Secret CSO: Jos Aussems, Xydus

What advice would you give to aspiring security leaders? “Don’t be cautious in making career choices. Making risky choices and experiencing whether the work helps you learn.”

Headshot of Jos Aussems, CISO at Xydus

Name: Jos Aussems

Organisation: Xydus

Job title: Chief Information Security Officer

Date started current role: February 2022

Location: UK

Jos Aussems joined the Xydus leadership team with responsibility for the critical role of keeping the organisation, and its customers’ data locked down. A fruitful 17-year career at PwC has proven his prowess. At PwC, Aussems moved from senior roles in tech consultancy to the management of one of the leading cyber teams in the industry. His position at Xydus has reunited him with former colleagues and peers as he and his team establish a world-class security capability.

What was your first job? After leaving university in 2005 I joined PwC as an IT auditor not really knowing what IT auditing entailed. My only goal was to work for a big international company with lots of opportunities and at the time PwC offered exactly that.

How did you get involved in cybersecurity? I travelled around several different departments while working at PwC and considered myself to be an intrapreneur, building new services and products under the PwC umbrella. One of these services included setting up PwC’s ISO 20071 certification business, which is where I started my cybersecurity journey.

What was your education? Do you hold any certifications? What are they? I went to Tilburg University where I gained one Masters in Organisation and Management, and a second in Information Management, which sits between IT and business. At PwC I was a Certified Information Systems Auditor (CISA) and a qualified ISO27001, ISO9001 and ISO22301 auditor. I’m also a certified scrum agile product owner.

Explain your career path. Did you take any detours? If so, discuss. After consulting at PwC for about six or seven years, I decided to set up the ISO20071 certification business within PwC. I noticed that cybersecurity was an area with lots of opportunities, both within PwC where there was increasingly more of a focus, but also in wider society. It’s a great domain to work in but I learned that I am more of a consultant than an auditor. So, from here, I started spending more time consulting in cyber, moving from one engagement to another. It was a great learning experience to contribute to improving so many security functions from global technology providers, organisations in the nuclear energy space to the semiconductor industry. 

After a couple of years, I wanted to go on a journey with a scale-up, to make a lasting impact on a company and its path towards growth. This is where Xydus came along. I knew the CEO, Russell King, from my time at PwC. Moving over and joining as CISO has been a big step change for my career. In moving to the other end of the table I now feel I can make more of an impact and contribution to fixing the global digital identity crisis.

Was there anyone who has inspired or mentored you in your career? I would say both of my grandfathers - their work ethic and no nonsense mentality towards getting things done really inspired me. They also inspire me to always keep learning.

What do you feel is the most important aspect of your job? It has to be building a team. Helping to nurture and grow their talents but also instil a work ethic that promotes unity and of course security.

What metrics or KPIs do you use to measure security effectiveness? At Xydus, KPIs for security need to provide a holistic overview of our security posture. They should address time, quality and cost elements, e.g. spending against budget, meeting sprint objectives, and resolution times of security incidents. Also, company objectives should provide focus, be it cyber resilience, protecting customer data or regulatory compliance. Finally, less is more - carefully considering and selecting KPIs is vital to avoid analysis paralysis.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Xydus is a scale-up going through rapid growth - last year it saw a 600% increase in sales. To support its next stage of growth we have been focussing on building and developing our engineering teams, which of course has hurdles to overcome. The main skills shortage we’ve faced is in AWS security architects and infrastructure engineers - they are in high demand as more organisations use AWS to bring their infrastructure into the cloud.

Cybersecurity is constantly changing – how do you keep learning? I gain many new insights from talking to fellow CSO’s in my network. I find reflecting on different approaches to security depending on industry and organisational specifics particularly valuable. I also believe in building partnerships with key suppliers and leveraging their expertise and knowledge of our estate as a source of learnings.

What conferences are on your must-attend list? Enigma 2022, IEEE Symposium on Security and Privacy, Cyber Security & Cloud Congress.

What is the best current trend in cybersecurity? The worst? The best has to do with the use of AI to combine and interpret data sources and alerts from within the organisation with threat intelligence to almost predict security incidents before they happen.

The worst is a growing tendency of security technology providers to over-promise. Identifying which elements of the security technology landscape a provider can cover can be challenging, which is why I focus on building lasting partnerships with our key security technology providers based on honesty and transparency.

What's the best career advice you ever received? Make sure you have a good work life balance. It’s essential to balance this in terms of job stability and the effort you put in vs the energy you get back.

What advice would you give to aspiring security leaders? Don’t be cautious in making career choices. Making risky choices and experiencing whether the work helps you learn. Staying in one job for too long only doesn’t always help you expand your mind and experiences.

What has been your greatest career achievement? It is difficult for me to qualify career achievements, to compare and select the greatest achievement. Having the privilege of working with a team of talented security professionals is just as, or even more, rewarding as winning the next big contract.   

Looking back with 20:20 hindsight, what would you have done differently? I consider myself a generalist, looking at security primarily from a governance, risk and compliance perspective. I am quite effective in explaining security from a business perspective to C-level executives. My time at Xydus so far has emphasised the importance of ‘getting your hands dirty’ specifically when it comes to SecDevOps, something I would have focused on a bit earlier in my career with perfect hindsight.

What is your favourite quote? There’s one quote I’ve always loved, which I believe is attributed to Einstein: “Everything should be made as simple as possible, but not simpler.” To me this means if you claim to have an understanding of a very complex subject you should be able to explain it in simple terms.

What are you reading now? I’m currently reading a book by Sam Harris called Waking Up. It’s all about neuroscience and psychology, looking at the philosophy of the mind and the nature of consciousness. It’s incredibly interesting but has absolutely nothing to do with Information Security! Although reading expands the mind and helps put things in perspective.

In my spare time, I like to… Do the usual, really - spend time with my niece and nephew, my family, my friends.

Most people don't know that I… paid my way through University studies being a DJ at a club in my hometown in the South of Holland.

Ask me to do anything but… Configure a firewall :-)