Simon Sibma is chairman of the board of the Social Insurance Bank (Sociale Verzekeringsbank, SVB) and Arnoud Bakker is CISO there. As a board member, Sibma needs specialist knowledge in-house to fulfil his role in strengthening digital resilience. “Cyber resilience starts with awareness, knowledge and expertise at the top of the organisation,” he says.
Sibma explains that the importance of digital resilience for the SVB is evident. “The SVB contributes to the subsistence security of 5.7 million Dutch citizens. We pay out various insurance schemes for citizens.” That service provided by the SVB must always continue. “Citizens must be able to trust blindly that they get what they are entitled to. Problem-free and punctual. Because our payment traffic is entirely digital, the digital resilience of our organisation is a top priority.”
Programme
Every year, the SVB produces a risk overview of threats to its operations. Cyber security has been part of it for several years. This top priority has been translated into a Digital Security Programme with various projects on cyber security, cyber awareness among employees as well as on monitoring and responding to cyberattacks. A key area of focus, in Sibma’s view, is the SVB’s ability to recover: “If we are attacked, can we quickly get payments up and running again?” The programme involves all organisational units. “It is driven by our CIO, who reports regularly to the board. We also report on it to the Ministry of Social Affairs and Employment (SZW), our owner.”
Continuous learning and development
Such a large programme is needed for two reasons, Sibma says. “On the one hand, we have much to do to stay digitally secure. On the other hand, the technical world is changing rapidly, so you have to keep up with that pace.” Bakker adds: “Continuous improvement and learning is part of that. You never finish monitoring, you always keep looking at the market. We are always fine-tuning, sometimes just by looking: what goes wrong with others? Sometimes you replay that, how would it go with us?”
Cyber resilience involves the entire organisation, says Sibma. “Every employee is a potential guardian of data and sometimes a potential risk. We put much effort into that with education, information, training and courses. You can see in society and within our organisation that cyber security has become more of an issue. That doesn’t mean we are there, but I see a desirable development.”
Practice
The SVB regularly runs cyber incident exercises, within its organisation and government-wide. Sibma thinks this is important: “From practising, you learn. The reality differs from practising, but if you don’t practise, you’re not prepared for anything.” What does regular practice bring directors? “You realise how close something like this can get and how different the situation is during a crisis than in the regular governing process; it requires different skills.” Besides practising crises, he believes practising the organisation’s resilience is also very important. “If you never practise that, you don’t know that maybe small important things are not properly managed,” he says.
The balance between implementation and security
With cybersecurity as a top administrative priority, the subject is also a matter for the board. There is a clear division of roles, says Sibma. “The board’s task is to set frameworks, maintain an overview, check whether decisions have been implemented and adjust processes where necessary. The SVB boards are jointly responsible for increasing digital resilience. The CIO Office helps the boards to set digital resilience policy and report on it.” It takes time to get that interplay on track, says Bakker: “When you start, the interests of the implementation and cybersecurity people are often still opposed.” This is where he sees an important role for the director: “To bring implementation and security together. Once that comes together more, this connection becomes much more logical and natural.”
What the director needs
Sibma: “Directors need support to handle their role well. You need specialist in-house knowledge. All my colleagues at the top of the SVB need to know the necessary things about cybersecurity. It is also important that the ministry – our owner – is aware of this importance and organises itself in this field. So that our CISO and CIO have a peer group within the ministry with which they can interact on a substantive level.”
The involvement at the top of the organisation is also pleasing for Bakker. “By now, cyber security is built into the organisation everywhere and tools are in place. Then you can talk about the underlying challenge, help make the problems visible and solve them together.”