The Amrop Digital Interviews: Jan Joost Bierhoff, CISO Heineken
“The reporting line is important, but even when that’s in order, the CISO needs to do the hard work”
Companies are under more pressure than ever to push technology transformation at a faster pace, while paying much more attention to the organization’s information, cyber, and technology security. The tension between enabling business objectives through technology and maintaining a robust security posture is especially challenging when the CISO reports to the CIO.
Amrop’s Global Digital Practice, together with global search partner JM Search, has been studying common areas of C-suite tension through a series of interviews with CIOs and CISOs in Europe and the US. In the third of our series, Job Voorhoeve, leader of Amrop’s Global Digital Practice, interviewed Jan Joost Bierhoff, CISO at Heineken, the Dutch multinational brewing company founded in 1864. They discussed reporting lines, communication-related competencies, and the collaborative nature of the CISO community.
Q: It would be great to hear how you started your career and became a CISO.
A: In my first years with Deloitte I spent nearly 60-70% of my time as an auditor, mainly in Africa, helping the more up-and-coming countries with their IT security. I then started in one of the breweries of Heineken, dealing with their IT security and, at that time, the satellite connection. Afterwards I joined the IT department of Heineken to work on lowering the risk profile. I am now globally responsible for the whole security function of Heineken, which is present in 190 countries with breweries in over 80 countries. I currently report to one of the Board members, the Chief Digital and Technology Officer; before this year I reported to the CIO.
Q: There often appear to be tensions between the priorities of enabling business objectives through technology and maintaining a robust security posture. What have you found to be the specific areas where these tensions most clearly manifest? (e.g., technology, ownership and accountability of technology and delivery, budget priorities and constraints, other?)
A: For Heineken it’s mainly about gaining trust in the supply chain domain. It’s the heart of our existence. Of course, we're super good brand managers. That's the other power of Heineken. So, our brands are super strong. But you can only do that if your product actually is reliable, and its quality is always exactly the same. So, the breweries became more automated over time. Even at this moment in time one of our breweries in India is not automated at all. There's no automation, there's no technology. So, it used to be how we worked. And over time more and more IT got into our operational technology sites. Also, our hand in IT security became stronger and stronger. And there are, of course, the brewers – they’re not distrusting us, but in the end, it's their domain. Some of them are already getting a bit further in their career, less flexible to changes and also less flexible to technology changes in particular. So, we’ve needed to step up massively to take them by the hand and say: we're not a threat. We're here to protect your breweries even better, but really, it’s about gaining trust, and even at certain moments we might need to take control of the brewery from a technological point of view, while they do the delivery of the products. That needs to go hand in hand. So that's where the biggest gap to fill is - in gaining trust, in taking over when needed.
Q: How is that done when it comes to setting priorities and from a budget perspective? I can imagine that it's going to cost them, right? One thing is gaining trust and being open for a discussion, but, at the same time, it all comes down to the budget. What, in your experience, is the key to success when it comes to dealing with those tensions?
A: Credit for success in this respect definitely goes to the CEO and the executive team in shaping the “Evergreen” strategy, which provides very clear goals as to how we, as Heineken, want to grow. There’s a whole set of activities which need to be done. These are called the top 25 programs which need to be done, but 80% of these are supported by technology, and all of them have an IT component. One of them, for example, is the OT security, and from the funding perspective, it’s really almost equal to what’s dedicated to our B2B agenda. Thus, while we, of course, also have central pockets with funds available, the breweries are requested to allocate between 2% and 8% of their budget, depending on the country, to OT security. We set them on course, the program is spread over three years, but the request to allocate the budget is set by the executive team, thus making it relatively easy to make sure it happens. And then it’s a matter of delivery, which is, of course, hard enough in itself.
Q: Were you involved in setting the percentage and scoping that? How did you do it?
A: It is a massive jigsaw, of course. So, for example, some operating companies don’t have a brewery and only have a sales office, so in their case the project is not applicable, and the security budget is zero. But in the 80 sites residing in the 40+ operating companies it is really a matter of how many firewalls are still out there. It means really breaking it all down.
