Meet our CISO!

Dec 15, 2023 | blog

Koen the Chief Information Security Officer

In 2022, nFuse got ISO 27k certified. Of course, this called for a Chief Information Security Officer. Koen Leys, one of our most experienced technical consultants, was offered the CISO role. We asked him a few questions about his role… Here’s his story!

Security Strategy

Koen: “The job of CISO at nFuse entails different subjects, such as security strategy, risk management, policy development, incident response, compliance and regulation, and awareness and training.

Together with the Managing Partners and our ISO 27k implementation partner, I developed and implemented a security strategy, appropriate to the objectives and risk tolerance of nFuse. I identified, assessed and am constantly managing potential risks regarding our information security. I ensure that nFuse complies with relevant data protection and information security laws and regulations.

We have installed policies and procedures, and I am responsible for responding to security incidents, coordinating responses, minimising damage, and communicating risk and impact.

Lastly, I am the biggest promoter of information security awareness within the organisation, and I organise monthly trainings (by and for employees) on security practices.”


Continuous Improvement, also in Security

“I really must stay on top of things. Hackers and other malicious people find new ways to invade our technology solutions daily. I follow the news and official informational instances, and read security blogs, whitepapers, and research reports about recent incidents.”

“Thanks to our ISO certification, we have standard security measures in place”
– Koen Leys, CISO nFuse

The Fun Stuff, But Also Some Admin

“My role is mainly directed at the security strategy for nFuse itself, not our customers. But that doesn’t mean I’m not at all concerned about them. nFuse offers OWASP Top-10 scans. From time to time, we do advise our customers concerning certain DevSecOps matters. We are glad our advice is rarely ignored.

As with most roles, there are fun and less fun aspects. We are, of course, ISO-certified, which comes with administrative obligations (reporting and so on). This is a part I like somewhat less, but it is part of the job. I enjoy helping to build on nFuse’s security strategy and making a difference for my employer. Besides, solving incidents is also something I like to do because of the pressure it brings. Thanks to the ISO certification, though, we have set procedures to follow, which often support solving incidents. The first thing is to contain the attack. The faster we can block the attack, the less damage can be done. Afterwards, we can assess the damage and make sure a breach will not happen again. My task is also to inform the necessary instances about a breach!”

Mixing Soft and Hard Skills

“When asked to explain security issues, I mostly rely on analogies. An example: an attacker gained access to the application server via a buffer overflow shell and could read the database password from the app server config, thus dumping the passwords of all clients. I explain this to a non-technical public as: a thief was able, through a fault in the lock mechanism of the back door, to open it without a key, thus gaining access to the building. There, he found the key to the archive room in the janitor’s key box, and in the archive, he was able to photocopy and take the customer records of all customers. This type of analogy rings a bell with people.

Mitigate and Advise

Mostly, people are not interested in how or why a data leak could have happened. They are interested, though, in the consequences of a leak for their company, how much damage there is and how much it will cost them to mitigate further risks. Combining my soft skills (being able to explain a technical issue in a non-technical manner) with my extremely technical hard skills is ideal. I can quickly assess the situation and give clear and on-point advice. Besides, it’s easier to convince someone to invest in their own security when you are passionate about it yourself!”
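The incident Koen uses for his analogy has two separate weaknesses worth separating for practitioners: the database credential was sitting in a readable config file (the key in the janitor’s box), and the records it unlocked were usable as-is (the customer passwords could be dumped). The following is an added example written for this page, not nFuse’s code or a description of the actual incident. The config dictionaries, user names, passwords and function names are all constructed for illustration; it shows a config loader that refuses an inline database password and takes it from the environment instead, and password storage with scrypt so that a database dump yields salted hashes rather than the passwords themselves.

```python
import hashlib
import hmac
import secrets

# Constructed sample, assumed for this example: a config file of the kind
# that leaks the database credential to anyone who can read the file.
WEAK_CONFIG = {
    "db_host": "db.internal.example",
    "db_user": "app",
    "db_password": "hunter2",  # plaintext secret on disk: the "key in the janitor's box"
}

# Hardened variant: the file says which database to use but carries no secret.
SAFE_CONFIG = {
    "db_host": "db.internal.example",
    "db_user": "app",
}


def load_db_credentials(config, environ):
    """Assemble database credentials without ever reading the password from config.

    The password must arrive via the DB_PASSWORD environment variable (populated
    by a secret manager, init system or container runtime at start-up). A config
    file that embeds the password is rejected outright, so the weak pattern cannot
    creep back in through a "temporary" edit.
    """
    if "db_password" in config:
        raise ValueError("inline db_password in config is not allowed; set DB_PASSWORD")
    password = environ.get("DB_PASSWORD")
    if not password:
        raise ValueError("DB_PASSWORD is not set")
    return {"host": config["db_host"], "user": config["db_user"], "password": password}


# scrypt cost parameters (assumed values; 128 * r * N bytes of memory, 16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password, salt=None):
    """Return a self-describing "scrypt$N$r$p$salt$digest" string for storage."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def build_user_table(credentials, hashed=True):
    """Simulate the users table: plaintext (the incident) or scrypt hashes (the fix)."""
    return {user: (hash_password(pw) if hashed else pw) for user, pw in credentials.items()}


def dump_exposes_passwords(table, credentials):
    """What an attacker with the DB credential learns from a full table dump:
    True if any stored value is a usable password, False if only hashes leak."""
    return any(table[user] == pw for user, pw in credentials.items())


if __name__ == "__main__":
    users = {"alice": "correct horse battery staple", "bob": "Tr0ub4dor&3"}
    print("plaintext table leaks passwords:", dump_exposes_passwords(build_user_table(users, hashed=False), users))
    hashed = build_user_table(users)
    print("hashed table leaks passwords:", dump_exposes_passwords(hashed, users))
    print("alice can still log in:", verify_password(users["alice"], hashed["alice"]))
    print("loading weak config:", end=" ")
    try:
        load_db_credentials(WEAK_CONFIG, {"DB_PASSWORD": "from-secret-store"})
    except ValueError as exc:
        print("rejected,", exc)
```

One caveat belongs next to this: moving the credential into the environment defeats a plain file read (a leaked backup, a path-traversal bug, a world-readable config), but an attacker who already has a shell as the application user, as in Koen’s example, can still read that process’s environment. That is why the hashing half matters more: it limits what the stolen key can unlock. The remaining lever, which the code does not show, is least privilege on the database account itself, so that the application’s credential cannot read every table.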
