Customer since 2022
Municipality of Waadhoeke uses CISO as a Service
Sybrand Doevendans of Waadhoeke on interim CISO Jeroen Koster: 'Good match with both organization and people'
Municipality of Waadhoeke
In addition to audits, data analytics solutions and planning and control software, Inergy also helps organizations with observing information security functions. This year, for example, information security consultant Jeroen Koster strengthened the team of the Waadhoeke municipality as interim CISO. He worked closely with Sybrand Doevendans, then the FG and now the municipality's new CISO.
"Our municipality is located in the northwest of Friesland and was created in 2018 by merging the former municipalities of Franekeradeel, Het Bildt, Menaldumadeel and four villages from the municipality of Littenseradeel," Sybrand explains. "The municipal organization is characterized by down-to-earthness and short lines of communication. The roles of FG and CISO are both well positioned and, partly due to support from management and board, have a lot of clout."
"When it became clear that we were without a CISO, they indicated that they could fill that role ad interim. They then suggested bringing in Jeroen Koster for this purpose. That was a good match with both the organization and the people."
Sybrand Doevendans, CISO of the Municipality of Waadhoeke
Good match
Waadhoeke uses the LIAS ISMS and also has Inergy conduct audits. Sybrand: "It's an accessible company and the employees think along with their customers. When it appeared that we were without a CISO, they indicated that they could fill that role ad interim. Then they proposed to engage Jeroen Koster for this. That was a good match with both the organization and the people."
"From the moment Jeroen came to work here, we worked together. His knowledge of information security and my knowledge of the organization came together like in a well-managed two-man-bob. Personally it clicks well, Inergy managed to make the right combination there as well."
Day dynamics vs. long-term vision
Because he was there only two days a week, Jeroen focused mainly on day-to-day dynamics such as managing the line organization. "Think, for example, about testing security measures of new applications and picking up incidents. He also supervised the ENSIA audit and further set up the LIAS ISMS."
Sybrand, who has been with the municipality for many years, brought in the long-term vision. "For example, I made an advance start on filling my new position as CISO by also putting the organization's needs and strategic interests on the agenda already. "
Broader scope
"As a CISO, you have a broader scope than as an FG," he observes. "After all, information security goes far beyond the security of personal data. The advantage is that as CISO you can act more forcefully than as FG, also when it comes to choosing certain software and implementing technical solutions. But it is important that you guard the boundaries: as CISO you observe and advise. You don't execute."
"As a CISO, you observe and advise. You don't execute."
Sybrand Doevendans, CISO of the Municipality of Waadhoeke
Integral safety
Together with his colleagues, Sybrand first wants to further identify the risks that still exist and can arise. "The BIO and similar frameworks are important here, but integral security is much broader. After all, how do you prevent employees from becoming victims of social engineering? What happens if someone enters the building? How do you ensure security then? So I regularly take the time to test whether and how to break through that security. I also follow trends closely, in part by listening to podcasts that provide insight into the - sometimes murky - world of information security and highlight best practices. Think for example of Darknet Diaries, Hacked and CISO Tradecraft."
Last line of defense
As long as everything goes well, by no means everyone sees the importance of the - preventive - measures. "As a result, the CISO is not always the most popular official," Sybrand says with a laugh. "I then try to explain it by translating the risks we face as an organization into the personal. You often hear people say they have nothing to hide. But everyone has information that needs to be protected, such as passwords, personal information and photos of yourself or your children. When someone realizes that, when it comes to information security and privacy, you can often intrinsically motivate them to be more aware and competent with municipal information. I therefore do not see my colleagues as the weakest link, but rather as the last line of defense."
Seeing is believing. Request a free demo.
In a conversation and demonstration, everything becomes so much clearer.
Ask Joost
