen cyber security and 30% holding various other information rapidly climb the agenda of organisations technology and management positions). across the public and private sector, a trend While the importance of cyber security driven either by their CISO or by arising is universally felt, the approach to cyber business necessity. security challenges is extremely varied. The differences between sectors, between In just a few decades, digital technology has But how do we ensure that all these parties large and small organisations and between changed our world beyond recognition, maximise their impact and avoid reinventing seniority levels within organisations show delivering a fabulous array of benefits. This the wheel? In other words, how do we that there is much to be gained by learning certainly applies for the Netherlands. We shape the future of cyber security? This is a from each other. And the fact that so many have grasped the opportunities offered by complex task, which we can only accomplish have taken part in the survey reflects a digitalisation to consolidate our role as a by collaborating together. Deloitte has willingness to do so. major financial, digital and trade hub for taken up the challenge to make this happen the global economy. Just look, for example, here in the Netherlands. Our experts strive This report is a must-read for leaders who at our central role in global high-frequency to connect government, businesses and manage cyber security challenges, but let’s trading on financial markets. Our global citizens in ecosystems and translate security do more than just read it. Now is the time champion in semiconductor technology. challenges into solutions to future-proof to take our conversations on cyber security Our highly efficient, highly automated port our country’s cyber security. Deloitte is to the next level. We need to exchange of Rotterdam. actively collaborating in the cyber security knowledge and collaborate together in ecosystem with public and private parties. order to keep our Dutch digital hub safe, Success comes at a price, however: the to protect the privacy of our stakeholders digital infrastructure we have built has In fighting cybercrime, however, it’s essential and to safeguard the very functioning of our become far too important to fail. By to maintain the trust of stakeholders and society. targeting payments, supply chains and society as a whole. Trust is the cornerstone utilities, cyber criminals can bring society of every relationship. It’s the foundation of Niels van de Vorle to a standstill. The number of ransomware each interaction an organisation has with Partner Cyber Risk Services attacks has been rising steadily in employees, vendors, supply chain partners, recent years, shutting down dozens of customers and the broader community. organisations in the Netherlands, from local From this basis of trust, the ways authorities to service providers and from organisations work, collaborate and engage universities to logistics and transportation with stakeholders remain sustainable and companies. They give us just a taste of the secure as they grow. Losing that trust means impact of a cyber attack and the chaos it losing their license to operate. Therefore, can cause. Besides ransomware attacks, security must be designed to respect privacy supply chain attacks are also becoming and other basic rights. This, too, is an area increasingly common. All this illustrates how where Deloitte has deep expertise and relatively easy it still is to compromise our great ambition. This is part of our broader digital infrastructure. Keeping the digital goal to help organisations become more infrastructure secure is a huge responsibility responsible in doing business. shared by various stakeholders.”
03 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
04 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
Contents
Executive Summary 06 1. Organising cyber security 08 2. Moving up the maturity curve 14 3. A recipe for CISO success 22 4. Cyber security in a changing landscape 28 5. Responsible cyber security: all for one, one for all 35 Conclusion 40 About Deloitte Cyber Risk Services 41 Acknowledgements and contact details 42
05 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
Executive Summary
Cyber security is 1. The ultimate goal of cyber security “A cyber security strategy must first be of the realistic and workable for the rest of the continuously in motion. respondents organisation. For next-level maturity, it It has to be in order to believe the must be embedded in primary processes ultimate goal and the overall strategy.” keep up with constantly of cyber security is to protect people and changing cyber threats. assets from harm, misuse and abuse. - Robbin van den Dobbelsteen, 22% opined that protecting the vital assets Director Cyber Risk Services At Deloitte, we were keen of the company is the most important to know where Dutch objective. For at least one out of ten, the 3. Cyber security on the executive ultimate goal of cyber security is making board’s agenda and the allocation organisations currently the digital ecosystem a safer place. of cyber security budget stand with respect to of executive “The Financial Sector agreed not to boards discuss cyber security. What they compete on cyber security years ago. cyber security are worried about, what Instead, banks are sharing information at least every and helping each other with best quarter, but 25% of them do so once their goals are, and what practices. Other sectors have been a year or less. The survey shows that is needed to achieve following this example. By doing so, all the larger the organisation is, the more can offer clients, themselves and society frequently cyber security is discussed at success. How they see the the best possible protection.” board level. Comparing sectors, providers future. And above all, their in Financial Services are champions - Kevin Jonkers, in board-level engagement on this thoughts on making the Director Cyber Risk Services topic, while public sector awareness is Dutch digital ecosystem significantly lower. Interestingly, our 2. Strategy survey shows that for an average of 8% safer. of organisations of our CxO respondents the ultimate goal stated to have of cyber security is not always clear. an up-to-date cyber security “If CISOs start focusing more on securing strategy, which (based on our survey) emerging technologies, they can act as is usually a separate annual plan with business enablers and strengthen the a roadmap (80%). Conversely, 6% of position of the company compared to organisations are starting to set up their competitors.” strategy, while 15% are already working on a next-level mature strategy. The - Dana Spataru, most frequently cited success factors Partner Cyber Risk Services for achieving cyber security goals are increased operational excellence, clear Our survey shows that 61% of cyber security communication, training organisations allocate up to 11% of the organisational workforce to become the information technology budget to more aware of cyber security matters, and cyber security, and 73% of organisations meeting various compliance requirements. increase this budget annually, although Meanwhile, organisations seem to struggle not exceeding 15% on an annual basis to mitigate all cyber threats and invest in overall. If we compare sectors, cyber every single department, thus, the general security budgets are relatively high in the practice is to make calculated choices Energy, Resources & Industrials sectors and strengthen their most important and and among Life Science & Healthcare valuable business areas and controls. organisations, while 43% of the Public Sector do not know exactly how much they actually spend on cyber security.
06 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
”Cyber security budgets are not unlimited, In case of a ransomware attack, less than 6. Towards a Dutch cyber security especially in Small and Medium-sized a third (30%) of the respondents are sure ecosystem Enterprises, so you have to understand they would pay to get their data back. But of respondents where your investments will be most opinions vary widely on this topic. The from large impactful and make choices.” positions that most often choose to pay organisations are CEO, CIO, and CRO (52%, 48% and 46% with more than - Jurrien Mammen, respectively), while 29% of CISOs would 10,000 employees see opportunities to Partner Cyber Risk Services pay. Large organisations are also less likely contribute to a more resilient sector and to pay, with only 15% of organisations a safer digital ecosystem. The surveyed 4. Deep diving into our most commonly with 10,000 employees or more agreeing CISOs leave little room for interpretation: feared threats with this statement. The same is true for 100% of these respondents agree with this Part of our survey focused on anticipated organisations in the Public Sector; only 17% statement. The creativity, confidence and developments in cyber security, (potential) believe that paying is the best option, while positivity in this regard seems to grow with cyber threats and the organisation’s organisations from Financial Services (40%), organisation size. These results highlight confidence in handling them.The most Technology, Media & Telecommunications the evolution towards a safer and more commonly feared threats are: (38%) and Energy, Resources and resilient digital society. Industrials (38%) are more convinced. “We need to exchange knowledge and 5. The development of the CISO role collaborate together in order to keep our data leakage Nowadays CISOs predominately report to Dutch digital hub safe, to protect the privacy (40%) the CIO (49%) where only 13% report to of our stakeholders and to safeguard the the CFO. Our survey shows that the very functioning of our society.” three challenges most felt by CISOs are: - Niels van de Vorle, Partner Cyber Risk Services phishing, malware, managing too many or vulnerability organisational exploits priorities Methodology (35%) simultaneously Deloitte Cyber Risk Services, in (31%) conjunction with Markteffect (one of the leading market research extortion or companies in The Netherlands), lack of integration of destruction of the polled 544 professionals who oversee cyber risk priorities organisation’s data cyber security at organisations in an with business (25%) online survey. Those professionals priorities (28%) are CISO (19%), other CxO-level The largest organisations (>10,000 executives (51%), and professionals employees) have an above-average fear holding various other information (27%) of security breaches involving inadequate technology positions (30%), working third-party organisations. governance across across six different sectors: Financial organisation (26%) Services (13%), Energy Resources & “I don’t believe digital threats are Industrials (13%), Technology, Media & becoming more sophisticated overall, as Telecommunications (30%), Consumer easy hacks are still effective and lucrative. “The role of the CISO is changing from (17%), Public Sector (20%) and Life It’s organisations themselves that are being perceived as ‘the department of no’ Sciences and Healthcare (4%). The becoming more complex and losing track to being a business advisor and enabler. organisations they work for range in of their vulnerabilities.” A CISO no longer needs to rely on a deep size from up to 1,000 (60%), 1,000 to technical background. It’s more important 5,000 (19%), 5,000 to 10,000 (6%) to - Frank Groenewegen, to be a people person.” more than 10,000 employees (15%). Partner Cyber Risk Services The fieldwork took place between - Martijn Knuiman, September and December 2020. Partner Cyber Risk Services Note: The graphs in this report show rounded figures. Due to rounding differences, it may happen that they add up to 99% or 101%.
