
Tessian Spotlight: Johan Kestens, former Chief Information Officer at ING Belgium and Luxembourg

Tuesday, March 12th, 2019


As the former Chief Information Officer for ING Belgium and Luxembourg, Johan was, until September 2018, responsible for the complete IT stack and was part of the Executive Committee. An engineer by training, Johan worked with a number of organizations before joining ING, including McKinsey, SWIFT, SAP and A.T. Kearney.

What are the greatest challenges you overcame while you were CIO at ING?

There were several challenges. Firstly, we increased collaboration between the Belgian and Dutch IT operations to create a single IT organization and adopted the same agile way of working. We also brought IT professionals much closer to other teams in the business and removed as many coordination barriers as possible, which made the IT team more efficient and cost-effective. Another challenge was gaining more control of the IT change portfolio. There is always more demand than there is capacity so we changed it from a demand-driven organization to a capacity-driven one. This helped get many more things done and we had some very positive results in areas such as big data. The final challenge was creating better risk awareness and control in the business and enhancing the level of discipline in the organization.

What needs to change about how most organizations are handling their IT strategy?

I noticed that in many companies there is sometimes a distance between the business and IT people. This might be because of the different business jargon, personalities and delivery goals but this divide needs to disappear. Many parts of the economy are being disrupted through digital businesses and IT is increasingly becoming the main driver of business. The IT strategy for many is starting to become the strategy. For this to work effectively, you need to bring non-technical teams and IT teams closer. Improving communication and understanding between teams will help them work together most effectively.

How should CIOs ideally work with the rest of the board?

If you look at most company boards, I would say a lot of them are likely struggling to understand what is going on in IT. Many of them know that their digital business is becoming more important but it is like watching a soccer game; it is different when you are sitting in the stadium than when you are playing in the field. I have also sensed a mixture of fear and distrust regarding IT because some people feel that they do not have the expertise to really assess it. Most boards are made up of professionals with a commercial or finance background. An area where this is especially clear is cybersecurity; it is very frightening for board members to ultimately carry responsibility but not understand all techniques used to attack their business. Constantly reading about the newest data breaches in the news will likely do little to assure them. CIOs should do their best to address all of these concerns.

What are the greatest information security issues to the banking industry and how would you address these?

The biggest security incidents often happen from within, so integrity of staff must be a prerequisite. At the larger organizations, security becomes much more of a numbers game. Even with very good employee screening procedures, data breaches will likely happen either by accident or through malicious employee intent. Another important issue is adopting the right mindset when dealing with information security. I think about it in a similar way to healthcare: a new variant of flu comes out every winter and the medical industry is quite fast to respond to this but it never goes away completely. You have to adopt a framework where you understand you are never going to be completely immune as cyberattacks are always evolving. Even if you have never had a data breach before, you can never be completely sure that an employee will never fall prey to a spear phishing email. The best you can do is remain vigilant and constantly stay abreast of the newest developments. This is why I am a big fan of collaboration between industry participants or even governments. Cybercrime is like a virus; it tends to go from country to country, so by working together, you can be aware of it ahead of its arrival. All parties benefit when they collaborate together against a problem like cybercrime.

What do you read/listen to to stay on top of advancements in IT?

Gartner reports are a very good source of information as they cover different trends well. I also follow a few networks such as CIONET to understand what is going on in the industry right now. Finally, small CIO events like dinners or breakfasts with only 10-12 participants are amazing for knowledge sharing. The size of the audience allows everyone to participate and every once in a while you get a nugget of gold. Keeping in mind that what might be very esoteric today could become very important tomorrow is key.