Q: You’ve basically done an audit for all of them?
A: Yes, my audit background has helped a lot. But it is also our HR team, which has done a great job identifying what Heineken is. So, if I go to the HR system, I can really zoom in on the operating companies and see, for example, how many people work in a brewery, and even that gives you a flavor of what it might need in terms of security awareness campaigns. Also, my IT colleagues have helped a lot by getting us more insights into the assets and classifying them per brewery and per country. So, from a central point of view, I can already see how large a brewery is.
Q: So, it’s really about being able to gather the data on the local situation which then helps you define what needs to be done and to scope it. And then there’s probably a dialogue because perhaps the local brewery puts in a minimum, the 2% and then you need to go in and say that, well, the bracket was 2% for those who are at a certain maturity but 8% for those who have to start from zero.
A: It’s always the game, where in the end we always ask them to reserve €5K, but, again, security is not the whole amount of money for doing a new brewing line, which also happens, and then we often stay within the limits of the €5K and they have some extra money to play with.
Q: You can put it in the shared service center, so you can help them be efficient on certain elements, you can help them by scale.
A: We could, of course, also secure everything and achieve a certain level of security everywhere – build a very high fence around the house, so to speak. But, in the end, the houses that we really need to work on now are the next level. We’ve put the fence everywhere now, which was the minimum, and now it’s up to our procurement colleagues to see which blocks are the ones that matter the most. What’s the top 10? And the top 50 and 100? Of course, I start with the top 10. What are the supply connections and the supplier engagement with the set-up, the safety on the core side? Which customers really matter globally and which regionally? The company’s money needs to be invested while keeping the priorities in mind, so I’m going one mile further to the operating companies, the customers, the suppliers, or even employees that matter the most.
Q: So, for you the connections are really important, right? Because you’re in the systems connecting with one another, and that’s high-risk, right?
A: Exactly. So, if we look at the hacks that happened on a macro level, those led to warehouses that needed to close. So, we have already sold our beer to them, but then it stays there, and, while it has a shelf life of multiple months, if they don’t sell, we still miss out on the revenue. So, we need to help them as best we can to recover and perhaps even send people to help them recover as soon as possible. In these cases, we step in as a neighbor to help the next-door family recover from the blow.
Q: And that’s, I would say, also typical for the CISO community, because you really see this as a global threat. And you also go in because you see the key learnings for yourself, so you can update your teams on the latest insights. There’s a kind of win-win situation really.
A: That’s true. I’m also exchanging information with a CISO who is a friend; their organization is a friendly competitor, so to speak, because we’ve done some joint acquisitions – we bought an asset together and split it up afterwards. The CISO community really works together. If we see something happening in the Nordics, where they’re active, we inform them if we’ve bumped into a threat – we quickly check in saying that we assume you’ve seen this as well, but if not, please check it out. So that's really where we’re teaming up.
Q: What from your perspective are the pros and cons of the CISO reporting to the CIO vs. working as peers?
A: It all depends on the CIO. I’m blessed with my CIO, who is, first of all, a great guy, but also has a background as an IT auditor. So, in the end, he understands me and my previous role as an auditor. We can have sufficiently heated discussions, but they’re always productive, and we have a very good trust relationship. But he can also help me set priorities and I go to him when there’s really an issue. For example, if we’re moving from one system to another and afterwards I need to start chasing the ones who are running behind, the CIO sometimes needs to stand up and say to everyone that moving is a must if we’re to take our work seriously, if we want to make sure we’re not being attacked. We, of course, take in the feedback and concerns, and then the CIO can direct them to me should any problems occur. The tone needs to be convincing. At the same time, if he were my peer, I would need to take time to convince him, and we might have clashing agendas, but now my agenda is automatically his agenda as well. So, this is a typical example where he's fully briefed, he stands up, tells the story, takes away all the ammunition from other people before there’s fire.
Q: So, reporting to the CIO for you is an advantage, because you have a good working relationship, and you’re part of his team. So, you also understand the technical implications of that strategy, and that’s really important. Because if you weren’t, you would be less connected to the OT, to the networking issues and certain levels of infrastructure, which is so important for you to be able to get it all fixed.
