If there is one sector where security is a top priority, it is the financial sector. Kelvin Rorive knows from experience why: "Banks are permanent targets. This has led to mature governance, substantial investments and security as a boardroom topic."

After sixteen years in banking, he moved to ICT Group, of which ICT TriOpSys is a part. A new environment, but with a familiar risk profile: "In terms of threats, the entire critical sector is on a par with banks," he says. "Yet I see that many organisations still rely too often on compliance and certifications alone, as if lists alone offered sufficient protection against state actors or advanced ransomware."

According to Rorive, the threat to vital infrastructure is structural and diverse. "China is hunting for information, Russia and Iran want to disrupt, and North Korea is seeking financial gain. At the same time, IT and OT are becoming increasingly interconnected. Systems that were never designed for security are suddenly exposed to digital attacks. Add AI to that, and the playing field becomes even more complex. The vulnerability of vital infrastructure should not be underestimated, with an impact that can affect society as a whole."

“In terms of risk profile, vital infrastructure is in no way inferior to banks.”

“Being compliant does not necessarily mean you are secure.”

According to Rorive, security is too often reduced to checklists and certificates. He warns against blindly relying on them: "Compliance and certifications are valuable, they increase maturity and bring processes in order, but they are not the end goal. They can also create a false sense of security. We sometimes receive hundreds of questions in Excel sheets that we have to fill in. That takes an enormous amount of time, and what does it actually achieve? You can tick all the boxes on the form, but does that say anything about how your organisation would withstand an attack in practice?"

Kelvin Rorive on engaging in real dialogue, rather than (excessive) compliance checks.

When asked how, he replies: "The bar must be raised. True resilience can only be achieved through cooperation, transparency and the courage to talk about vulnerabilities. Dare to ask yourself out loud: what really threatens us, and how can we become resilient to it?

Banks did not become frontrunners because they wanted to, but because they had no choice. The vital sector has the same urgency, so it is time to invest in security and governance."

“Many organisations suffer from cyber shame. But transparency always yields more than it costs.”

Cyber shame increases the damage

Incidents are inevitable. The question is how you deal with them. Rorive sees that many organisations keep incidents quiet for too long. "I call that cyber shame. But transparency always yields more than it costs."

He refers to examples. "TU Eindhoven showed how you can gain trust through openness. Clinical Diagnostics did the opposite: weeks of silence, with all the consequences that entailed for partners and patients. Openness is not a sign of weakness; it is the only way to emerge stronger from an incident."

Attackers work well together. Defenders need to do better.

"The core of resilience is easier said than done: collaboration. In that respect, criminals have it easy. One vulnerability is enough to strike. For defenders, the challenge is many times greater: complex systems, countless dependencies. Only with intensive collaboration and transparency can you cope with that. Networking with like-minded people, partners and suppliers makes all the difference. In the first hour of an attack, also known as the golden hour, preparation and collaboration make all the difference. So practising, running through scenarios and making agreements is what organisations need to do."

This also touches on broader themes such as chain integration and the link between OT and IT. "That's where you see how important collaboration is: no single party can solve this on its own."

“The role of the CISO is shifting.”

How does he put this into practice himself? "Security belongs in the boardroom. Too often, security is still seen as an IT issue. But in critical infrastructure, the risks are too great. My role is not to arrange everything myself, but to give the organisation direction and engage in dialogue with directors. Only then will security become a sustainable part of the strategy."

“We can only stand up to attackers together.”

Our biggest challenge for the future

“Threats are constantly changing. Compliance helps organisations mature in the area of security and thus contributes to greater safety. But it is not a finish line. Those who see compliance as the ultimate goal run the risk of experiencing a false sense of security.

Incidents will always occur. The difference lies in how we deal with them. Only through cooperation, trust and transparency can we truly become resilient.”

His appeal to directors and partners is simple but powerful: "Invest in trust. In your network. Share incidents with each other. Practise together. Only then can we turn vital infrastructure from a weak spot into a strong fist against attackers."