07 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem 1. Organising cyber security
08 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
Organising cyber security A Deloitte perspective by Jurrien Mammen
% of respondents that agree with the Among these smaller organisations, statement: 'The Executive Board of my 39% see cyber security as their organisation doesn’t have a current own responsibility. In my view, the and accurate understanding of the government also has a responsibility cyber landscape': to make the overall operational environment safer, for example, by taking higher-level measures to reduce CEO 54% the attack surface, or by stimulating innovation and providing shared
CISO 13%38% infrastructure. Larger organisations (50%) realise that cyber resilience is a responsibility they share with the CIO 10% 53% government. They are aware of the fact Jurrien, partner Deloitte Cyber Risk Services, that combating cyber threats effectively has over 20 years of experience in risk and CFO 10%31% requires stakeholders from various strategy consulting and currently leads the domains (e.g. Cyber Crime and Fraud). Dutch Cyber Strategy Team. CTO 8% 39% In the past year, working from home has “The survey looks at how often the erased a lot of status and hierarchy. The CRO 8%23% board discusses cyber security, but more way we organise work today is much discussion isn’t necessarily better. Indeed, more fluid and adaptive, accelerating a significant percentage of respondents CCO 5%21% knowledge sharing, both within and (54% of CEOs, 38% of CISOs) say that their between organisations. Today’s CISOs can board doesn’t have a current and accurate Other roles 5% 27% be more agile in responding to immediate understanding of the cyber landscape. threats, and instead of big projects, they’ll On the other hand, where cyber security be handling more projects, but smaller is well organised and understood, it hardly ones.” needs discussion at all. What interests successful. Unsurprisingly, then, some me more is the quality of that discussion. 40% of respondents feel that protecting Are the right issues being discussed? everything is unaffordable, and have made Are tough questions being asked? Like, choices as to what to recover and what to whether the people taking the decisions let fail. know enough about the subject and the latest threats. Or whether product Cyber security is indeed costly, and innovation teams keep cyber security in as threats increase in sophistication mind. Whether the right investments are and number, there’s a risk that further being made. investment isn’t economically feasible, especially for smaller organisations. So Talking about investments, the survey either they achieve more effective cyber shows that cyber security budgets security for the same price, or they go out are significant and growing. But here, of business. This may explain the trend too, more budget is not necessarily we see among smaller players to insource better. The survey shows that 31% of cyber security. Either to save costs, or CFOs realise that understanding the because they cannot find an external areas where security investments are party willing to serve them, given their most impactful is important to being tight budget.
09 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
In our survey, we asked least once a month. And yet, at 13% of the organisations cyber security is rarely to questions on how often never discussed in the board room. Larger cyber security is discussed organisations seem to include cyber security more frequently in their executive in the executive board, board’s agendas, compared to mid-sized and how much budget is and smaller organisations. allocated to cyber security • 29% of the large organisations related to the overall IT (with > 10,000 employees) discuss cyber security at least once a month; however budget. nearly 2 out of 5 are unaware of the frequency. 1.1 Cyber security discussed in the executive board • About a quarter of the organisations Cyber security appears to be fairly well with 1,000-5,000 employees discuss on the radar of executive boards. Cyber cyber security related matters once a security is discussed at least every quarter quarter, while in the category 5,000- at 42% of the organisations, while 17% of 10,000 over a third agree with this executive boards discuss cyber security at statement.
How often is cyber security a subject in the executive board?
By organisation size
25%
11%
23% 3% 26% 24% 3% 7% 2% 2% 1% 18% 3% 3% 17% 3% 5% 15% 11% 16% 6% 17% 13% 11%
12% 23% 9% 21% 31%
7% 24% 25%
3% 3% 29% 17% 20% 13%
< 1,000 1,000 - 5,000 5,000 - 10,000 > 10,000 employees employees employees employees
At least once a month Rarely/on an ad hoc basis Once a quarter Choose not to be informed Twice a year Never Once a year I don’t know
10 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
1.2 Cyber security budget: the trend Further specifying the allocation of cyber “Budget doesn’t indicate of the spend security budget by industry, the graph Allocating sufficient budget is an important below presents us with the following: how secure a company factor for success in any field of activity, is. Compliance-based and this is also true for fighting and • At least 50% of organisations across defending against (potential) cybercrime. Financial Services, Consumer, Telecom, frameworks also have 63% of our survey’s respondents are of Media & Technology and Energy, their limitations. In fact, the opinion that you need to constantly Resources & Industrials spend 3%-8% of invest in the most advanced technology their IT budget on cyber security. success and maturity in if you want to mitigate cyber risks. This is security are very hard to partially due to a rapidly changing cyber • 17% of Energy, Resources & Industrials environment. and Life Science & Healthcare measure.” organisations spend 8%-11% of their Within large organisations (> 1,000 IT budget on cyber security – which - a respondent employees), cyber security budgets seem is slightly higher if compared to to range from 3% to 11% or more of the organisations in other sectors. total IT budget, where about 40% of this group are unaware of the cyber security • 43% of public sector organisations budget’s share. are currently not aware of their cyber security budget.
Cyber security budget as percentage of the overall information technology budget
By organisation size By industry
16% Consumer 11% 31% 21% 13% 5% 19%
3% 34% 37% Energy, Resources 7% 25% 26% 17% 4% 20% 43% & Industrials 12%
Financial Services 7% 38% 32% 9% 3% 10% 6% 5% 28% 13% 3% 6% Life Science 13% 13% 21% 17% 8% 29% & Healthcare 14%
19% 13% 14% 16% 11% 4% 43% 23% Public sector 11%
29% Technology, Media 13% 26% 28% 8% 3% 21% 19% & Telecommunications 20% 17% Others 20% 7% 33% 13% 27% 13% 13% 8% 9%
< 1,000 1,000 - 5,000 5,000 - 10,000 > 10,000 employees employees employees employees
Less than 3% 8% to 11% 3% to 5% 11% or more 5% to 8% Not applicable / I don’t know
11 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
Development of security budget More interestingly, if we take a closer look Moreover, as society and organisations year-on-year into characterising the year-over-year trend have been affected by COVID-19 they Cyber security budgets seem to be rising by industry, we see that organisations from need to prepare for the potential steadily year-on-year: Financial Services, Energy, Resources & aftermath. Our surveys show that Industrials and Consumer witnessed an surprisingly enough, only 8% of CISOs • 35% of our survey respondents said that overall higher year-over-year growth in their of organisations bigger than 1,000 the annual security budget had grown by cyber security budgets (up to 15%) compared employees fear that COVID-19 is a 1% to 5%. to organisations in other industries. threat to the prioritisation of cyber- related investments. • 27% of organisations have seen a larger Only 3% of the respondents said their cyber increase of 6% to 10%. security budget had decreased compared to last year. They also indicated the reasons • 12% of organisations saw their cyber for this, which were mostly because their security budget increase by 11% or more. organisation had been forced to reduce its total costs.
Characterise the year-over-year trend in your cyber security budget Reduced Increase 11 - 15% Increase 1 - 5% Increase >15% 35% By industry Increase 6 - 10% Not appicable/ I don't know
1% 27% Consumer 1% 32% 36% 12% 18% 23% 1% Energy, Resources 3% 22% 36% 20% 17% & Industrials 1%
Financial Services 1% 43% 26% 15% 13% 10%
Life Science 3% 33% 21% 46% 2% & Healthcare
Public sector 1% 33% 20% 3% 4% 39%
By organisation size Technology, Media 5% 38% 27% 10% 4% 16% & Telecommunications
16% Others 13% 47% 13% 27% 1% 32% 29% 40% 12%
3% 6% 5% 12% 3% 33% 9% 17%
20% 17%
41% 35% 29% 31%
1% 3% 4% < 1,000 1,000 - 5,000 5,000 - 10,000 > 10,000 employees employees employees employees
12 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
Embracing emerging technologies A Deloitte perspective by Dana Spataru
to improve operational efficiency, increase are likely duplicating costs and efforts. health and safety, boost automation and More collaboration and clear governance reduce costs. And those are only some are required between IT security, of the benefits. Telecom organisations manufacturing security and product are developing new 5G-based products security to manage security risks and and services, and manufacturers have capitalise on opportunities. developed many connected products or have enriched their existing machines The role of a CISO should be to share with connectivity. his or her experiences and connect the dots in a security strategy that If CISOs turn their focus on securing covers the entire organisation. A good these new aspects of business, they can example is using security as a driver for act as business enablers and strengthen increased operational efficiency and cost Dana, partner Deloitte Cyber Risk Services, the position of their companies vis-a-vis reductions, which in turn covers the cost currently leads Deloitte’s Global Emerging competitors. If CISOs address privacy and of security. We recently implemented Technologies security team. Her focus security risks more proactively, they can an integrated security operations on emerging technologies brings new give their organisation’s business side centre at a large pharmaceutical perspectives to digital transformations, more confidence to venture into these company. This centre helps to increase where secure products and processes create novel areas. automation and operational efficiency new value streams and enable future growth. while decreasing health and safety risks This discussion should start in the in the manufacturing environment. It “Security can be a business enabler and boardroom. Our research shows also creates products with embedded active driver of future growth. For this that cyber security is discussed in the security and privacy, while simultaneously to happen, though, CISOs must take boardroom at a minimum of once per covering the costs of security. This helps emerging technologies into consideration. quarter in only 42% of organisations. the CISO to get buy-in from—in this “Emerging technologies” is a label applied This means that CISOs at the other 58% specific case—manufacturing teams. to relatively new technologies such as have work to do. This topic should be connected products, cloud, 5G, and on the agenda at least monthly. If CISOs There’s much we can learn from the most brownfield areas such as operational don’t move quickly, they will be cut out successful digital organisations — not just technology. Traditionally, emerging of the digital decision-making of other the tech giants but also the upcoming technologies have not been part of departments. technology companies offering only digital security strategies, but they are now products and services. They have built-in increasingly converging with IT. This would be a missed opportunity. security in the core of their products, Organisations can look at security and because they know that if they don’t, Instead of reaping the benefits of design their future growth paths in an they won’t sell them. They have coupled emerging technologies, some CISOs still integrated way. What we often see is that security KPIs to business KPIs because struggle with them and view them as manufacturing departments who use new they are inextricably linked. complicating factors. 10% of CISOs in technologies are already making decisions our research indicated that emerging about their own security, and that digital Our research shows that the role of technologies give them headaches. departments run their products with their the CISO is developing in the right own established security processes. While direction: from a purely technical to a The term “emerging” might be confusing it’s positive to see that security measures more business integrated role. In the in this context, as these technologies are are being embedded, if security is siloed, coming years, I hope this development not really emerging but are already here. it’s hard to learn from the experiences of accelerates, and that CISOs get and take Clients today use emerging technologies other business units. These organisations the position they deserve.”
