According to Sanne, it can sometimes be a challenge to explain in simple terms exactly what the role of the security organisation is. To do so, she often uses a metaphor. ‘The university can be compared to a village,’ she says. ‘It’s a village with several roads, which are the faculties and divisions, and these have a lot of houses on them. Take the road of Academic Affairs, with the houses of the Osiris and Brightspace applications. Each department is responsible for maintaining its own house.’
This metaphor goes beyond the structure. Just like the residents of a village, organisational units have to deal with policies, explains Sanne. ‘In a village, it’s the municipality that implements policies. For example, if you want to build an extension, you have to apply for a permit and comply with safety regulations. Within our university, we as the security organisation are the municipality: we make the rules and facilitate support to make sure, for example, that the hypothetical fire brigade turns up if a cyber incident occurs. But homeowners do have to install their own smoke alarms. It’s only by working together that we will keep our university village safe and secure.’
Sanne says that this also requires employees to take responsibility. ‘Make sure that digital files are secure. Compare this to your home: when you leave, you lock the door. And you don’t just give away the key to your home either.’
Role of CISO
As CISO, Sanne sees it as her mission to ensure that the university can function securely and resiliently in an increasingly complex digital world. She helps make digital risks easy to understand and manage. ‘Within our university, it’s all about creating, sharing and preserving knowledge. For this purpose, we work with large amounts of data and all kinds of systems and in collaboration with suppliers or other institutions. I develop policy that covers basic arrangements for working securely online, and I advise the Executive Board on digital risks: from phishing to the threat of a ransomware attack, like Eindhoven University of Technology faced in early 2025.’
Those risks, according to Sanne, strike at the very heart of the university. ‘Information security says a lot about our licence to operate. With external collaborations for scientific research, good information security is expected. It underpins our operations. As CISO, I am always available for questions or discussions, but each faculty also has its own Security and Privacy Officer for specific questions, for example about digital risks when doing research abroad.’
Increasing digital awareness
Sanne therefore advises all employees to take responsibility themselves. ‘Increase your digital awareness. You can do this by following the e-learning called “For your eyes only”, which contains examples of digital risks from everyday practice and helps you to recognise them. Our aim is to organise technology in a way that enables you to work securely without having to take additional action. But you will need to stay alert to suspicious emails, because we do work in a place with information that outsiders would be interested in getting their hands on.’
Besides the aforementioned e-learning, employees throughout the university are regularly given the opportunity to take short fast classes online as well as attend lectures on working securely online. Within faculties too, there are an increasing number of initiatives, from lunchtime lectures to training courses. Sanne believes this is necessary because information security must become self-evident. ‘It is as much part of our operations as HR and Finance. I myself originally came from the world of communications. Cybersecurity and hacking seemed rather irrelevant to me at first. The themes were complex, but I learnt that it’s important to make them understandable so that everyone becomes aware of them. Cyber threats do not stop at national borders, which makes them challenging. We want to be a resilient university: if cyber incidents occur, we have to be able to manage and recover from them properly.’
There is a lot of relevant knowledge available within the university. ‘More than we often realise,’ explains Sanne. ‘From AI research at the Donders Institute to the Cyber master’s at the Faculty of Science and the work of iHub. We can learn a lot from each other. My hope is that we will make better and better use of all the knowledge we have within our university.’
Want to know more? Visit the ‘Privacy & Security’ page.