Blogs

The importance of critical evaluation of technologies to strengthen cybersecurity (podcast) - Eddy Willems

Brenno de Winter & Eddy Willems

Eddy Willems in conversation with Brenno de Winter, information security and privacy expert.

In the latest episode of the podcast series ‘My Precious Data’, Eddy Willems, Security Evangelist at WAVCi, talks to Brenno de Winter, a leading expert on information security and privacy. Brenno is known for his in-depth knowledge and experience, including through his involvement in the hacking of the OV-chipcard and his work as Chief Security & Privacy Operations at the Ministry of Health, Welfare and Sport in the Netherlands.

Better every day: but for real now

Brenno de Winter

In a time of rapidly evolving digital threats, a culture of continuous improvement is crucial for effective information security. Companies cannot make do with a one-off risk inventory or a stack of security policies; they need to constantly sharpen their processes. The Plan-Do-Check-Act (PDCA) cycle - often called Plan, Do, Check, Act, or Plan, Execute, Check, Adjust - provides a structured approach to doing this. This PDCA cycle is at the heart of many quality and security programmes, and is explicitly recommended in standards such as ISO 27001 for information security.

Holistic security thinking: more than just technology

Brenno de Winter, Hans de Raad (OpenNovations)

Cybersecurity is high on the agenda in almost every organisation. Yet many companies remain vulnerable because information security is not always deeply embedded in business operations. Often, measures are only taken after the fact, for instance in case of incidents or under pressure of new laws and regulations. At the same time, we see that organisations that do take a proactive, holistic approach are less likely to experience serious problems. In this article, we show why an integrated view of cybersecurity is so important, where things often go wrong in practice and how companies can raise their security level sustainably.

Holistic security

Brenno de Winter, Hans de Raad (OpenNovations)

Recent ransomware attacks on European companies demonstrate that cyber threats are inevitable; organizations must prepare proactively rather than reacting after an incident occurs.

On January 11, 2025, a Dutch technology company specialising in sustainable waste processing was forced to halt operations due to a ransomware attack by the BlackBasta group, which encrypted over 500 GB of critical data. The same day, a Belgian manufacturing company suffered a similar attack, losing 600 GB of sensitive information. These incidents, while not directly impacting individual users’ personal data, disrupted supply chains and caused significant financial and reputational damage. Cybercriminals are targeting not just high-profile corporations, but critical industries. It’s no longer a matter of if an organisation will be attacked, but when, and whether it is prepared.

Communication in The Oval Office

Brenno de Winter

In the now infamous conversation in the Oval Office between President Donald Trump, Vice President JD Vance and President Zelensky, one particular part was very striking. In crucial conversations where someone is being addressed, you usually pick a line: content, pattern or relationship. If you mix these up too much, the conversation goes nowhere.

What was striking yesterday with JD Vance in particular is that he jumped from content to pattern, then to relationship, and back again. With that, it was actually impossible for Zelensky to respond or say anything back at all, because any response will then be met by an attack based on the other level of conversation. If it is about something substantive then you switch to relationship, and if you respond to relationship then you address someone on pattern.

How managers must balance technology and control

Brenno de Winter

In a world where technology increasingly determines our decisions, the call for critical reflection is greater than ever. Blind trust in technology leads to mistakes with far-reaching consequences, he writes in his book The Validation Crisis. ICT managers hold the key to using technology effectively and securely, but they can only succeed if they understand how data, systems and processes affect each other.

A central theme in The Validation Crisis is the importance of data. A good example is an artificial intelligence (AI) experiment in which an AI system is fed data from previous hiring decisions, which can reinforce biases. In this case, the model was trained on a dataset in which men were hired more often than women. When the AI was deployed in practice, it reproduced this bias without the users’ knowledge. As a result, men were hired faster than women.