13 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem 2. Moving up the maturity curve
14 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
Moving up the maturity curve A Deloitte perspective by Robbin van den Dobbelsteen
buy-in right from day one. This is done by customers alike, and as such actually shaping the case for change as laid out contributes to better performance. This in the cyber plan, explaining in lay terms should lift organisations to an even what the goals are and asking the CIO and higher level of maturity, where effortless, managers from the business for input top-of-class security is a unique selling and feedback. That way, solutions can be point that ensures customer trust. found that do the trick, but fit more easily into daily practice. The other managers will Another way to move up the maturity feel ownership and help create awareness curve is to collaborate not just internally, in their teams. All this will result in broader but also with similar organisations, supply acceptance and cooperation. chain partners and external experts. It’s far better, in terms of effectiveness Cyber security has multiple dimensions as well as efficiency, to share cyber Robbin, director Deloitte Cyber Risk Services, – human, process and technology – and best practices than to keep reinventing has been advising on cyber security for multiple goals – prevention, detection the wheel in the isolation of your own 15 years, and has fulfilled several CISO and response. The better the balance organisation. Recycling best practice positions on an interim basis with larger between all these in relation to the cyber cyber security solutions is often very well global organisations. risks, the more mature an organisation possible, as it doesn’t involve sensitive is or can become in cyber security terms. business intelligence. So even keen “It’s good to see that almost every What counts is not only maturity, but competitors can work together to make respondent’s organisation has a cyber also how consistent the security plan their sector safer as a whole.” security plan, but whether it’s effective is implemented throughout the entire depends on the perspective it was written organisation. Maturity increases with from. A plan solely written by cyber organisation size, as the figures show. security experts is likely to be quite short, However, there’s a significant “but”. directive and focused overwhelmingly Larger multinational organisations often on risks, rules and sanctions for non- have to deal with increased complexity, compliance. However, no matter how cyber security strength can vary sensible the rules are, they must also be considerably between subsidiaries and realistic and workable for the rest of the locations. In our current hyperconnected organisation. Otherwise, compliance will world, ultimately, the cyber defences of be low, and the plan will have little impact. an organisation are only as strong as its In fact, the success of the plan depends on least protected entity or asset. how effective the organisation is desired (cyber) changes. Beyond organisation-wide basic hygiene, next level maturity means that A more promising approach involves cyber security is embedded in primary CISOs coming down from their “ivory processes and the overall strategy. tower” and working hand in hand with Embedding security properly is a matter the rest of the organisation to mitigate of successfully changing people’s mindset the potential current and future impact as well as their ways of working. Security, of cyber threats on critical value chains by being both robust and user-friendly, and operations. It starts with getting is easily accepted by employees and
15 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
A cornerstone of effective resulting in the protection of services and products. Such a strategy includes organisation of cyber a plan of action designed to improve the security is a good strategy. organisation’s cyber security and its overall resilience. With this in mind, our survey One that is linked to the shows that the majority of organisations organisation’s overall claim to have an up-to-date cyber security strategy in place. The likelihood of a cyber strategy and to its digital security strategy being in place seems to strategy. In other words, depend on the size of an organisation, notably, relatively smaller organisations a framework and plan either have no cyber security strategy in of action designed to place or one that is not up to date. improve the organisation’s In order to support the prioritisation cyber security and of their cyber security strategy, organisations can choose to embed their resilience. In this chapter cyber strategy into and align it with their we describe what progress organisation-wide strategy, or they can keep it information technology oriented, organisations have made or they can tailor it to a specific market. towards such a strategy. Our survey shows that the larger an organisation becomes, the more often an organisation-wide cyber security strategy 2.1 The status quo of the cyber is in place, compared to relatively smaller security strategy organisations where we see a mix of all The fundamentals of an organisation’s the above-mentioned approaches. cyber security strategy should enable them to elevate their overall security,
Does the organisation have an up-to-date cyber security strategy?
By industry
8% 5% 4% 4% 12% 13% 13%
87% 95% 96% 96% 88% 87% 92%
Consumer Energy, Resources Financial Services Life Science Public sector Technology, Media Others & Industrials & Healthcare & Telecommunications
By organisation size
9% 11% 3% 4%
< 1,000 1,000 - 5,000 5,000 - 10,000 > 10,000 employees employees employees employees
91% 89% 97% 96%
Yes No
16 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
On which level is a cyber strategy in place?
By organisation size By industry
3% 7% Consumer 58% 15% 15% 12% 11% 13% 9% 4%
Energy, Resources 30% 35% 24% 11% 18% 14% 20% & Industrials
38% Financial Services 38% 34% 18% 9%
33% 37% Life Science 48% 38% 10% 5% & Healthcare
Public sector 40% 39% 12% 9% 69%
Technology, Media 50% 42% 34% 12% 11% & Telecommunications 38% 36%
Others 46% 46% 8%
< 1,000 1,000 - 5,000 5,000 - 10,000 > 10,000 employees employees employees employees
Global – organisation wide IT Market(s) Business line
However, a cross-industry close-up reveals Which statement best describes the progress of implementing the cyber stagnation in the implementation of cyber strategy within your organisation? strategies, as 22% of organisations are progressing slower than expected and By industry 4% are just starting. This could indicate a disconnect between prioritisation of cyber security as a topic and the inhouse Consumer 37% 28% 15% 17% 3% capabilities and resources to implement necessary cyber security measures. Energy, Resources 32% 32% 27% 6% 3% & Industrials To excel in cyber security, organisations need to dedicate resources and invest in Financial Services 43% 23% 22% 12% expertise. Understandably, it is not core business for every organisation, given Life Science that 45% of our respondents said that it is 33% 19% 29% 14% 5% & Healthcare challenging to dedicate enough financial resources to protect all assets. This leads to tough decisions, even in industries Public sector 36% 21% 22% 12% 9% considered to have a mature cyber security environment. Technology, Media 39% 15% 19% 19% 9% & Telecommunications
Others 31% 15% 15% 38%
Moving along as expected Developing a new (next level) strategy Progressing slower than planned Just starting Finishing implementation and evaluation of results 17 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
An annual plan and roadmap can help Level of cyber security strategy an organisation to elevate their overall security, resulting in the protection By industry of services and products. Zooming in on an industry view regarding the characterisation of a cyber security Consumer 37% 29% 10% 13% 10% strategy, our survey shows that:
Energy, Resources 41% 32% 6% 11% 11% • The Public sector and ER&I industries & Industrials have the highest focus on an annual cyber strategy plan with a roadmap for Financial Services 35% 35% 9% 9% 11% the entire organisation.
Life Science • Technology, Media & Telecommuni- 33% 29% 5% 5% 29% & Healthcare cations and Financial services equally favour annual plans for the entire organisation and the entire IT function. Public sector 46% 24% 11% 9% 9%
• Notably, 29% of the respondents from Technology, Media 34% 34% 16% 9% 8% Life Sciences & Healthcare characterise & Telecommunications their cyber strategy as part of the overall enterprise risk management framework, Others 46% 38% 15% the highest among all the industries.
Annual plan and roadmap for the entire organisation Annual plan and roadmap for entire IT function Annual plan and roadmap for security team Business centric, strategic plan and roadmap including HR, Finance, operations, jointly executed Part of overall enterprise risk management
18 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
Which trends do you see in your 2.2 The success of cyber security • The development of the IT workforce, in security organisation? strategies terms of attracting talent and achieving Trends in the cyber security more diversity, remains a concern. On By organisation size organisation average only 17% of the respondents The main trends that make respondents seem to be satisfied with trends in the IT
1% optimistic are on the one hand growing workforce. 3% 18% maturity of their cyber security 11% organisation (46% of respondents), and on Success factors in achieving cyber 7% the other hand stronger alignment with the security goals 17% business (39% of respondents). Growing Achieving cyber security goals, according 4% 40% 36% maturity in the cyber security organisation to respondents, depends primarily on 20% 27% is particularly highlighted by the larger compliance with industry and market organisations (59% of organisations with standards. Organisations are aware of more than 10,000 employees). external threats, but a trend is seen in 25% 34% 36% protecting oneself from possible internal 37% Other trends reflecting the growing threats. One solution which could 26% success of cyber security strategies include contribute to limiting internal threats 31% integration of cyber security in business is the implementation of Identity and 49% teams (DevOps), innovation, improving Access Management (IAM) processes and 36% 33% compliance and an improved IT workforce. technology. 46% of large organisations express that this is a critical mechanism to Areas for attention achieve their cyber security goals. 59% The survey has revealed problems which 37% 40% 40% in our view require attention, given the Our surveyed CISOs (59%) agree that rapidly changing cyber environment. the following key success factors These may derive from internal or external contribute significantly towards < 1,000 1,000 - 5,000 5,000 - 10,000 > 10,000 mechanisms. achieving cyber security goals: employees employees employees employees monitoring, incident and vulnerability • 60% or our respondents feel that the management, third party cyber Maturing security organisation cyber security maturity of third parties risk management, supply chain risk (strategy, governance, IT/OT integration, operations) is increasingly difficult to manage. management, disaster recovery and Stronger alignment with the business Specifically, for organisations in the business continuity. Integration in business teams (DevOps) and innovation efforts Life Sciences & Healthcare sector, 68% Improved compliance (ISO, GDPR, data, privacy, etc.) believes this is the case. Cross industry, the majority consider Improved IT workforce (talent, diversity, geography) compliance with industry standards None of these • 48% or our respondents feel that new (including privacy) to be among the most technologies like quantum computing important factors to achieve their cyber and artificial intelligence make it difficult security goals. Second and third in line are to defend the organisation against future operational and communication & training threats. activities. These three areas combined are considered to be the most critical success • 43% or our respondents say it is factors to achieve cyber security goals. becoming difficult and costly to secure their environment in a way that ensures their organisation is less targeted than others. This is perceived as less of a challenge within the Life Sciences & Healthcare sector (27%), as their business model inherently requires adherence to more stringent laws and regulations due to the fact that these organisations process sensitive data of patients.
