CISO of ICT Group Kelvin Rorive Says Absolute Security is an Illusion

It’s World Cybersecurity Awareness Month. Hadrian’s mission to help cybersecurity decision makers stay a step ahead using proactive cybersecurity capabilities has earned us a stream of allies. Kelvin Rorive is one such valuable ally.

Kelvin Rorive is the Chief Information Security Officer (CISO) at ICT Group and co-founder of the Cyber Chain Resilience Consortium (CCRC). With over a decade of experience in cyber crisis management, Kelvin has a strong background in both public and private sectors. His expertise spans cybersecurity governance, red teaming, security architecture, and risk management. He has held various strategic roles, including at Rabobank, where he led the global Red Team and advised on security resilience.

In our first installment of CISO Conversations, Kelvin shared valuable insights from his extensive experience across the public and private sectors with Chandu Gopalakrishnan. Here are excerpts from the conversation:

With the increasing threat of supply chain attacks, how do you see the industry responding?

Incidents like the MOVEit vulnerability serve as crucial reminders of the growing cybersecurity risks organizations face today. As security becomes a priority beyond just IT departments, there are several key concerns to address:

  • Security is gaining prominence on leadership agendas, and storytelling is an effective tool for raising awareness and driving action among directors.
  • Managing risks from supply chain partners is more challenging than within an organization, with many attacks originating from external partners.
  • In the operational technology (OT) sector, traditionally isolated systems are now exposed to higher risks due to digital connectivity.

How do you bridge the cybersecurity boat between the CISO and company boards?

At CCRC, we’ve supported over 400 organizations in preparing for cybersecurity crises. However, many still consider cybersecurity primarily an IT issue, which creates challenges in engaging the appropriate stakeholders. Here are some key insights:

  1. Cybersecurity is often seen as an IT-specific concern.
  2. Our training courses, aimed at management, often attract IT specialists instead.
  3. Boards generally believe security is solely the responsibility of the IT department.
  4. New NIS2 legislation places accountability for security failures on management.
  5. We spend increasing amounts of time clarifying that security is manageable and should be prioritized by the board.

What are the experiences that shaped your CISO perspective?

During my career in information security, I’ve fulfilled various roles. Initially, my focus was on technical security, later shifting to managing security departments. Many view security as an IT problem, but tech is only a small part. My technical background, combined with the ability to communicate its importance at the management level, helps me convey security’s relevance to senior leadership. This is essential at ICT Group, where technology flows through the organization, and our services to large, vital organizations require absolute certainty in our security.
