‘Security by design needs to be even more of a given’

Glyn Jones has been working at RINIS Foundation as the organisation’s Chief Information Security Officer (CISO) since November. Glyn comes with a wealth of experience in IT and information security. His aim: to embed security even more firmly across the organisation as a whole, from projects to managed services and from start to finish. What is his take on his first hundred days in the job?

You joined us just as RINIS had obtained its ISO 27001 recertification. That sounds like great timing.

“I have to admit, this was the perfect time for me. Compliance with ISO 27001, the international information security standard, is as important to us as it is to our Participants. My predecessor and several other RINIS colleagues put in a lot of time and effort to land this certification. It allows us to show the world that our information security processes are properly organised. This certification provides a solid foundation for me to build on.”

You’ve come into the job with a lot of experience.

“That’s right. I was always fascinated by the world of IT from a very young age. I grew up in the eighties, which was when I spent a lot of time on my Commodore 64. I subsequently managed to turn my hobby into my job. I previously served as a systems engineer and IT & Security manager at a petrochemical company, as a security manager at a telecom provider and as a Business Information Security Officer at a major bank. My interest in security was kindled in the late 1990s, when Y2K - the ‘millennium bug’ as it was known at the time - became a thing. Those early years were mainly about availability. Nowadays, redundancy and 24/7 system availability are taken for granted, but back then these were still new. Since then, the threats have increased significantly, but this has also led to much greater support for the need for information security and the role of the CISO.

“Over the years, I obtained a number of key certificates in the field of information security: ISO 27001, CISSP and CISM. CISSP focuses on technical and organisational security, whereas the emphasis in CISM rests with governance and risk management. I also have extensive experience with ITIL, a tried and tested method for organising IT services in a structured and reliable manner. These certificates and my broad-based experience in IT project management enable me to effectively assess risks. The guiding principle here is the people-process-technology principle. To me, information security is about a lot more than merely technology. IT and security solutions can prove effective only if people know what their role is, if the processes are clear and workable, and if the technology is supportive and reliable.”

You spent time working at large multinational organisations. What was it that appealed to you in the vacancy with a relatively small organisation such as RINIS?

“To large multinationals, the security challenges are obviously of a different order, but by the same token there is less scope to have an impact as an individual. Which is why I was on the look-out for an environment where I’m not only able to implement good policy, but also have an actual impact. RINIS is fast developing, with security high on the agenda. Their tag line resonated with me: secure, reliable, guaranteed. This also includes the strategic position of the CISO role within the organisation. In many organisations, security comes under IT. Here, I report to the Director of Operations. This gives me independence – and it signals that information security is taken seriously here. During the application process, I was also impressed by the informal and transparent dynamics of the organisation. I had enjoyable interactions with the people at RINIS and I noticed that the organisation is innovative, runs short lines of communication and has a team that is open to change.”

So did this prove to be the case during your first 100 days as CISO?

“Definitely. I was made to feel welcome from day one. The handover with my predecessor was thorough, and the conversations I’m having with colleagues are open and pleasant. They are receptive to what I have to say, which is obviously a great starting point.”

What are you focusing on right now?

“As the CISO, I’m responsible for RINIS’ information security strategy. As such, I not only ensure compliance with applicable laws and regulations, I also actively contribute to building a security-aware culture. I work closely with IT and management to identify risks and put appropriate measures in place. In addition, I supervise projects where security is a key element. My role is not just to draw up rules, but above all to get staff on board when it comes to the importance of security by design and to help them integrate this into their everyday duties. We are already getting a lot of things right, but we are not always able to demonstrate this effectively. This means we need to do an even better job of documenting things so we can structurally demonstrate that our systems and processes are secure. This will also help with a number of important upcoming events, such as the next ISO 27001 audit, which is due in October 2025. The NIS2, the new European Cybersecurity Act, will also have an impact on RINIS. This requires us to set up a number of new processes, for example.”

When we see each other again next year, what is it you will have achieved?

“By then I want security and privacy by design to be structurally embedded in our operations. This means that we factor in security, privacy and compliance from the very outset of each project. I also want to see a clear security roadmap in place that details the concrete steps for us to take as an organisation. I’m also hoping to see raised awareness of ISO 27001 and the cyber security measures needed. I want employees to not only be aware of the risks but also to know what they can do themselves to contribute to mitigating these risks. If we manage to do that, we will have taken an important step towards becoming a more secure and resilient organisation.”