19 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
An explanation for this could be the • Besides goals to increase the cyber • Having an understandable case for importance of preventing reputational maturity of an organisation, the cyber change alongside the cyber plan or and financial damage when a data breach change efforts should be aimed at strategy, as well as a clear business case occurs or when the organisation is found people: increasing a (cyber) risk aware and resource plan, helps to focus efforts out not to be compliant. mindset, embedding cyber as part of to increase cyber maturity and will more normal working routines, and nurturing a likely result in efficient and effective Having a cyber plan and strategy is one culture of informed and responsible risk realisation of cyber capabilities. aspect, but making sure the implementation taking. of the plan results in a structural cyber change is what really counts. • Cyber risk needs to be seen as an enterprise wide topic that matters, and Key takeaways to consider are: is not only the responsibility of the CISO. • To achieve a structural cyber change Early buy-in of relevant leaders in an in your organisation, it’s a good idea to organisation is crucial for an effective explicitly plan for the anticipated change implementation of a cyber plan or as part of your cyber strategy. strategy.
Which of the following will be the success factor(s) in achieving the cyber security goals?
By industry
Consumer 33% 36% 32% 31% 22% 19% 17% 10% 10%
4% 1% Energy, Resources 32% 32% 22% 22% 30% 17% 17% 9% & Industrials 4%
Financial Services 35% 31% 28% 22% 28% 38% 21% 6%
4% 4% Life Science 29% 29% 17% 25% 29% 17% 25% 13% & Healthcare 3%
Public sector 31% 27% 35% 33% 26% 16% 10% 12% 7%
2% Technology, Media 38% 37% 25% 24% 22% 19% 15% 17% 7% & Telecommunications
Others 40% 53% 33% 47% 20% 27% 13% 13%
Compliance (ISO, GDPR, data, privacy, etc.) Operations (monitoring, incidents, vulnerability management, 3rd party, supply chain, disaster recovery, business continuity) Communication & Training (end users, customers, PR) Identity & Access Management General Management (strategy, budgeting, reporting, governance, sizing) Fraud management (customer, employee) Business product security Physical and insider security OT/ICS manufacturing security None/not applicable
20 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
Privacy and cyber security efforts strengthen each other A Deloitte perspective by Annika Sponselee
and marketeers working closely together, Privacy and cyber security should not meaning it can cover a campaign’s legal be viewed as separate issues. The more aspects at an early stage. Some banks are privacy-sensitive the data is that an communicating with their clients about organisation handles, the more urgent data considerations, giving them control cyber security is. Measures to better over their data and, by extension, gaining protect privacy strengthen cyber security, their trust. and stricter cyber security measures also strengthen privacy. As trust is If an organisation properly and so vital to a data-driven organisation, responsibly handles data, then consumer protecting confidential data, and thus trust grows, adding significant value privacy, is a top priority. Its encouraging beyond simple compliance. When to see, therefore, that as organisations consumers know their personal data is mature, cyber security is increasingly Annika, partner Deloitte Risk Advisory kept safe and is not irresponsibly shared being addressed at board level, and the and head of Deloitte Privacy & Digital with others, they are more willing to cyber security strategy is becoming more Ethics Practice, has more than 15 years of share their information. integrated into the overall strategy.” experience advising clients on the legal, technical and organisational aspects of If consumer trust cannot be achieved, privacy. or if that trust breaks down, it is very difficult to regain. A data breach or the “Some one-third of respondents perceive misuse of data, for example, can negate compliance as the most important factor trust and damage brand reputation. for successfully achieving their cyber This is why it is so important to handle security goals. And they’re right: data carefully. The organisations that compliance is important when it comes to maintain a consumer-centric approach privacy. However, my hope is that in the know what consumers want from them: coming years, more organisations realise to stick to the rules and come up with that privacy goes deeper than just unique strategies for creating consumer compliance. In many organisations, trust. Responsible data use is the future, privacy is often still seen as a where organisations also have their own showstopper. In reality, privacy in 2021 moral compass. They must move beyond should be a business enabler. It is laws and regulations and ask themselves something that concerns consumers, important questions: What do we, as an making it a unique selling point. organisation, want to do with the data we collect? How do we ensure that we I’m glad to see some organisations deal with that data responsibly? How are already shifting towards handling do we handle technology responsibly? personal data responsibly and How do we make sure that we move ethically — not simply because of rules beyond regulations and follow our own and legislation, but because of the moral compass? Trust comes when an opportunities that doing so presents. organisation proves it can manage and They have privacy by design as a starting use data ethically and that it is looking point. One of our clients, a multinational beyond the law. company in consumer goods, has lawyers
21 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem 3. A recipe for CISO success
22 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
A recipe for CISO success A Deloitte perspective by Martijn Knuiman and Esther Schagen-van Luit
Having the right talent on the key topics Esther, Chief Information Security Officer reduces the challenges by at least half. at Deloitte Netherlands, is responsible for It struck me that managerial and non- keeping the data of Deloitte’s clients and managerial respondents give a different employees secure. ranking to the problem of “cyber risk alignment on senior stakeholder “As a former consultant in the cyber level”. In other words, CISOs and other team and having served many CISOs executives don’t always have the same throughout my years with the firm, I risk perception - and apparently the thought I understood exactly what was Martijn, partner Deloitte Cyber Risk Services, CISO is the last to know. That’s a matter needed from a CISO. However, stepping has been a cyber security advisor with of communication. CISOs are good at into the role, understanding the challenges Deloitte for 16 years. He now leads the talking to other CISOs at conferences, and effectively navigating through them Cyber Risk Vigilant & Resilient team. but explaining cyber challenges such as proved to be two very different beasts. I emerging threats in such a manner that think my main added value is in helping “At Deloitte we organise CISO Transition they’re easy to digest by board members our culture in IT better resemble our and Onboarding Labs, and in my is a point of improvement. Again, a culture in the consulting business – in experience the issues CISOs struggle with non-technical and very basic challenge: other words, we are there to serve our are mostly business oriented, and far managing your relationships and most clients first and foremost. It’s just that now from technical: they have to do with time, influential stakeholders. the consultants, my former colleagues, are talent and relationships. The survey my clients. Going from the ‘department results confirm that. It’s no surprise that This touches on the role of the CISO, of no’ to the ‘department of know’ takes CISOs are often distracted by firefighting which is changing from being ‘the time, as we need to develop an advisory the latest internal issues, while they also department of no’ to being a business mindset. We cannot say yes to their need to keep up with the latest external advisor and enabler. For years, CISOs requests if they’re a mismatch with our threats. Meanwhile, their organisation have had to shout to get the attention security requirements, but we should is constantly changing. They have a role of the board, but now that they have always look for creative solutions together, to play in major transformations, but that attention, they need to show what solutions that still allow them to pursue sometimes get called in too late. Amid their added value is by delivering their ambitions. all this, they need to set cyber security a meaningful contribution to the ambitions of their own and try to make conversation. And to do so, they also Having a great team in place that can deal progress towards them. In our labs, CISOs need to listen. Successful CISOs are able with security operations and management learn to divide their time across issues to translate security technicalities into autonomously, expertly and with a keen based on urgency and importance, and to business language, making them better eye for the client’s interests, is another delegate. advisors. In our labs, we let CISOs practise priority. In return I try and enable them doing a pitch for stakeholders in the by automating, standardising and Many respondents highlight emerging business in 30 minutes, then 3 minutes simplifying security where possible. Their technologies as a challenge. There’s and then 30 seconds. proficiency enables me to free up time always new malware to watch out for, to chart a strategic course and engage and as businesses evolve, this also Today’s CISO is therefore a different my local and international stakeholders. introduces new cyber threats. For personality type. A decade ago the The sheer range of stakeholders I need to example, manufacturers are building CISO was very technically focused, interact with in order to effectively drive connectivity into their production lines to whereas nowadays the CISO needs to my security initiatives is tremendous, monitor and adjust processes. A fantastic communicate with the business and and as such I’ve made it a core priority in innovation, but each access point could manage a diverse and inclusive team. A my role as CISO to get in touch and build be a back door to the company’s IT CISO no longer needs to rely on a deeply relationships.” infrastructure. CISOs need to be involved technical background. It’s more important in these projects from an early stage. to be a people person.”
23 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
How is the role of CISOs to 36% of our surveyed CISOs, the ultimate In the past CISOs often reported solely to goal of cyber security is to protect people the CIO, a role that has started to shift to a changing? What are they and assets from harm, misuse and abuse. board-level executive. This gave the CISO struggling with? And what And as mentioned before, the nature a sponsor who can influence the executive of their role has changed, from a purely board members. In our survey 49% of the do they need to succeed? technical to a more business integrated CISOs working in organisations with more Respondents share their role, in which they operate and find than 1,000 employees directly report to the solutions within their organisation while CIO. The shift can be seen in the other 51%, observations. keeping an eye on emerging threats. Where where 15% report directly to the CEO and/ in the past the CISO was considered to or the Board of Directors, 13% to the CFO 3.1 The CISO: no more “department be the “department of no”, the CISO has and the remaining 28% to the CRO, CTO, of no” transitioned to a valued business advisor COO or CCO. The CISO is the senior-level executive and an enabler for business strategy. responsible for protecting information The greatest attraction of the office of The reporting line shift could be an that the organisation handles. The CISO CISO (cited by 38%) lies in the rapidly indication of more effective and direct directs staff in identifying, developing, growing importance of the role. This communication with the board, as a direct implementing and maintaining processes offers opportunities to have an impact on line has been established. Similarities across the enterprise to reduce risks the organisation while at the same time among perspectives can be found, as 36% related to information and information moving up the ladder. In second place are of CEOs and CISOs felt most strongly about technology. They respond to incidents, the dynamics of the field and the constant setting the right security ambition in the establish appropriate standards and opportunities to develop one’s skills. context of the organisation’s goals in order controls, manage security technologies, to be successful. and direct the establishment and Who does the CISO resport to? implementation of policies and procedures. The evolution of the CISO is not limited to The CISO is also usually responsible for the subject matter. Their position within information-related compliance. According organisations has also undergone changes.
