Jo Deblaere (Cyberwolf.io): 'Hackers Gain Access to Corporate Networks Via the Private Sphere'

You worked for Accenture for no less than 38 years... We rarely see such loyalty to a company these days.
‘I also always say that I have worked for a lot of different companies - but they all happened to have the same name. Over the past decades, I have been able to do many different things in many different parts of the world, a world that was also changing rapidly. I have always found new challenges along my way. That kept the work exciting and varied. But yes, 38 years is a long time. As a result, Accenture has become a part of my DNA. Anyway, Accenture will always form the biggest part of my CV.’

What will you miss the most?
‘What I already miss is juggling between teams 20 times a day. That was what made my job as COO fun and what I was also good at: facing all kinds of complex, exciting and interesting challenges at a fast pace. From one problem to another urgent issue. That tempo, that pace, is addictive. But I have to be honest: you cannot keep up that pace forever. It is important to stop at the right moment to avoid becoming a caricature of oneself. I am glad I was able to pass on the relay baton to the new generation at the right time. I will definitely continue to use my good qualities. But no longer full-time. I work at a lower gear now, but with just as much passion.’

What things do you miss the least?
‘What I miss the least is the jet lag. Waking up with sunken eyes at 03:00 in the morning in a hotel in the United States, for example. Those were the down moments, and they were quite frequent.’

Over almost four decades of Accenture, you have seen the world change. Can you describe how that was?
‘There is always change, but the changes we saw in the last decade are unprecedented, especially regarding digitalization. And the changes in the last five years were even faster than in the preceding five years. The biggest difference from before is that you get less and less time to analyze things. Directors need to take decisions much faster. This means gathering the various perspectives faster to arrive at a conclusion more quickly. It means that companies no longer make their decisions based on 100 percent of the analysis, but sometimes on just 60 percent. It means working with scenarios a lot more. These are big changes. Digitalization impacts the boardroom in a big way. People may once have thought that the technology revolution only affected dark office specialists, but it now deeply affects the boardroom. People, right up to CEO level, now have to deal with products and services they had no idea about until recently. All companies have become digital enterprises. That may not be an original insight, but it is a fact and the most significant change in my active career.’

And all that in addition to the world outside having to deal with unfathomable geopolitical developments...
‘Yes, although I have a slightly different opinion on that than most. Of course, the current geopolitical situation is worrying, but there have been several times in my career when the geopolitical situation was also worrying and that there were geopolitical tensions. OK, the last 15 years have been relatively calm, but that is only a very short period in world history. In that short period, it looked like the world would become more global. Now we are moving more in the opposite direction again, towards a multipolar world, with multiple power blocks. This is a new reality. There is no need to panic about that. Although, it is a fact that crises and challenges abound now. It is not just the geopolitical situation, there is also the digital revolution, the disruption, the climate issues... it is a pretty strong cocktail.’

You will use your knowledge as a non-executive, starting on the Advisory Council of Belgian digital security company Cyberwolf.io. I tried to google it, but in all honesty: that did not reveal a whole lot. Where did you end up?
‘I ended up in Belgium’s best kept secret. Cyberwolf.io is a mystery player in the market. We operate a bit under the radar, we do not do big advertising campaigns and have to rely on word of mouth. Cyberwolf.io has a CEO who prefers not to go public and is not active on LinkedIn. Hidden but present - that is made eminently clear on Cyberwolf's website. In fact, that says exactly what the company does and what it wants to be.’

The company focuses on personal cybersecurity for directors. Why specifically 'directors' and why in particular 'personal'?
‘Directors because people on executive boards and supervisory boards hold the most important positions within companies. And personal because, unfortunately, hackers do not recognize the sanctity of private life. The cyber risk for people in high positions is very high. And the biggest risks lie at the boundary between private and business spheres. A lot of hacks do not directly target companies, but rather have their origins in the private sphere. Hackers enter the corporate environment via that private sphere. We have plenty of examples of hacks being committed through their children’s devices or recently even through a device of the mother of a CEO. And we are not talking about the theft of say just 10,000 euros and some innocent data. No, these attacks immediately involve tens of millions of euros and very sensitive data.
With non-executive directors, there is an additional risk. They often sit on multiple supervisory boards, hold confidential information from multiple companies and are often not included in those companies’ security systems. This is an enormous risk. Furthermore, cybercrime has increased exponentially in recent years. The risk of a hack is a factor of 10 to 20 times greater than the chance of your house catching fire. Now everyone has fire insurance, but when it comes to cybersecurity, we let things slide. And the unfortunate thing about cybersecurity is that the chain is only as strong as its weakest link. And, unfortunately, there are a lot of weak links, especially where it concerns the aforementioned personal part.’

