Secret CSO: Jos Aussems, Xydus

Name: Jos Aussems

Organization: Xydus

Job title: Information Security Manager

Start date of current role: February 2022

Location: UK

Jos Aussems has joined the Xydus leadership team with responsibility for the critical role of keeping the organization and its customers’ data locked down. A successful 17-year career at PwC proved his prowess. At PwC, Aussems rose from leadership roles in technology consulting to managing one of the industry’s leading cyber teams. His position at Xydus has reunited him with former colleagues and peers as he and his team establish a world-class security capability.

What was your first job? After leaving university in 2005, I joined PwC as an IT auditor without really knowing what IT audit entailed. My only goal was to work for a large international company with many opportunities, and at the time PwC offered exactly that.

How did you get involved in cybersecurity? I moved through several different departments while working at PwC and considered myself an intrapreneur, creating new services and products under the PwC umbrella. One of those services included setting up PwC’s ISO 27001 certification business, where I started my cybersecurity journey.

What was your education? Do you have certifications? What are they? I went to Tilburg University, where I got a master’s degree in organization and management, and a second in information management, which is somewhere between IT and business. At PwC, I was a Certified Information Systems Auditor (CISA) and an ISO27001, ISO9001 and ISO22301 qualified auditor. I am also a certified Agile Scrum Product Owner.

Explain your professional background. Did you take any detours? If so, discuss. After being a consultant at PwC for about six or seven years, I decided to create the ISO 27001 certification activity within PwC. I noticed that cybersecurity was an area of great opportunity, both within PwC, where the focus was growing, but also in society at large. It’s a great area to work in, but I’ve learned that I’m more of a consultant than an auditor. So from there, I started spending more time consulting in cyber, moving from engagement to engagement. It was a great learning experience to help improve so many security functions, from global technology providers and nuclear power organizations to the semiconductor industry.

After a few years, I wanted to embark on a journey with a scale-up, to have a lasting impact on a company and its path to growth. This is where Xydus came in. I knew the CEO, Russell King, from my time at PwC. Moving on and taking the position of CISO was a big change in my career. Moving to the other end of the table, I now feel like I can have more impact and help solve the global digital identity crisis.

Has anyone inspired or mentored you in your career? I would say both of my grandfathers – their work ethic and no-nonsense mentality for getting things done really inspired me. They also inspire me to always keep learning.

What do you think is the most important aspect of your job? You have to build a team. Help nurture and develop their talents but also instill a work ethic that promotes unity and of course safety.

What indicators or KPIs do you use to measure security effectiveness? At Xydus, KPIs for security should provide a holistic view of our security posture. They should address time, quality, and cost elements, such as spend versus budget, meeting sprint goals, and security incident resolution timelines. In addition, business objectives should be focused, whether it’s cyber resilience, customer data protection, or regulatory compliance. Finally, less is more – careful consideration and selection of KPIs is essential to avoid analysis paralysis.

Is the security skills shortage affecting your organization? What roles or skills do you find most difficult to fill? Xydus is a rapidly growing scale-up – last year it saw a 600% increase in sales. To support its next stage of growth, we have focused on building and developing our engineering teams, which of course has hurdles to overcome. The main skills shortages we’ve faced are AWS Security Architects and Infrastructure Engineers – they’re in high demand as more organizations use AWS to integrate their infrastructure into the cloud.

Cybersecurity is constantly evolving – how do you keep learning? I gain a lot of new knowledge by talking with other CSOs in my network. I find it particularly helpful to think about different approaches to security based on the specifics of the industry and organization. I also believe in building partnerships with key vendors and using their expertise and knowledge of our domain as a source of learning.

What conferences are on your must-see list? Enigma 2022, IEEE Symposium on Security and Privacy, Cyber Security & Cloud Congress.

What is the best current trend in cybersecurity? The worst? The best has to do with using AI to combine and interpret data sources and alerts within the organization with threat intelligence to almost predict security incidents before they happen.

The worst is a growing tendency for security technology vendors to overpromise. Identifying which elements of the security technology landscape a vendor can cover can be difficult, which is why I focus on building lasting partnerships with our leading security technology vendors based on honesty and transparency.

What’s the best career advice you’ve ever received? Make sure you have a good work-life balance. Balancing this in terms of job stability and the effort you put in versus the energy you get back is key.

What advice would you give to aspiring security managers? Do not be cautious in your career choices. Make risky choices and see if the work helps you learn. Staying too long in the same job doesn’t always help you broaden your mind and your experiences.

What has been your greatest professional achievement? It is difficult for me to qualify professional achievements, and to compare them and select the greatest. Having the privilege of working with a team of talented security professionals is just as, if not more, rewarding than winning the next big contract.

Looking back with 20:20 hindsight, what would you have done differently? I consider myself a generalist, looking at security primarily from a governance, risk, and compliance perspective. I’m pretty good at explaining security from a business perspective to C-level executives. So far, my time at Xydus has emphasized the importance of “getting your hands dirty”, especially regarding SecDevOps, something I would have focused on a little earlier in my career with perfect hindsight.

What is your favorite quote? There’s a quote I’ve always loved that I believe is attributed to Einstein: “Everything should be made as simple as possible, but not simpler.” To me this means that if you claim to have an understanding of a very complex subject, you should be able to explain it in simple terms.

What are you reading right now? I am currently reading a book by Sam Harris called Wake. It’s about neuroscience and psychology, looking at the philosophy of mind and the nature of consciousness. It’s incredibly interesting but has absolutely nothing to do with information security! Although reading broadens the mind and helps put things into perspective.

In my spare time, I like… Business as usual, really – hang out with my niece and nephew, my family, my friends.

Most people don’t know that I… paid for my university studies as a DJ in a club in my hometown in the south of Holland.

Ask me to do anything except… Configure a firewall 🙂
