Security Leader Insider – May 2025

Security Leader Insider Newsletter

May 2025 Edition

Welcome to this edition of our Security Leader Insider, your trusted source for the latest developments, expert guidance, and strategic insights in the world of cybersecurity leadership.

We kick off with a thought-provoking guest article by Nathalie Claes, “Cybersecurity starts with you – not IT,” which challenges traditional notions of ownership and accountability in digital defense. Our Toreon blog dives into how to align EU DORA with ISO 27001, offering practical insights for CISOs aiming to stay both compliant and resilient.

And that’s just the beginning, so let’s dive in!

In this edition

Navigating CRA Compliance with Toreon and CRACY

Upcoming Trainings

GUEST ARTICLE

Cybersecurity starts with you – not IT

A wake-up call: one click is all it takes

You might think cyberattacks only happen to tech giants, banks, or governments. But I’ve seen it happen time and again—small and medium-sized businesses are hit the hardest. Why? Because they believe they’re not interesting enough to be targeted. And that’s exactly what makes them vulnerable.

In my book “Hacked, Now What?”, I set out to change that mindset. The book isn’t a technical manual filled with jargon—it’s a human guide for business leaders, entrepreneurs, and professionals who want to take back control. Cyber resilience doesn’t begin with firewalls; it begins with awareness, responsibility, and culture.

It’s not just an IT problem

Let’s clear something up right away: cybersecurity isn’t a task for the IT department alone. It’s not just about software or servers. The most dangerous threats aren’t technical—they’re human. Curiosity, fear, urgency, trust. These emotions are the doors hackers walk through.

It’s time we stop saying “talk to IT about it”. Cybersecurity is a business issue, a leadership issue, and a human issue. The moment we accept that, we can build a culture that actively protects our business, instead of leaving it up to a few people in a server room.

Phishing isn’t dead—it’s getting smarter

We’ve all seen the old-school scam emails from “Nigerian princes”, and many of us laugh them off. But phishing has evolved. Today’s emails are well-written, personalized, and dangerously convincing. Sometimes they don’t even arrive by email—they come through text messages, phone calls, or deepfake video calls that imitate your colleagues.

One wrong click can cost millions. That’s why we must stop thinking of cybersecurity as just a technical defense. It’s a training issue. A leadership issue. And, above all, a people issue.

The USB stick that brought down a hospital

Here’s a story: a USB stick, left in a hospital parking lot. Someone picks it up, plugs it into a work computer—just to see what’s on it. Instantly, malware begins spreading through the network. That’s baiting in action. And it happens far more often than you think.

Humans are curious by nature, and attackers know this. They label USBs with things like “salary details” or “party photos.” We can’t assume our people will always resist that temptation—we need to train, simulate, and create an open culture where reporting is encouraged and mistakes are learning moments, not punishable offenses.

Your greatest risk may already be inside

Insider threats are among the most overlooked dangers in any organization. Whether it’s malicious intent or just someone who doesn’t follow security protocols, insiders can do immense damage. I’ve seen cases where financial teams unintentionally shared sensitive files or where a frustrated employee quietly siphoned off data.

We can’t prevent every insider incident, but we can create an environment where vigilance is the norm. That means having clear policies, regular communication, and a culture where employees know that security is part of everyone’s job description—not just the IT team’s.

AI is both friend and foe

Artificial Intelligence is transforming everything—including cybercrime. Today, attackers use AI to create flawless phishing messages, scan for vulnerabilities, and impersonate voices in real-time. But AI can also help us: anomaly detection, behavioral monitoring, and automated response systems can provide real-time defense.

The challenge is to understand AI’s potential and its risks. It’s no longer enough to “hope” our systems are secure. We need to invest wisely, not just in tech, but in understanding the changing threat landscape. That means asking questions, staying curious, and preparing people as well as machines.

Hackers don’t break in - they walk in

Cyberattacks often follow a predictable pattern: reconnaissance, intrusion, escalation, and data exfiltration. Known as the Cyber Kill Chain, it’s a chilling but eye-opening model. The most dangerous part? In many cases, we could stop an attack early—if someone had noticed something odd and spoken up.

That’s why I always say: information security is a team sport. If employees feel safe flagging strange emails or reporting odd behavior, we stop attacks in their tracks. But that only happens in organizations where psychological safety and shared responsibility are deeply embedded.

The Human Firewall: why culture is the real defense

In all my years working in information security, one truth has become clear: you can’t patch human behavior with software. Real resilience comes from culture. A company where people are aware, empowered, and proactive will always outperform one that throws money at tools without building understanding.

That’s why creating a strong security culture must be a strategic priority. Start by involving leadership, communicating clearly, and making awareness part of your onboarding, training, and daily habits. Don’t just send out a PowerPoint once a year—make security part of the conversation.

The new skills every leader needs

As a leader, you don’t need to become a cybersecurity expert—but you do need to ask the right questions:

  • Where are we most vulnerable?
  • Are we training employees effectively?
  • What’s our response plan if something happens?
  • How quickly can we detect and contain a threat?
  • Are we building a culture that encourages vigilance?