A: Yes, that’s exactly why it works. I definitely wouldn’t classify myself as a peer to the CIO because, after all, he’s a couple of positions higher than me. But in the end, when it comes to the reporting line, we’re sharing the same executive team member. So, the CIO is a lot more important in the company but we’re still in the same layer. His focus is really on building the future of the technology of Heineken, so he’s a lot more forward-looking so to speak. Of course, he’s also taking care of keeping “the old house” in shape, where many of the risks are and which could hamper the future. But also, the new initiatives, the new structures, for which we literally use the #CoolShit, model2, so we are not directly secured by design. So, it’s crucial that I continuously keep him informed about why I’m concerned about either his legacy or his future states. So, there will sometimes be clashing agendas on priority, but he will never overlook things which I’m truly concerned about. He might say: “Let’s not do this now, rather next month”, so it’s about balancing priorities.
Q: That’s very interesting. So, if you have a mature IT organization and the CIO is focused more on the future direction of the technology, you as a CISO are more focused on the legacy of the organization, especially on the OT side, to see if there are issues that still need to be addressed. Could you say that?
A: Yes, exactly. Two of the pillars of “the house” are really about modernizing our front ends, while three pillars are about simplifying and automating the back ends, which, we could say, are more connected to the legacy of the organization. So, about 60% of my focus, and not only mine, is about simplifying and automating the back ends, and, by doing so, making it all smaller and smaller, while broadening the other pillars. Three years from now we hope that all our sales reps and restaurant owners will have 1 to 3 apps to communicate with Heineken – for doing the orders and all other necessary things. That’s the future.
Q: Do you have anything to add with relation to the scope of the responsibility and the philosophy when it comes to technology security? Can you share anything about the frameworks and best practices, considering that you’ve developed such strong and successful relationships?
A: I’m really blessed with the set-up we have, because our executive team really considers cybersecurity to be important. And I have unfiltered access, while some of my peers, other CISOs, sometimes have an issue with even getting into the boardroom, or when they do, there are filters. Of course, I still get my coaching on how to do the best storytelling (laughs), but I am able to have unfiltered sessions with the Supervisory Board members, where my previous role as an auditor helps a lot. Also, budget-wise, Heineken really takes security seriously, not being penny-wise and pound-foolish at all. Besides, I have access to our CFO, our CTO and, of course, our CIO. So, the only thing I can say to my fellow CISOs is, yes, the reporting line is important. But even when that is in order, the hard work needs to be done! See if you can get informal moments with all the people you would want them with – for your cyber insurance you need to talk to the CFO and other colleagues in insurance, and see what’s important for them, so you can get more aligned, more focused with your own agenda; and by doing that you get to connect! Find moments to approach your commerce colleagues, see which apps and which customers are the most important to you, and also approach your supply chain people, who in my case are the brewery staff – see which 15 breweries are the most important. And yes, the supply chain colleagues might not always prefer that you’re talking to the same people as them, but, in the end, it’s also your own responsibility to connect – just ask them if they can join for a coffee if you feel like there’s still some possible hostility there. But really, make those informal connections, and from those you can start building formal moments throughout the year – from the informal beers and coffees you can get to, perhaps, formal biannual connects. And by doing that you gain your place at the meeting room table.
Q: Excellent advice, thank you! Let’s now talk a bit about Enterprise Information Security and Board and ELT Communications. What governance standards need to be in place to make sure that a cybersecurity framework aligns with organizational goals and industry security requirements? How can you best ensure that Boards and ELTs are informed on enterprise cybersecurity programs and risks?
