2025-08-09, Delphinus
Language: English
In the realm of cybersecurity, workplaces can be surprisingly unsafe, with a higher turnover of CISOs and alarming rates of misconduct. This talk explores the mechanisms behind this paradox, examining organizational dynamics, the pressures on CISOs, and the emergence of toxic behaviors. By analyzing real-world and some very personal examples, we will uncover the root causes of these issues and provide practical solutions to foster a safer, more resilient cybersecurity culture.
Cybersecurity is a field where pressure is constant, and mistakes can have severe consequences. Yet, for many cybersecurity professionals, the greatest threats do not come from external attackers but from within their own organizations. In one striking example, a security researcher discovered severe vulnerabilities in a widely used product, only to be dismissed as "overreacting" by management—a classic case of gaslighting. At Equifax, a CISO faced public blame for a devastating breach, despite years of underfunding and ignored warnings about outdated software. In another case, security engineers at SolarWinds raised concerns about critical vulnerabilities that were ignored—vulnerabilities that were later exploited in a massive supply chain attack affecting thousands of organizations.
These toxic dynamics are not just isolated incidents; they are symptoms of a broader problem in the way organizations perceive and manage cybersecurity. Security is often seen as a cost center—a department that creates problems rather than solving them. This mindset fuels blame-shifting, where CISOs become scapegoats after breaches they lacked the power to prevent. Even worse, security professionals who try to escalate serious risks are sometimes ignored, marginalized, or even retaliated against. A report by (ISC)² found that 60% of cybersecurity professionals have experienced burnout, and nearly one-third have left jobs due to toxic work environments. Such conditions not only harm individuals but also weaken an organization’s overall security posture.
But it doesn’t have to be this way. This talk explores how more mature industries have learned to overcome similar toxic dynamics. What can we learn from those experiences? By drawing on these examples, this talk will identify practical steps to transform cybersecurity into a healthier, more resilient field, one where burning out people is no longer the net result of dealing with security.
Brenno de Winter is a distinguished cybersecurity expert, ethical hacker, and thought leader known for his relentless commitment to transparency, accountability, and ethical technology. After years in IT, De Winter transitioned to journalism, where he combined his technical expertise with investigative reporting. His work exposed serious security flaws in government systems, corporate networks, and public infrastructure, driving meaningful change. His reporting was characterized by a clear, accessible style that made complex cybersecurity issues understandable to a broad audience. This approach earned him the title of "Journalist of the Year" in the Netherlands in 2011.
He is the cat-father of OpenKAT, an open-source cybersecurity monitoring solution, and led the initiative of MIAUW (Methodiek voor Informatiebeveiligingsonderzoek met Auditwaarde), a structured methodology for penetration testing that has been adopted by organizations seeking to ensure audit-quality security assessments. While MIAUW was his initiative, its development has been a collaborative effort, benefiting from the contributions of other experts in the field.
De Winter is also a respected voice on privacy rights, digital resilience, and regulatory compliance. He regularly speaks on topics such as NIS2, ISO 27001, the GDPR, and the Cyber Resilience Act, offering practical guidance on navigating the complex world of digital regulation. His focus on bridging the gap between technical security measures and organizational governance has made him a sought-after advisor.
Beyond his consultancy work, De Winter remains an active advocate for cybersecurity awareness. He has launched the "Katcast" podcast, where he discusses cybersecurity, privacy, and digital rights, making these critical topics accessible to a broader audience. His passion for teaching and his dedication to ethical technology continue to drive his work, making him a respected figure in the cybersecurity community.