Leadership in the digital age means being able to navigate uncertainty with confidence. That starts with knowing enough to lead—not just delegate—your company’s security efforts.

Let’s talk about what’s coming

Cybersecurity is changing fast. We’re seeing trends that will impact every business: the rise of phishing-as-a-service, AI-generated deepfakes, politically motivated attacks, and vulnerabilities in remote collaboration tools. But with these risks come opportunities: to educate, to lead, to future-proof our organizations.

The biggest mistake is to think this isn’t your problem. The truth? Cybersecurity is your business. It’s your reputation. Your operations. Your clients. Your people.

Final thoughts: cyber fitness is a mindset

What I want readers to understand—what I want you to understand—is that building cyber resilience is like building physical fitness. It’s not something you achieve and forget. It’s something you train for, improve upon, and maintain over time. Even small initiatives and steps, taken in a consistent manner, can make a huge difference for organisations.

And like fitness, it doesn’t start with the perfect gear—it starts with mindset.

So, ask yourself today: Am I strengthening my team’s cyber muscles? Am I investing in the right knowledge and behaviors? Am I fostering a culture of awareness?

If the answer is “not yet”, then this is your invitation to begin. Not from fear, but from empowerment. You can protect your business. You can be ready for what’s next.

CURATED CONTENT

Handpicked for you

2025 Data Breach Investigations Report

Verizon’s 2025 Data Breach Investigations Report reveals alarming shifts in the cybersecurity landscape, with a sharp rise in third-party breaches, unpatched vulnerabilities, and ransomware incidents. The report shows that third-party involvement in breaches has doubled since last year, largely due to vulnerability exploitation, while nearly half of perimeter-device vulnerabilities remain unaddressed. Ransomware also continues its upward trend, appearing more frequently in analyzed breaches than in the previous year. This curated article unpacks the key trends shaping today’s threat environment.

Ex-Facebook CISO Warns: 95% of Bugs in Your AI System Haven't Been Invented Yet

Former Facebook CISO Alex Stamos offers a stark warning on the current state of AI security, emphasizing that the industry is only beginning to uncover the vast landscape of potential threats. He estimates that 95% of AI-related bugs remain undiscovered, highlighting the growing risks posed by machine-to-machine conflict. Cybercriminal groups, including North Korea’s Lazarus Group, are already leveraging AI to sharpen their attack methods and negotiation tactics. While AI holds promise for automating cyber defenses, it also lowers the barrier for creating sophisticated malware, underscoring the dual-edged nature of this rapidly evolving technology.

Integrating EU DORA with ISO 27001: What CISOs Need to Know

As of January 17, 2025, the Digital Operational Resilience Act (DORA) is officially in effect. For financial entities operating in the EU, this regulation marks a significant evolution in the regulatory landscape, placing digital resilience front and center.

If your organization is already ISO/IEC 27001 certified, you’re starting from a strong foundation. But DORA introduces new expectations that go beyond traditional information security.

In this blog, Dirk explores what DORA is, who it affects, and how to align your ISO 27001-based ISMS to meet the requirements.

Tips & Tricks

The 2025 CISO mindmap

The role of a CISO is more complex than most realize, and the ever-evolving CISO MindMap by Rafeeq Rehman has been a go-to guide since 2012. The newly released 2025 edition is packed with fresh insights and actionable recommendations to help security leaders navigate the next 12–18 months. Don’t miss this essential update!

Navigating CRA Compliance: How CRACY and Toreon Can Help

With the EU Cyber Resilience Act (CRA) setting new cybersecurity requirements for all products with digital elements (PDEs), many organizations are facing increased pressure to meet compliance. At Toreon, we support clients through every stage of this journey — from assessing CRA impact to implementing secure development practices and managing compliance documentation. 

In addition to our own services, we’re also proud to be part of CRACY, an EU-funded initiative aimed at helping SMEs in particular tackle CRA requirements more easily. CRACY will provide practical tools such as checklists, self-assessments, and automation for compliance tasks, all designed to complement expert support like ours.

Whether you need tailored CRA guidance now or want to benefit from CRACY tools in the near future, Toreon is here to help you stay ahead of the curve. 

For more information about CRA compliance or our involvement in CRACY, contact us.

Upcoming trainings & events

Book a seat in our upcoming trainings

All in-person events, hosted by the Data Protection Institute

Security Leader: Security Operations

Next training date:
4-5 September 2025

Security Leader: Security Governance and Compliance

Next training date:
25-26 September 2026

Security Leader: Security Architecture

Next training date:
14-15 October 2025

Security Leader: Threat & Vulnerability Management

Next training date:
21-22 October 2025

Security Leader: Secure System Acquisition and Development

Next training date:
24-25 November 2025

Security Leader: Leadership Module

Next training date:
2-3 December 2025

CISO Full Certification Track Module 1-7