The past 5 years have been anything but quiet. As crises followed one after another and geopolitical tensions escalated, Aart Jochem served as CISO for the Dutch Government to strengthen the public sector’s digital resilience. On 1 January 2026, he steps down from this role. In this retrospective, he reflects on his time in office: what did he learn, and where should we focus more? “Routine isn’t my thing. A well-managed crisis demonstrates why this work is important.”
As the first Chief Information Security Officer (CISO) for the Dutch Government, Aart Jochem has led the national approach to information security and privacy since 2020. Digital resilience was at the core of his work, which is why he chaired the recent Government-wide Cyber Exercise (Dutch). Reflecting on the experience, Jochem explains: “That’s when you truly see how crucial it is for a crisis team to get a grip on the situation quickly. What’s happening right now? What could unfold next? And what actions should we take in response?”
No time to spare
For Aart Jochem, an effective crisis team must meet several key conditions. “You need people from different disciplines, a clear process, and team members who understand how crisis management works. Experience is invaluable, not because anyone wants to face real crises repeatedly, but because practice builds familiarity with the process. If everyone knows the steps, you can conclude the first meeting quickly. With inexperienced people, it takes much longer. And in a crisis, time is something you don’t have.”
New insights
The focus on recovery during the Government-wide Cyber Exercise brought fresh perspectives. “Recovery demands different decisions than acute crisis management. How do you get processes back up and running quickly? It’s valuable to practise this; it really adds something.” Collaboration also stood out to him. “National government, municipalities, provinces, safety regions, everyone brings something different. That’s why it was so relevant for the Caribbean Netherlands to participate. If we invest in resilience, we need to apply those investments more broadly.”
Preparedness is a myth
Jochem believes you can never be fully prepared for a crisis. “Even after years of experience, you’re always learning new things. That’s not a weakness, it’s reality. That’s why exercises remain essential, if only to check whether the basics are in order. Do we have the right contact details? Are the agreements still up to date? These are practical details, but they make a huge difference.” Crises can’t be entirely prevented, he emphasises. “But practising responses, decision-making, and communication is crucial.”
The real damage lies in society
The need to anticipate becomes truly clear when you consider the consequences of a crisis. As CISO, he explains: “The government serves society. When things go wrong for us, the damage is felt in society. A data breach in a population study doesn’t just mean there are costs for recovery, security, and postage; it also leads to a loss of trust. If people disengage, it directly impacts public health. The societal damage is far greater than the investment needed to do better.”
5 years of crisis dynamics
Reflecting on the past 5 years, he notes, “It’s been nonstop, and that can be exhausting. However, understanding the significance of our work fuels my motivation. I began during the pandemic, quickly deploying secure digital solutions nationwide, such as WebEx. This was followed by new threats and a shifting geopolitical landscape, including evolving relations with the United States. Consequently, governments must continually anticipate developments and ensure their capacity to adapt remains strong.”
The need for speed
For Jochem, adaptability isn’t just an abstract idea; it demands effort. “We know where the vulnerabilities are and that we need to move faster. The plans are in place. But those plans must be supported by the right resources. That’s not yet guaranteed, especially at a time when the government is also facing budget cuts. It makes this a puzzle we really need to solve.”
Working as 1 government
The tension between ambitions and resources also shapes legislation and national strategies, such as the Cybersecurity Act and the Dutch Digitalisation Strategy (NDS). “Legislation always lags behind practice, but it helps enforce necessary steps. It demands great adaptability from the government, accelerating as the context keeps changing. The NDS supports this by explicitly emphasising collaboration as a single government. I believe this makes us more efficient and effective. Reporting is also part of this. When something goes wrong, you need to be able to share that, precisely because the consequences extend beyond your own organisation.”
It is possible
Reflecting on his 5 years as CISO for the Dutch Government, his most important lesson is inspiring: “We can do it! But it takes energy. In my first week, I created a slide about why security is so important. The government has a unique role in society. We safeguard identities, property, and sensitive information for our security tasks. People don’t just entrust that to any other party. Protecting, organising, and accounting for this is what you should expect from the government. The points on my slide gave direction to my work. And it turned out we can take significant steps, such as the national cloud policy and the red-teaming programme.”
Digital autonomy
As of 1 January, Jochem will start a new role as CISO at the IT firm Centric, which works closely with government organisations. There, he will continue to focus on protecting and strengthening digital independence. “This theme has increasingly occupied me over the past few years. You see how dependent we’ve become on external parties and how difficult it is to break free from that. Not all dependencies are bad, but there are areas where the government must retain control.”
Watch the exercise and more
Footage from the Government-wide Cyber Exercise, with Aart Jochem as chair, is available on the Government-wide Cyber Programme‘s website. Here you will also find a wide range of webinars on cyber resilience, including 5 tailored to the Caribbean context.
