Research | 3 mins
CISO Conversations: ICT Group's Kelvin Rorive Says Absolute Security an Illusion
It’s the World Cybersecurity Awareness Month. Hadrian’s mission to help cybersecurity decision makers stay a step ahead using proactive cybersecurity capabilities has built us a stream of allies. Kelvin Rorive is one such valuable ally.
Kelvin Rorive is the Chief Information Security Officer (CISO) at ICT Group and co-founder of the Cyber Chain Resilience Consortium (CCRC). With over a decade of experience in cyber crisis management, Kelvin has a strong background in both public and private sectors. His expertise spans cybersecurity governance, red teaming, security architecture, and risk management. He has held various strategic roles, including at Rabobank, where he led the global Red Team and advised on security resilience.
In our first installment of CISO Conversations, Kelvin shared valuable insights from his extensive experience across public and private sectors with Chandu Gopalakrishnan. Here are the excerpts of the conversation:
What are the experiences that shaped your CISO perspective?
During my career in information security, I’ve fulfilled various roles. Initially, my focus was on technical security, later shifting to managing security departments. Many view security as an IT problem, but tech is only a small part. My technical background, combined with the ability to communicate its importance at the management level, helps me convey security’s relevance to senior leadership. This is essential at ICT Group, where technology flows through the organization, and our services to large, vital organizations require absolute certainty in our security.
How do you bridge the cybersecurity boat between the CISO and company boards?
At CCRC, we’ve helped over 400 organizations prepare for cybersecurity crises. Many still view cybersecurity as an IT issue, and our training courses often attract IT specialists, even though they’re aimed at management. Boards still largely think security is the IT department's concern, but new NIS2 legislation holds management accountable for security failures. We spend more time now explaining that security doesn’t have to be complicated and getting it on the board’s agenda.
You handled the security operations at Rabobank for over a decade commendably. What do you think could have been done differently to improve your work?
Absolute security is an illusion. As manager of the Red Team at Rabobank, I learned that determined attackers will always find a way in. Organizations must regularly practice response scenarios to reduce the impact of attacks and expose security weaknesses. Unfortunately, there’s still too little focus on cyber exercises, despite their effectiveness in boosting resilience.
With the increasing threat of supply chain attacks, how do you see the industry responding?
Incidents like the MOVEit vulnerability help raise awareness of such threats among directors. I believe in storytelling as a powerful tool, and in recent years, I’ve noticed security gaining prominence on agendas beyond IT departments. However, my main concern is the hyper-connected world. Managing the risks from supply chain partners is more challenging than within one’s organization, and a significant number of attacks originate from partners. In the OT sector, this risk is even greater, as traditionally isolated systems are now exposed due to increased digital links.
Looking ahead, what challenges and opportunities do you foresee in managing cyber crises?
The field is growing more complex, and compliance challenges are increasing. Offensive security, such as red teaming, is highly effective in testing resilience and targeting weaknesses. However, I often joke that vulnerability management is a wasted effort if we still leave passwords exposed in public code libraries.
Having led teams in red teaming and security operations, what changes do you wish businesses would adopt in their approach to cybersecurity?
Simply put: test your resilience from a real threat actor’s perspective.
Finally, what advice would you give to emerging security professionals or CISOs navigating complex environments?
Security is a collective responsibility. Everyone in the organization must contribute to resilience. The CISO and security team should offer support but avoid implementing controls for departments behind schedule. Additionally, security must operate independently from IT to foster collaboration and innovation. Regular testing of cyber defenses and resilience exercises are essential to maintaining strong defenses.