A CISO's personal priority Who does the CISO typically report to in your organisation?
Cyber is a becoming a key aspect in IT and it 38% CIO 49% is an opportunity for me to grow my career
Cyber is a dynamic field and there 27% CFO 13% are constant opportunities to learn
Meeting (CISO) peers from 12% CEO 10% across the industry
Cyber security is a relatively new domain, 11% CRO 10% so I want to focus on drafting procedures
None/not applicable 10% CTO 8%
COO 8%
CCO 5%
Board of Directors 5%
24 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
What mandate does the CISO have? Which statement applies best to the CISO’s mandate? As the evolution of their role sets in, the mandate of CISOs has been adjusted. By organisation size Almost half (44%) of the CISOs have a mandate to prioritise and fix problems as 44% 4% they see fit. This gives them the opportunity 6% 7% 14% to advocate for security solutions that fix or flag cyber threats that are not on the 26% agenda of other board-level executives. 33% 30% 49% A third (33%) of all CISOs have access 39% to the decision-making process in the organisation. This is especially true in 27% 24% smaller organisations with fewer than 21% 1,000 employees (39%), while in larger organisations (1,000 or more employees) 20% 27% or less indicate having access to such processes. 48% 42% 39% “The role of a CISO is clear 26% 2% today. But what that role < 1,000 1,000 - 5,000 5,000 - 10,000 > 10,000 will look like in the near employees employees employees employees future is unclear.”
Mandate to prioritise and fix problems immediately - a respondent Mandate to access the central decision-making process Mandate to participate in executive-level decision-making conversations Others
25 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
3.2. Main challenges CISOs face challenges for a CISO to overcome, for currently respondents indicate that they rarely The increased attention to cyber incidents example: finding good professionals, have challenges on this topic, this might change and their aftermath has raised the executive support, sufficient budget or a in the near future.” priority of cyber security among high level mandate to participate in decision-making professionals besides CISOs. After all, conversations at the right level. Interestingly, - Jan-Jan Lowijs, Director Deloitte Cyber protecting the cyber environment means our respondents indicated that they rarely Risk Services protecting an organisation’s production have challenges resulting from changing environment and crown jewels. international laws and regulations, or from The most cited challenge faced by data management complexities in general. organisations and CISOs when it comes Therefore, it is no surprise that 54% of This could be an indication either that our to managing cyber security is the overload organisations admit that news of major respondents have bigger challenges to of priorities that need to be managed attacks is increasing the pressure on the tackle at this stage, or that these upcoming simultaneously, 31% of CISOs (1,000+ cyber security maturity of their organisation. challenges are well under control. Our employees) agree with this compared This is especially true for larger organisations assumption is that it is not the latter. to 21% of the general population. - 66% of organisations with 5,000 to 10,000 employees and 68% of organisations with “We see that more and more international laws A cross-industry perspective shows that more than 10,000 employees. and regulations demand that data is properly Financial Services, Technology, Media & protected and properly managed. It’s also fair Telecommunications, and Energy, Resources What are the challenges that CISOs face? to say that this is an emerging field: not so and Industrials face challenges with emerging CISOs have to balance the needs and many laws that demand proper data protection technologies hindering their execution and capabilities of their organisation while and data management are on the books so far, implementation. Public Sector and Consumer keeping up with emerging technologies however many more are being proposed right industries struggle with handling too many and threats. There are also various other now. So this could be an indication that while priorities within the organisation that need to be managed simultaneously.
What gives you headaches in executing your role?
10% 15% Emerging technologies 26% Lack of sufficient budget Inadequate governance 31% across organisation Too many priorities within the organisation 10% Lack of mandate to participate that need to be managed in decision-making conversations simultaneously 13% Lack of executive support 8% Lack of cyber risk alignment 21% on senior stakeholder level Inadequate availability managerial roles 16%, non-managerial roles 8% of professionals 13% Lack of support from 0% business lines 28% Data management complexities Lack of integration of cyber risk priorities 21% Inadequate competency 10% 10% with business priorities 10% of professionals Differing international laws Focus of the business on other and regulations (digital)Differing priorities international (shifting priorities) laws and regulations
26 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
3.3 CISO success: what are the capable and equipped with knowledge fit in their role. Other success factors ingredients? to face organisational cyber challenges. mentioned are (36%) activating business/ To be successful, according to Besides, the CISO must be good at IT stakeholders to act on their respective respondents, a CISO needs to be a jack of handling budgets and investments. The security responsibilities and configuring all trades. Above all, they must have the diversity of desired skills is particularly the security organisation in order to talent to align the constantly changing notable. In short: a good CISO must above effectively build and deliver the right priorities of business and IT. Meanwhile, all be a good — all-round — manager. security capabilities. the cyber security ambition also needs to be set and kept up-to-date at the right 54% of CISOs are of the opinion that In this area there are few differences level, as discussed in the second chapter, setting the right security ambition in the between sectors, except in the case of Life where we surveyed the success factors in context of their organisation’s goals — in Sciences & Healthcare, where 38% believe achieving cyber security goals. The CISO other words, definining when good is good it is even more important to align the has to attract team members that are enough — is paramount to succeeding changing priorities of business and IT.
What do you need to be successful in your role?
26% 33% Showcasing the relevance of security to business 36% Securing sufficient and IT stakeholders (e.g. through Activating business/IT budget to execute plans a compelling narrative) stakeholders to act upon their respective security responsibilities 54% 23% Structurally aligning Setting the right security to changing priorities ambition in the context of business and IT of my organisation’s goals 31% Understanding where 18% 36% security investments Designing and managing an effective Configuring the security are most impactful security (change) programme organisation in order to effectively build and deliver the right security capabilities 18% 3% Recruiting and retaining people Personal development, opportunities with the right security expertise to learn and grow
27 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem 4. Cyber security in a changing landscape
28 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
Cyber security in a changing landscape A Deloitte perspective by Frank Groenewegen
I share the worries that 50% of surveyed place, the time it takes for organisations organisations have with respect to to detect it is still too long. In recent cases managing cyber risks introduced by the victims had no idea until they were third parties. The SolarWinds incident tipped by a cyber security company or a has hopefully opened eyes once again law enforcement agency. and brought the whole third-party risk discussion back on the table. It’s a good So rather than prepare for future threats idea to offer suppliers help in improving like quantum computing, organisations their cyber security, but it’s impossible would do well focus on the basics first. to fully control what’s happening outside And organise regular cyber ‘fire drills’, your own organisation. A zero-trust with ethical hackers, not to only keep approach remains best if that’s possible, staff aware but also to test and improve besides having mature detect and their digital resilience. Frank, partner Deloitte Cyber Risk Services, respond capabilities. has over 15 years of experience in the field Even when the basics are mature for of cyber. From a position of Chief Security Respondents are right in perceiving the risk profile and risk appetite that Expert at his previous employer he recently increasing proliferation of threats. an organisation has defined, sooner or joined Deloitte. He is a well-known media Criminals can earn far more with hacking later every organisation will experience a presence, who is frequently invited to in cyber space than burgling homes and cyber security breach. So, it’s also smart discuss various cyber security topics. businesses in the physical world – and to think about your response. My advice the risk of getting caught is far lower. But I is not to dwell on reputational fears but “The ranking of cyber threats that don’t believe digital threats are becoming to share information and lessons learned. respondents give is different from what more sophisticated overall. Some attacks The sooner society knows about a cyber I would choose. In my list, the number are very clever and sophisticated, and I threat, the easier it is to eliminate. The one digital threat to protect against is enjoy analysing and responding to them. aviation industry sets a great example a ransomware attack, with criminals In most cases, though, there’s no need for in this respect: after a crash or near- stealing and encrypting data and sophistication, since easy hacks are still crash, all the information is immediately demanding huge ransoms to restore. effective and lucrative. shared, and an independent institution Our survey shows that 40% of our investigates. That’s the mindset that will respondents state that ‘data leakage’ is In my view, it’s organisations themselves make cyber space a safer place.” their number 1 digital threat. Attacks that are becoming more complex. like this pose an immediate threat to They create, change and upgrade their your business continuity. Second on infrastructure repeatedly with new my list is an attack from a nation state, systems, interconnections and patches. Spies today are not only breaking into Meanwhile, they lack a clear overview government entities to steal classified of which systems they have, what their information. They also attack corporates patch level is, or which accounts have to steal confidential (customer) data, steal access to what data. Attackers only need intellectual property or even destroy to find one vulnerability or mistake to their network and bring their business to gain access, and in a labyrinth like this, it’s a halt. not hard to find one. Once a hack takes
29 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
This chapter focuses on Possibly due to this constant pursuit, 26% from our survey show that the increasing of the CISOs of organisations with more importance of employee awareness, training the results from our survey than 1,000 employees see the increasing and behaviour is the most anticipated regarding anticipated importance of employee awareness, development within the Public Sector; with training and behaviour as a key anticipated 44% of our respondents from the Public developments in cyber development in cyber security. There is an Sector marking this as such. This same security, (potential) upward trend in this perception among perception is also witnessed in the Life the IT professionals that were surveyed Science & Healthcare industry (42%). One cyber threats and the when compared to the size of their might ask whether this has something to do organisation’s confidence organisation, with 34% of respondents with the employees’ responsibilities and/or from an organisation with 5,000 - 10,000 handling of particular data. in handling them. employees and 40% of respondents from an organisation with more than 10,000 4.1 Envisioned cyber security employees marking this development as developments key. These numbers are significantly higher “For us, the most valuable Cyber security attracts loads of attention, when compared to respondents from development of the not only from the media, but also from smaller organisations, as can be seen in the internal and external stakeholders. following graph. past year was managed Meanwhile, the cat-and-mouse-game detection and response.” continues between on the one hand cyber The envisioned cyber security developments developments within organisations and on can also be analysed based on industry, as - a respondent the other hand the evolving cyber threats. highlighted in the next graph. The results
What developments do you anticipate?