Perhaps, people think that it will never happen to them.
‘The annoying thing about cybercriminals is that they are often indiscriminate. It is not like they always have someone in mind and specifically knock on their digital door. No, they knock on everyone's digital door. And it only becomes a targeted attack after one such door is opened. It is precisely that weakest link that determines how strong your cybersecurity policy is. Too little attention is paid to this.’

It is therefore with good reason that hackers specifically target members of executive boards and supervisory boards. They are generally smart people anyway. Does this mean they lack knowledge on this issue? Or is it a kind of ignorance? Or possibly arrogance? It also reminds me of minister Hugo de Jonge who used his private email while in office, reasoning that the ministry's system was 'too complicated'...
‘I do not know if it is ignorance or arrogance. In the final analysis, it doesn't matter either. Many people probably think: it won't happen to me. After all, companies surely think carefully about their security; they have good firewalls. Cybersecurity is on the agenda of every executive board and supervisory board and you will find some mention about it in all annual reports. But it always concerns the company itself. How do I protect the company? It never concerns the cybersecurity of a supervisory board member. After all, what about the supervisor's mobile phone or iPad? Or their browsing habits? Supervisory board members also presumably sometimes sit on a train reading highly confidential documents. And his phone probably contains confidential documents from multiple companies. One such supervisory board member's password might be retrievable from a website where he once ordered coffee. These are big risks. In my opinion, it is usually not arrogance or malicious intention. However, I still do not feel any sense of urgency among directors to do anything about it. Cybercrime was always a distant concept. But believe me: growth is exponential, and the floodgates are breaking.’

The problem is clear. The only question is of what use can Cyberwolf.io be?
‘I have Cyberwolf.io technology on all my private devices: On my iPhone, iPad and MacBook. Cyberwolf.io uses software to monitor what is going on 24/7. Everything is monitored and protected. Of course, while respecting privacy rules. If I look at a picture of Ms. X or Mr. Y on Google images, that is not something that is registered.’

How did you actually end up at Cyberwolf.io?
‘I know the founders of Cyberwolf.io well. We went out to dinner with our wives once. It then became apparent that our working agendas for the coming months had a very clear thematic overlap. One thing led to another. But that is the short story. The bigger story is that I am convinced that cybersecurity will remain one of the top three priorities for companies for a very long time. There is still a lot of work to do.’

I had actually hoped you would tell a juicy story about the time when you too became a victim of hackers...
‘No, I do not have such a story. Fortunately. Recently, I did receive a very suspicious e-mail from an acquaintance of mine, someone who is on the board of several companies, industry-leading companies in fact. I called him immediately. It turned out that he had been hacked. All his contacts had been stolen and all those contacts were receiving emails that were really not kosher. If you click on it, malware is immediately installed on your mobile phone. And malware on your mobile phone is the absolute worst thing, because - and I do not need to tell you - your mobile phone has everything on it these days. But no, I have never been hacked myself.
Although I do have a funny anecdote about my onboarding at Cyberwolf.io. They immediately launched a digital investigation into me here. What sensitive information could be found about me online? I was not really worried about this because I thought I knew everything based on previous research. Nevertheless, they managed to find a few things. I was surprised. But do you know why? It is down to the scope. Scope is everything. They focused on the private part. It is a private service that the company provides for its leadership. This allows the company to sleep at night when confidential information is exchanged.’

One may well wonder where the line should be drawn. Should the next step be protecting one’s mother and children?
‘Well, I understand your question. I just do not have the answer. Or have not yet. Time will tell. There are already directors who include their entire family in a security sweep. But ultimately it will be a trade-off in which costs and benefits are considered. I suspect we have some way to go before we find the right balance in this. But first, let us start at the beginning.’

This interview was published in Management Scope 09 2022.