The Most Underrated Tool in Your Cybersecurity Arsenal: Friendships
In this one-on-one sit-down, a former cyber leader with the UK Ministry of Defence talks relationship-building as a “lifeline” when crisis strikes, and other key ways to be prepared. Hint: Take a tip from the British military.
While you’re busy building out your cybersecurity toolkit, don’t neglect your friendships.
That was a key piece of advice from Dan Jones at the recent conference on government and cybersecurity organized by iBestuur, a leading Dutch publication covering the public sector and popular with European policymakers. Jones, a cybersecurity advisor at Tanium, appeared in a panel with Frank van Beem, deputy CISO at the Dutch Ministry of Defence.
“As Frank said, and I am swiping the phrase with pride, ‘You don’t build friendships during a crisis,’” Jones stated after the event, held just outside Amsterdam in late October.
Jones is a big proponent of collaboration and relationship-building, and how they need to be part of the ongoing cybersecurity calculus at any organization.
He spent nearly 30 years at the UK Ministry of Defence, working in various capacities, including IT manager, information communication services portfolio leader (a four-year stint in Saudi Arabia, where he was based in Riyadh), and, finally, in defensive cyber operations. While there, he was instrumental in developing strategies to mitigate digital supply chain risks, and took a holistic approach to cybersecurity resilience, integrating people, processes, and technology.
This year, he jumped to the private sector, where he serves as senior security adviser for EMEA at Tanium, a leading cybersecurity solutions provider (and publisher of this magazine).
We spoke with Jones shortly after the conference to get his takes on collaboration (short-term contracts encourage it, he says), artificial intelligence (don’t go straight to Formula 1 – he’ll explain), and the upcoming European NIS2 and DORA regulations, which aim to strengthen digital security (and already have many enterprise leaders, especially in Europe and the U.S., concerned about compliance).
(The following interview has been edited for clarity and length. It was first published in iBestuur last month. You can read the original article in Dutch here.)
You like to participate in conferences yourself, not only because of the bitterballen* afterwards but also to meet new people. Why is that so important to you?
When there’s a crisis, you need friends. And as Frank van Beem just said: You don’t build friendships during a crisis. You have to make connections and gain knowledge by exchanging experiences with other specialists.
I’ve been saying for years: Cybersecurity is a people issue, even if we like to wrap it up in technological jargon. Cyber threats are multifaceted, and often no one person or team has all the answers.
Having the right allies can make a difference during a crisis. The connections you make now can be the lifeline you need later. And there is no better place for government service employees to make those new connections than at an event like this one, where everyone can speak openly and honestly.
How do you think organizations should prioritize technology, people, and processes when managing cybersecurity?
I would say it’s essential to think of cybersecurity as a triangle made up of technology, people, and processes.
Strong technology alone cannot protect an organization. The technology is only as effective as the people who manage it, and their processes need to be solid. Effective cybersecurity depends on a balance between these three. You need the right technology, skilled people to operate it, and processes to connect it all together. Often, cybersecurity incidents expose weaknesses in this balance.
Also, don’t forget that no organization lives on an island. A government department not only exchanges data with other government departments but is also dependent on different suppliers. All those connections have to work flawlessly.
Aren’t risks in the supply chain often underestimated?
That is indeed a big problem. Supply chain risks are one of today’s biggest challenges. A breach or malfunction in a supplier’s system can cause a chain reaction and affect countless services. Public sector organizations need transparency with their suppliers and vice versa. This is where short-term contracts can sometimes help; they allow both parties to measure the effectiveness of the relationship over time.
In the public sector, short-term contracts with clear expectations encourage ongoing accountability and keep everyone engaged in a productive, transparent way.
Nowadays you see a trend toward long-term contracts. But you’re not in favor of that yourself? Surely they create stability in the relationship between customer and supplier.
Yes and no. Long-term contracts can provide a sense of security, but they can lead to complacency if not managed properly. I’ve seen cases where long-term contracts become “how do we get through this contract?” instead of building mutual value.
With shorter, easy-to-renew contracts, there is a continuous need to earn the trust of the other party, which helps to be accountable and responsive. Government contracts often lean toward the longer term, but I think it’s worth evaluating this approach to encourage flexibility and adaptability, especially as cyber threats evolve.
In my previous job at the British Ministry of Defence, I inherited a 10-year contract with one supplier. We couldn’t get anything done from them. When I left, I had replaced that one contract with more than 60 short-term contracts. We were much more effective that way. I do realize that renewing more contracts every time is also a challenge. You have to find the right balance. Every team has to assess what they’re capable of. But in my experience, more short-term contracts are the next best thing.
Many participants at your session are clearly suffering from NIS2. Is that a burden or a pleasure?
NIS2 is one of those frameworks that are crucial for public sector entities. It is designed to improve the cybersecurity of essential services in Europe.
I see mixed reactions – sometimes NIS2 is seen as “just another requirement.” But I encourage organizations to look at regulation as a guide that emphasizes critical practices, such as asset visibility and third-party risk management. In fact, NIS2 mainly imposes those things that organizations would or should have done anyway.
And make no mistake: There is a 2 after NIS, so you can bet that there will also be a NIS3, which will raise the bar again.
It remains surprising that many organizations do not yet have the basics in order.
That is indeed a cause for concern. I heard questions about advanced techniques such as threat hunting, the role of analytics, and what artificial intelligence can mean. But at the same time, many organizations do not yet know exactly what is in their network and how well all endpoints are protected.
I also notice that organizations are not prepared enough. A business continuity plan may have been drawn up at some point of what should be done in the event of a crisis, but those plans are not practiced enough. When it comes to cybersecurity, too many organizations overlook the need for practice. The approach of the British military is a good example: They practice until the procedures become second nature. In the event of a real incident, there is no hesitation.
Government agencies would benefit greatly from similar exercises, such as tabletop scenarios or simulated cyber incidents. These exercises uncover gaps in plans and identify roles. Often, in an attack, you discover flaws, not in the technology but in processes and coordination. Practicing these scenarios builds trust and prepares teams to respond efficiently.
But first, make sure the basics are right. Using AI, for example, to automate and orchestrate repetitive manual tasks can regulate the cadence of essential processes and reduce errors.
Of course, many cybersecurity specialists want to make full use of AI right now. But that’s like wanting to become a Formula 1 driver as soon as you get a driver’s license. You first have to get through the lower series before you can venture into Formula 1.
You’ve been in the Netherlands a lot lately. How do you think government organizations in the Netherlands and other markets in Europe are performing in terms of cybersecurity?
I would say that there is a strong awareness, but that the consistent execution can vary. The Dutch public sector, for example, has realized that in order to be truly secure, they must not only strengthen their own systems, but also take into account the dependencies on third parties.
Regulations such as NIS2 emphasize this interdependence, but more can be done. At Tanium, we encourage customers to test, test, and test again. Some teams are better at applying these fundamentals than others, but overall, I think there’s a growing understanding that executing the fundamentals well makes the difference between resilience and vulnerability.