By organisation size By industry
14% Consumer 48% 31% 34% 22% 23% 19% 14% 7% 9% 14% Energy, Resources 25% 39% 39% 20% 23% 22% 14% 16% 34% & Industrials 40% 27% 33% Financial Services 25% 43% 25% 31% 25% 13%
40% 27% Life Science 47% 25% 29% 29% 42% 13% 21% 41% & Healthcare 26%
60% Public sector 37% 28% 39% 44% 9% 11% 29% 38% 32% Technology, Media 30% 33% 33% 25% 36% 17% & Telecommunications 43% 32% 34% 38%
Others 47% 47% 60% 40% 27% 13% < 1,000 1,000 - 5,000 5,000 - 10,000 > 10,000 employees employees employees employees
Increasing sophistication and proliferation of threats Increasing importance of employee awareness, training and behaviour Increased importance of identity and access management Separation of IT and OT automation and security Increasing utilisation of cloud technology Increased importance of OT security
30 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
4.2 Threat perceptions There is significant agreement on to improve an organisation’s cyber security When regarding the previous two this vision, with 67% of CISOs (>1,000 and resilience is improving basic internal graphs on anticipated cyber security employees) deeming this evolution of security processes. developments, there is one category threats to be the key development that among the answers that is fairly out of an organisations need to be aware of in order In our survey, we asked the respondents organisation’s control. Our survey shows to anticipate and to be resilient. to what extent they agree with several that 36% of the CxOs foresee an increasing statements about cyber security. The results sophistication and proliferation of threats When taking a closer look at the industries, are visualised in the following graphs. in the upcoming future as key development we see a similar pattern. For example, most in cyber security. of the respondents (48%) mention that increasing sophistication and proliferation “I don’t believe digital of threats is their foremost anticipated threats are becoming Threat perceptions development in cyber security. Also the respondents from the Energy, Resources & more sophisticated By role Industrials acknowledge this (39%) overall. (…) In most
However, as Frank Groenewegen cases, though, there’s no CxO 36% stated, threats posed by organisational need for sophistication, complexity should not be underestimated. CISO 37% The fact that organisations’ lack a clear since easy hacks are still understanding of their infrastructural Other 35% effective and lucrative.” environment and, for example, packing of patch management gives threat - Frank Groenewegen actors relatively easy entrance into the organisation’s systems. The starting point
To what extent do you agree with the following statements about cyber security?
In case of a ransomware attack, I would certainly pay to get my data back I’m getting more concerned about security maturity of the third parties my organisation digitally collaborates with than our own resiliency The security maturity of third parties is increasingly difficult to manage The attack surface of all organisations is rapidly increasing I’m confident that my organisation has built up enough stamina and fortitude to stand up after an attack
By organisation size By industry
Consumer 21% 55% 55% 62% 56%
57% 68% 64% Energy, Resources 65% 38% 45% 65% 64% 59% & Industrials
Financial Services 40% 59% 69% 65% 76% 71% 76% 58% 68% Life Science 29% 46% 71% 71% 46% & Healthcare
56% 71% 56% 73% Public sector 17% 39% 54% 65% 61%
Technology, Media 38% 54% 58% 60% 72% 51% & Telecommunications 46% 46% 51%
Others 20% 33% 67% 67% 60% 34% 27% 29% 15%
< 1,000 1,000 - 5,000 5,000 - 10,000 > 10,000 employees employees employees employees
31 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
As can be seen in the previous graphs, As mentioned by Frank Groenewegen in “We don’t know which in addition to the discussed evolving the introduction of this chapter, a particular threats, many respondents of our survey threat that is becoming more widespread next-gen threats we will believe the attack surface of organisations these past few years is ransomware. We be up against, neither do is rapidly increasing. Between 60% and have asked the respondents of our survey 71% of our respondents from several whether they would certainly pay the we know which next-gen industries mention this. ransom in order to get their data back in opportunities we will get the case of a ransomware attack. There The belief in rapidly increasing attack is a descending trend in the results from to protect ourselves.” surfaces particularly resonates within the our survey when regarding the size of the larger organisations: organisation (results can also be seen in - a respondent the previous graphs): • 71% of IT professionals within organisations of 5,000 - 10,000 • 34% of IT professionals within smaller employees state this. organisations (<1,000 employees) agree with this statement. • 76% of IT professionals within organisations of more than 10,000 • 27-29% of IT professionals within employees state this. organisations of 1,000 - 10,000 employees agree with this statement; The results show an ascending trend in this regard; the bigger the organisation, • 15% of IT professionals within the higher the percentage of respondents organisations of more than 10,000 who believe in this rapidly increasing employees agree with this statement. attack surface. However, among the CxO respondents, 83% agreed with the It is a positive development that statement that the attack surface of all organisations are becoming less willing organisations is rapidly increasing. One to pay criminals to get their data back, as might assume that bigger organisations this could imply that organisations are have a larger attack surface, but there incorporating solutions to restore their might also be a lurking lack of awareness own data and become more resilient within smaller organisations. towards ransomware attacks.
In addition to these numbers, the vast majority of CxO respondents disagreed with this statement; 61% said “no” to certainly paying the ransom to get the data back. When regarding industries, IT professionals within Public Sector, Consumer, Life Science & Healthcare, and Other are least likely to pay in the case of a ransomware attack.
32 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
4.3 Concerns with managing third 61% of our respondents express more Top three threats: party cyber risks concerns about the security maturity of As mentioned by Frank Groenewegen third parties than about their own resilience earlier in this chapter, numerous against cyber threats. A remarkable 72% of organisations are dealing with concerns CISO respondents with 1,000+ employees Data leakage regarding third parties which could feel that the security maturity of third parties impact resilience. As can be seen in the is increasingly difficult to manage. A large graphs in the previous paragraph, 51% number of organisations participated in of respondents from large organisations this study, of which many might be part of (10,000+ employees) say that they are each other’s supply chain. With all this in getting more concerned about the mind, 59% of CISOs with 1,000+ employees Phishing, malware, security maturity of the third parties nevertheless feel that they are resilient or vulnerability their organisation digitally collaborates against cyber threats, which might indicate exploits with. Financial Services organisations a trust gap in the supply chain. resonate most with this statement; 59% of respondents from this industry made Other threats that can keep us up at night the same remark. In addition to these Beside third-party concerns, the following concerns, 73% of respondents from large graphs illustrate that there are other threats Extortion or organisations (10,000+ employees) state that can keep IT professionals up at night. destruction of the that the security maturity of third parties is Respondents from bigger organisations organisation’s data increasingly difficult to manage. (1,000-10,000+) mentioned the same top three of threats:
Feared cyber threats
By organisation size By industry
12% Consumer 63% 69% 59% 61% 60% 63% 56% 56% 52% 46% 12% Energy, Resources 13% 68% 70% 67% 57% 64% 59% 72% 67% 57% 54% 20% 27% & Industrials 11% 13% 11% 10% 16% Financial Services 76% 71% 72% 60% 59% 59% 57% 68% 44% 49% 11% 14% 5% 6% 21% 13% 17% 11% Life Science 12% 67% 58% 54% 63% 50% 54% 58% 50% 46% 42% 26% & Healthcare 18% 23% 21%
25% Public sector 70% 50% 52% 58% 49% 49% 42% 44% 31%33% 16% 29% 29%
Technology, Media 23% 72% 66% 64% 64% 68% 67% 62% 62% 59% 51% & Telecommunications 47% 40% 44% 28% Others 67% 87% 67% 73% 53% 53% 53% 20% 53% 47%
35% 50% 49% 45% COVID-19 impact on prioritising cyber investments Data leakage
21% Phishing, malware, or vulnerability exploits, making us an easy target 11% 13% 10% Extortion or destruction of the organisation's data < 1,000 1,000 - 5,000 5,000 - 10,000 > 10,000 Employee abuse of IT systems and information employees employees employees employees Espionage or theft of our IP or financial assets Differing cultural interpretations of security positive behaviour (millennials, lax behaviour) Security breaches involving third-party organisations Supply chain attacks Zero days attacks None/not applicable Another threat, please specify: 33 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
Confidently responding to threats Respondents from companies with I am confident that my organisation has In the previous section, we identified the 5,000-10,000 employees have the most built up enough stamina and fortitude top three threats that keep people awake confidence in handling data leakage, to stand up after an attack at night. Interestingly, respondents also differing cultural interpretations of indicated that they feel confident they can security positive behaviour, and espionage By role handle these threats. or theft of their IP or financial assets. Results from organisations with fewer It is also interesting to note that all IT than 1,000 employees can be viewed in All 64% professionals, no matter the size of the the corresponding graphs, along with CxO 70% organisation, have the biggest confidence industry-specific results. in handling the impact of COVID-19 on Other 64% prioritising cyber investments. This Finally, we asked our respondents whether confidence seems to grow with the size of they are confident that their organisation the organisation; from 74% of respondents has built up enough stamina and fortitude By organisation size from organisations with 1,000-5,000 to stand up after an attack. Our survey employees to 85% of respondents from shows that 68% of IT professionals in organisations with over 10,000 employees. large organisations (10,000+ employees) Nevertheless, this leaves the question have confidence in this regard. This aligns what the actual prioritisation or resource with 70% of the CxO respondents that allocation for cyber investments will be, expressed the same confidence. Based on particularly during the prevalence of the results of our survey as discussed in COVID-19. this chapter, chances are that this number 68% 65% will rise with the envisioned increase in 63% 57% Confidence in handling other threats is the importance of employee awareness, more varied across organisation size. training and behaviour, especially when Interestingly, IT professionals from paired with the will to develop or opt for companies with 1,000-5,000 employees solutions to mitigate the risk of threats and IT professionals from companies with like data leakage, phishing, malware (e.g. over 10,000 employees have the most ransomware), vulnerability exploits, or < 1,000 1,000 - 5,000 5,000 - 10,000 > 10,000 confidence in handling the same top three the extortion and destruction of the employees employees employees employees threats that were just mentioned as the organisation’s data. most severe:
