In this section, we want to put a CISO in the spotlight by asking them a handful of questions posed by DPI.

Luc Van Gompel, IT Program Manager at Lantis, is happy to answer them.


Interview

Who are you, and in which organization do you assume the role of CISO?

My name is Luc Van Gompel. I have been working in IT for more than four decades in various roles and sectors. I am eager to learn and enjoy taking on challenges that add value to an organization. I am currently helping Lantis to increase its cyber resilience and compliance with NIS2 regulations. Lantis is the organization responsible for realizing the Oosterweel connection in Antwerp.

Where does your interest in security come from?

For much of my career, I have been active in IT in the banking and insurance world, and security has always been an aspect that I have come into contact with. Given the increasing cyber threats that organizations face today, the ever-increasing complexity of technology, and the ever-growing regulations surrounding cybersecurity, I find the topic of security quite exciting and challenging. The topic itself is also multidisciplinary and intertwined with all aspects of automation in our companies and governments. For someone who likes variety, security is a dream topic, although this expression is still at odds with the perception of security that prevails in our companies. As a result, the necessary (further) awareness-raising of the topic of security is an additional challenge.

The CISO role can be extremely multifaceted. Which tasks or responsibilities appeal to you most in your role as CISO?

My interest lies mainly in governance tasks. Security is a complex issue. Organizations need simple control mechanisms that indicate how secure or insecure they are operating today and what needs to be done to increase their cyber resilience. And none of this comes for free, so the next challenge is to determine exactly those extra security measures that will bring an organization to a level of resilience that is in line with its risk/cost appetite. A nice assignment, right?

As a CISO, what do you spend most of your time doing?

Currently, most of my time is taken up with finalizing the security policy and getting the organization on board with it. But once this exercise is complete, we will have a solid foundation on which to build. You can think of the policy as the foundations of security.

What qualities are essential for a CISO?

Understanding what is critical for the organization and being able to link this to cyber resilience measures is extremely important in order to develop a realistic improvement plan. Furthermore, your ability to understand deeply technical discussions, convey messages to C-level executives in an understandable way, and dive into business process risk discussions is definitely an asset. In addition, you need to keep your eyes and ears open to what is happening in the outside world in terms of cybersecurity and keep up with new technological developments.

Developments in security are happening at breakneck speed. How do you, as a CISO, stay up to date with the latest developments?

If you are new to cybersecurity, a good CISO training course can help you acquire basic knowledge relatively quickly and give you a structured overview of what is going on in that world. This is extremely helpful in identifying where you need to step up your efforts to expand your knowledge.

I find a lot of information to keep me up to date on the internet, on social media, or in a good book, which is often more efficient; but if you want to zoom in on a specific topic in a short period of time, I still think a training course or seminar is a great idea. The advantage is that you can ask questions or exchange ideas with like-minded people.

I have also discovered that reading industry standards can be very instructive. It allows you to familiarize yourself directly with the ideas and techniques as formulated by experts, who have carefully considered them, often after much thought and deliberation. Updates to standards are usually clearly formulated so that you can quickly get up to speed.

It is a classic challenge for the CISO to obtain the necessary resources and support from management. How do you approach this?

Europe has given itself a godsend by imposing the NIS2 Directive on member states. By making NIS2 compliance mandatory for critical service providers in the EU, organizations will automatically have to invest in order to at least obtain their NIS2 certificate. In itself, this is no guarantee that all these companies will suddenly become super cyber-resistant, but it does lay a solid foundation for cyber resilience, which is valuable in itself.

Good communication about security within an organization will also open the eyes of many, which, together with NIS2, can create a positive spiral in the long term that will enable continued investment in cybersecurity.

For organizations that do not fall within the scope of NIS2 and do not have to comply with other cybersecurity regulations, it remains important to map out business risks and the current level of security as accurately as possible. It is then up to the decision-makers to assess whether these are in line with the organization's cost/risk appetite and whether money and time need to be made available to increase cyber resilience.

What are some of the most significant threats that a CISO needs to be vigilant about at this time?

Some threats are universal, but others depend on the sector or organization in which you perform a security role.

The general threats can often be found in technological developments that also offer hackers more opportunities, such as AI. But social engineering attacks, in which people are manipulated into unknowingly giving away money, access, or simply information, should not be underestimated either. Topics such as sovereign cloud and quantum computing are also worth following.

More specific or sector-based threats in these times are often related to geopolitical instability and hacktivism.

What advice would you give to people who, like you, have just started as a CISO in an organization?

This was a question from the CISO exam! My answer was along the lines of: form your own picture of management’s appetite for increasing cyber resilience, of the current situation in practice and on the work floor, do a self-assessment, and propose an action plan.

In the CISO training I took, we were told that many CISOs throw in the towel within 18 months because they feel like they are “fighting a losing battle” with no prospect of improvement. What this meant was that proposals and improvement plans put forward by a CISO are often not accepted because management is unwilling to make the investment and prefers to accept the risk. My second piece of advice would be: try to present the risks and the resources needed to mitigate them as clearly as possible and link them to the activities that the organization stands for.

"Try to present the risks and the resources needed to mitigate them as clearly as possible and link them to the activities that the organization stands for."

Luc Van Gompel