Data leakage
Phishing, malware, or vulnerability exploits
Extortion or destruction of the organisation’s data
34 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem 5. Responsible cyber security: all for one, one for all
35 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
Responsible cyber security: all for one, one for all A Deloitte perspective by Kevin Jonkers
the malware they use. Government government as well. They can help enforce institutions, private organisations and security requirements for hard- and cyber security specialists are sitting on software allowed on our markets and a an enormous pile of such intelligence, default level of security that must be built but sharing is not happening at the scale into IT services. After all, would you buy a we need for it to be effective. Currently, car without all the required safety features the Dutch government is setting up a like seat belts and air bags? So why do we nationwide system for sharing information accept insecure IT on the market? on cyber threats (also known as Landelijk Dekkend Stelsel). However, work is in the Overall, we are in need of a more strategic start-up phase. Partly this is a matter of and structured approach to tackle organisational and legal obstacles that this problem at national level. Many our government needs to iron out. On organisations would like to contribute, Kevin, director Deloitte Cyber Risk Services, the other hand, organisations have a role but simply don’t have the right channel has worked in cyber security for almost 15 in this problem, too. They don’t feel safe or means to do so yet. A national strategy years. Besides his role as public sector lead yet to share information that might be can help. This could include lessons in the Deloitte Cyber team, he is also a board commercially sensitive or reputationally learned from sectors, like our banking member at industry association Cyberveilig damaging. On the other hand, going it sector, where various successful initiatives Nederland. Kevin also actively contributes to alone in cyber security carries risks, too — on sharing intelligence, broad security public-private partnerships like Hack_Right often bigger risks. Ideally, the nationwide testing and combating fraud together have and the Cyber Security Alliance. system will offer organisations a safe already proven valuable. environment where openness on cyber “My activities in various public-private security related matters does not backfire. The survey shows variation according partnership initiatives really build to organisation size and sector, but on the broadly supported view that When speaking with clients in the managerial and non-managerial cyber security is a joint responsibility private sector, we tend to see that the respondents are remarkably in agreement. between organisations themselves and more cyber mature organisations (often In itself this is good news, as it means that our government. Just as in the physical large corporates and financials) have both at a strategic and an operational world, we are all expected to take some understood that cooperation in their level, agreement can be found that necessary precautions ourselves to secure sectors and with governments (e.g. cooperation between public and private is our IT infrastructure. At the same time, we intelligence agencies, National Cyber of vital importance.” expect our government to play a big role Security Centres and Police) is crucial in preventing, investigating, prosecuting to stay on top of the threats they face. and punishing criminal activities. Balancing However, that’s only the tip of the iceberg. and aligning responsibilities and ensuring the best possible cooperation between Small and Medium Enterprises in the various stakeholders are all still very much Netherlands usually don’t have the time in development. We are progressing step or budget to achieve the same level by step, and we quickly need to learn to of maturity on their own. Since even walk and then run. large corporates rely heavily on smaller organisations in their supply chains, A key topic for discussion is sharing this poses a problem for our society as so-called “threat intelligence” such as a whole. I already see some instances information about threat actors, their where larger organisations are trying to modus operandi, their motivation, support their smaller suppliers or even (potential) targets, infrastructure and competitors, but we need a step-up by our
36 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
This chapter focuses on responsible in ensuring that people To what extent do you agree with the pursuing a career in cybercrime face legal following statements about cyber the results from our survey repercussions. One way for organisations to security? regarding a sense of duty, take responsibility is sharing information on (potential) attacks with other organisations shared responsibilities and and with the government by reporting the contributing to a safe (attempted) cyber attack. A further step for the organisation is to chase and uncover 49% and secure cyber the cybercriminals and actively work with 45% 41% resilient society. the police in bringing them to justice. As the 41% following graph shows, the vast majority of IT professionals support this view; between 5.1 Doing one’s duty 65% and 71% (depending on organisation According to 25% of the respondents, the size and industry) of our survey’s ultimate goal of cyber security is to protect respondents agree with the statement that people and assets from harm, misuse and an organisation has such a duty of care 71% abuse. 22% opined that protecting the vital and must ensure that cyber criminals are 66% 67% 65% assets of the company is the most important criminally prosecuted. CISOs are in even objective. For at least one out of ten, the stronger agreement; 74% feel responsible ultimate goal of cyber security is making the in this regard. digital ecosystem a safer place. Besides actively responding to cybercrime, < 1,000 1,000 - 5,000 5,000 - 10,000 > 10,000 This being said, each organisation is detection and prevention are responsibilities employees employees employees employees responsible for its own cyber security. At that organisations are encouraged to take. the same time, however, they are asked to However, as can be seen in the following As an organisation, you have a duty of care and contribute to a secure Dutch cyber society. must ensure that cyber criminals are criminally graph, some respondents of our survey prosecuted All should contribute towards a society state that effectively preventing cybercrime Effectively preventing cybercrime comes at the in which it is safe to do business, live and comes at the expense of privacy. 70% expense of privacy consume electronically. of IT professionals that are in the role of CEO (or equivalent) and 54% that are in “It’s very interesting to see the widely diverging In line with this vision, we have asked our the role of CISO (or equivalent) agree with responses to this question. But they’re not respondents whether they experience this statement. This differs from the other contradictory per se. On the one hand there this call of duty and whether they feel surveyed CxOs and IT professionals; 67% is the realisation that preventing cybercrime said “no” to this statement. would probably benefit from the ability to analyse more data – some of which will What in your opinion is the ultimate goal be personal data. On the other hand it is of cyber security? Effectively preventing cybercrime comes acknowledgement of the fact that when at the expense of privacy (% agree) analysis is done properly, and within the To protect people and boundaries set by privacy rules, preventing assets from harm, 25% cybercrime does not necessarily come at the misuseand abuse CEO 70% expense of individuals’ privacy. Adding to To protect the vital assets 22% that is the fact that preventing cybercrime is of our company CISO 54% also beneficial for individuals’ privacy, as less To make the digital Other CxO 33% 12% personal data is leaked or stolen. So the appeal ecosystem a safer place Other IT 33% to every CISO and every CxO is: if you do want professionals to use personal data for preventing cybercrime, To help grow responsibly 11% actively align that intended use with privacy To build trusting considerations. Can we use less personal data? relationships between 10% These diverging opinions can also be Can we pseudonymise or anonymise that stakeholders witnessed when comparing the surveyed data? Do we make sure we destroy that data To recover rapidly from industries. It seems there might be various 7% as soon as possible? In other words, design adversity and disruption perceptions of the impact on privacy (and your systems optimally, balancing cybercrime To make our business indeed of privacy itself). Moreover, it is up prevention with individuals’ privacy. This needs harder to target 6% for debate to what extent a potential breach than others to be full-sum, not zero-sum.” of privacy can be justified, for example for I don't know 6% the greater good of sharing information and – Jan-Jan Lowijs, Director Deloitte Cyber lessons learned. Risk Services
37 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
“The details of security attacks; respondents across all industries “What we need is fewer and organisation sizes have the least incidents and their causes confidence in handling zero day attacks political restrictions are often kept secret. That and/or supply chain attacks (as can be to share incident seen in the threat graphs in the previous makes it more difficult to chapter). information, creating learn from each other and more transparency. Besides corporate responsibility, many improve security.” respondents from various industries That paves the road to commented on the governmental sharing best practices and - a respondent and societal aspects of this shared responsibility in creating a cyber resilient learning from each other.” 5.2 A shared responsibility society. As can be seen in the graph (by As highlighted by Kevin Jonkers in the organisation size), the bigger the size of - a respondent introduction of this chapter, creating the company, the stronger the belief it’s a cyber resilient society can only be the responsibility of both organisations effectively achieved together rather than and government(s) to achieve a cyber alone. It is vital to mature cyber security resilient sector. 72% of surveyed CISOs throughout the organisation’s supply chain. (1,000+ employees) share the opinion 59% of surveyed CISOs (1,000+ employees) of the respondents working with large stated that operations, including third organisations. These results highlight the parties, are a key success factor in call for improved alignment and closer achieving cyber security goals. This cooperation among all parties that play a pairs with a perceived lack of confidence part in our society‘s cyber resilience. regarding how to handle supply chain
Who is responsible to achieve a cyber resilient sector?
By organisation size By industry
7% 6% 14% 5% Consumer 48% 38% 11% 3% 7% 17%
13% 17% Energy, Resources 28% 42% 20% 10% 17% & Industrials 33%
Financial Services 50% 25% 10% 15% 32%
Life Science 50% 21% 17% 13% & Healthcare
72% 66% Public sector 62% 17% 7% 13% 53% 41% Technology, Media 48% 30% 9% 12% & Telecommunications
Others 67% 13% 13% 7% < 1,000 1,000 - 5,000 5,000 - 10,000 > 10,000 employees employees employees employees
Companies and government Companies themselves Companies together Government
38 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
5.3 Contributing to a cyber resilient “Structural cooperation society It’s great how our survey shows that between organisations many organisations have a deep feeling and industries is the of responsibility and actively think about what they can do to contribute road to a safer, cyber to a more cyber resilient society. We resilient society. Examples asked our respondents whether they see opportunities for organisations to include sector-specific contribute to a more resilient sector and consultations or a cyber resilient society. The creativity, confidence and positivity in this regard knowledge bodies, in seems to grow with organisation size (as which there is no room can also be seen in the following graph). For example, IT professionals from large for mutual competition.” organisations (10,000+ employees) are the most positive in this regard, with 63% - several respondents seeing these opportunities. The surveyed CISOs leave little room for interpretation in It is heartening to see such broad support, this regard; 100% of these respondents especially in the upper echelons of see opportunities for organisations to organisations, for more collaboration and contribute to a more cyber resilient partnership to ensure a cyber resilient society. These results seem to highlight society. The results underline that over the evolution towards a safer and more the past years, stakeholders in all kinds resilient digital society. of roles and positions have started to see that the only way to successfully combat cyber threats is by working together. This is an important step towards actually Do you see opportunities for delivering on such ambitions. companies to contribute to a more resilient sector and a safer digital The key challenge for the coming years ecosystem? will be to channel all this positive energy and activity in a structured and efficient By organisation size way. This requires a more integrated and centralised consensus and direction, in which both public and private organisations are well represented. Let’s 31% bring down the barriers that we still face 40% in our efforts to increase collaboration in 52% 51% this space, be they legal, organisational 6% or cultural. By doing so, we can combine national and sectoral cyber resilience to 6% build a truly cyber resilient society.
8% 12%
63% 54% 41% 35%
< 1,000 1,000 - 5,000 5,000 - 10,000 > 10,000 employees employees employees employees
Yes No Don’t know
39 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
Conclusion
More than fifty years ago today, the first with opportunities to learn and grow. That a more secure sector. This indicates that a message was sent over the internet. said, a similar number of them also feel vision of working together is shared across Digitalisation has since then managed to they have too much on their plate already, the Netherlands. Going forward, cyber impact our lives in ways that we couldn’t while they must also keep their organisation security will only become more important, have dreamed of at the time. It enables our future proof and ready for next-generation as both basic and advanced threats are societies to strive and continuously reinvent threats. Boards must understand that cyber on the rise. We will need to leverage each themselves. But great progress has also security is a shared responsibility and that other’s wisdom and support in the coming brought new risks. The digital infrastructure they must make joint decisions on realistic years, across academia, government and that our societies rely on has become and pragmatic goals. This requires not only the private sector. This may mean sharing alarmingly complex. A variety of actors pose awareness of problems and solutions, but information on threats and incidents more a threat to our digital world. Security experts also commitment to make tough decisions. effectively, but also exchanging ideas and across industries and from organisations big It’s difficult to prepare for the threats lessons learned. The government needs to and small work to keep their organisation, of tomorrow if you’re not ready for the take a leading role in converting the energy and our society, cyber secure. This report threats of today. and goodwill in the security sector into has provided insight into what they think clear and effective initiatives that make the and feel. Because the current threat landscape Netherlands more cyber resilient. is already challenging. Just one key More and more organisations nowadays vulnerability is often all attackers need. If we can define shared cyber security goals have at least a basic understanding of the The sheer size and complexity of modern and work together to achieve them, we importance of cyber security investments. organisations raises the question to can reap the benefits of digitalisation in Most have translated this into cyber security what extent organisations can, and dare the Netherlands for the next fifty years and plans or strategies, and almost half have to, rely on their defensive capabilities. beyond. We already have our key role in seen a rise of more than 6% in budget per Risks also lurk in complex supply chains, global high-frequency trading on financial year. This indicates that boards understand in which organisations depend on each markets, our champion in semiconductor the importance of a cyber secure other’s cyber security measures but are technology, and our world-class automated organisation and the necessity to invest. not able to exert significant influence over port of Rotterdam. What will be next? The many examples in the news of Dutch them. Organisations can go a long way in organisations hit by cyber attacks in the past managing their risks by focusing on basic Deloitte is committed to the cause of years has likely added to this understanding. cyber security hygiene and detection helping our clients build responsible mechanisms, and exercising risk-based businesses that play their part in a cyber Effectively executing cyber security initiatives control over suppliers. As a society, we resilient society. In order to do so, we want is hard. Almost a quarter of the respondents should focus on enforcing standards that to help facilitate the next steps by: are behind on their planning. What helps raise the expected security level to a shared is engaging with the business, forming minimum. Defining this level is a complex • Organising round tables and sessions that partnerships and communicating security as issue, given that cyber risk is just one of bring key stakeholders on cyber resilience an enabler rather than simply a cost item. the many risks our society faces, and can together to discuss concrete and We increasingly understand that the ability require significantly more investment meaningful actions we can take collectively of CISOs to influence the security maturity of depending on our ambition. their organisations is based on their ability • Bringing our expertise to CISOs to help to influence people. Being cyber secure is not enough, however. them grow in their role and accelerate Either for individual organisations or for their journey as leaders Our respondents are often optimists. society as a whole. To continue our digital They are confident that they can handle journey with confidence, we need to be • Being an active voice and contributor to cyber security threats, are not worried able to take a blow and stand up again. In the public debate around cyber resilience about the impact of COVID-19 on their other words, we need to become cyber in the Netherlands budgets, and a large majority think their resilient. Making our society more cyber organisation can withstand a cyber attack. resilient is a shared responsibility. The With a culture of understanding, connection More than sixty percent of CISOs chose response rate of our survey is high, and and trust, we help create opportunity and the role because they think it will become most respondents see a role for themselves enduring success. With cyber everywhere, increasingly important and provides them and their organisations in contributing to it’s a shared responsibility. Are you in?
40 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
About Deloitte Cyber Risk Services
The Deloitte difference Accolades In this digital world, your reputation begins and ends with cyber. As a worldwide Ranked #1 globally in Security leader in cyber strategy consulting and Consulting, 10 consecutive years cyber intelligence, Deloitte offers a fully based on revenue by Gartner1 customisable suite of cyber solutions and managed services. Deloitte named a leader in Managed Security Services 2020 With a commitment to technological Vendor Assessment2 innovation and broad industry expertise, our Deloitte global network gives us Deloitte named a global leader in the insight and experience to face any Cybersecurity Consulting by ALM3 scenario. Because we listen to your needs, Deloitte Cyber is uniquely equipped to help you navigate the evolving landscape for a 1Source: Gartner, Market Share: Security Consulting Services Worldwide, 2020, Elizabeth Kim, April 2021 successful and more responsible future. 2Source: IDC MarketScape: Worldwide Managed Cyber capabilities Security Services 2020 Vendor Assessment by Martha Vazquez, September 2020, IDC #US46235320e 22,000 Cyber practitioners 3Source: ALM Intelligence; Cybersecurity Consulting worldwide 2019; ALM Intelligence estimates © 2019 ALM Media Properties, LLC. Reproduced under license 30+ Years in providing Cyber Risk Capabilities
Ongoing projects include Detect and respond, Identity Access Management, Strategy, Application Security, and Data and Privacy for OG&C clients
2000+ certified information systems security specialists globally
41 Cyber security in the Netherlands: a responsibility we share | Progress towards a Dutch cyber security ecosystem
Acknowledgements and contact details
Acknowledgements Contacts We wish to thank: Niels van de Vorle Hokkie Blogg Marco Kanis Partner Cyber Risk Services Partner Cyber Risk Services Senior manager Cyber Risk Services Email: [email protected] Email: [email protected] Tel: +31 (0)88 288 2186 Tel: +31 (0)88 288 5465 Yhennifer Cornelia Consultant Cyber Risk Services Jurrien Mammen Guus van Es Partner Cyber Risk Services Partner Cyber Risk Services Iris Rieff Email: [email protected] Email: [email protected] Junior manager Cyber Risk Services Tel: +31 (0)88 288 2507 Tel: +31 (0)88 288 6677
Casper Stap Dana Spataru Taede Rakhorst Senior consultant Cyber Risk Services Partner Cyber Risk Services Partner Cyber Risk Services Email: [email protected] Email: [email protected] Jan-Jan Lowijs Tel: +31 (0)88 288 6623 Tel: +31 (0)88 288 0718 Director Cyber Risk Services Annika Sponselee Rob Stout Esther Schagen-van Luit Partner Cyber Risk Services Partner Cyber Risk Services Chief Information Security Officer Email: [email protected] Email: [email protected] Deloitte Netherlands Tel: +31 (0)88 288 2463 Tel: +31 (0)88 288 2398
Robbin van den Dobbelsteen Martijn Knuiman Rob Wainwright Director Cyber Risk Services Partner Cyber Risk Services Partner Cyber Risk Services Email: [email protected] Email: [email protected] Kevin Jonkers Tel: +31 (0)88 288 2941 Tel: +31 (0)88 288 0032 Director Cyber Risk Services Frank Groenewegen Bob Derix Partner Cyber Risk Services Research specialist Markteffect Email: [email protected] Tel: +31 (0)88 288 1938 We would also like to thank the rest of the survey team, and the many others who contributed their ideas and insights into this report.
42
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organisation”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more
Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our global network of member firms and related entities in more than 150 countries and territories (collectively, the “Deloitte organisation”) serves four out of five Fortune Global 500® companies. Learn how Deloitte’s approximately 330,000 people make an impact that matters at www.deloitte.nl/about.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms or their related entities (collectively, the “Deloitte organisation”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No representations, warranties or undertakings (express or implied) are given as to the accuracy or completeness of the information in this communication, and none of DTTL, its member firms, related entities, employees or agents shall be liable or responsible for any loss or damage whatsoever arising directly or indirectly in connection with any person relying on this communication. DTTL and each of its member firms, and their related entities, are legally separate and independent entities.
© 2021. For information, contact Deloitte The Netherlands.
Designed by CoRe Creative Services. RITM0611847