A: So, during the meetings with the Board and ELT we do a one-pager, where we show what our current risk profile is, given that the gross risk on the outside world is growing. We show them how our net risk is reduced by the initiatives that we embark on, we show them what’s happening. And that really makes it tangible for them, because they understand that the gross risk is really there – they read newspapers, they talk to their peers, they know e-commerce sites, B2B apps are going down, factories are being hacked. And we explain what we’re doing to lower that risk, make sure they understand the terminology, and we talk in more detail about the top 5 activities that we’re doing. And there are 150 more activities, but we don’t need to bother them with that, we’re just showing the big blocks. And if they want to know more about the other activities, then the informal connections can again help – colleagues from different geographies can explain what’s happening in the region and so on. And then there’s a discussion on the executive team level about how we can cover the site and do more. So, by using my moment to shine, I can also get other topics on the table. But we always show that the risk is fed by, let’s say, the following 20 angles, and then these angles are cut away or narrowed by the following 5 or 6 initiatives.
Q: Yes, simplify; make it almost a point of view. And it’s also like a scorecard of where you stand and how you develop.
A: Yes. And I can say, if you want me to do more, even if you gave me a bag of money, I cannot do more. If you want to reduce the amount of money or, let’s say, gain more time in spending that money, these are the three angles you can choose, that’s the lever between these brackets in time and euros. So, it’s up to them to decide if it’s about the amount of money.
Q: Yes, so it’s all really clear around where the budget is being spent, what is empowered, what is non-negotiable, what’s okay – you can maybe spread that investment over a longer period of time, but then these are the risks. You talked a bit about the relationship between the CISO and the CIO, but is the CIO also involved in this part?
A: The CIO and I go to the Supervisory Board and executive team meetings together. It’s always about a couple of topics which are at the top of our minds. These are usually about the largest investments and the progress we make out there, and they’re usually chaired by our CIO and heavily supported by our CTO. And then we also discuss the biggest risks – and the budget which needs to be successfully spent. And when it comes to risk, one of the big risks is around cybersecurity, but, because I used to be the voice of risk on the other side of the table, they also bring me in to discuss the other risks out there. So, there are often three agenda topics, and the CIO does the overarching security story, where we can zoom in on a couple of supervisory or deeper questions.
Q: The CIO, CTO, and you go in together?
A: Yes, and the three of us are aligned, we do five or six slides in there. It’s great to be part of the discussion, and the two of them have helped me immensely with the pitching, the storytelling – they sometimes coach me quickly, five minutes before we go to the Board meeting, they could say: it’s good, but if you bring it in like this it’s even more powerful. That kind of support is priceless.
Q: That’s really great, you’ve really been set up for success by your Board and your CIO. So, it’s all about the collaborative effort and bringing the awareness there, and, of course, you being the subject matter expert there. So, when it comes to really complex questions and they want to poke, you know that you are the one to have the answers for certain elements. And my final question: if we talk about the regulatory developments across Europe and the US, how does it impact your scope and responsibilities and also your necessary interactions with stakeholders?
A: The impact is enormous. When it comes to many of the regulations, we really welcome them, because, if we look at, for example, GDPR – because of the existence of GDPR it has become much easier to get data privacy out there in the rest of the world. We can have debate after debate about the European Union, and, sure, there are the good, the bad and the ugly components to it, but at the same time they’re really making regulations that are going to rule the world, and we do welcome those. But yes, it means that there is a tsunami of activities that need to happen right now, some of which will help us massively, but to implement all that, I, for example, need to debate with some of my suppliers about why they’re delivering old operating systems as part of their brewing line – in the future I could even sue them for doing that! So, it’s going to be about calibration, because they also need our help in figuring out what to do, it's, of course, not done on purpose. I think it will involve a lot of collaboration with our large European companies to deliver state-of-the-art operating systems with our brewery or conveyor belts.
But there are also other things which I cannot foresee at this stage, like the law around the use of AI. Even yesterday we had a debate with the ethics committee about the use of AI. And it’s going to be a big question for our company because some of the things are viewed as ethical in some geographies but not in others. So, what will be our ethical lens? Again, there is no good or bad, but in the end, we will have to choose our lens. We are active in a number of countries and are often really doing good for the local communities by raising welfare, uplifting the community spend. But the perspective in some other countries on this might differ. So, I’m welcoming the regulation, and I think that, as a global multinational, some of the low-hanging fruit will be easy, but there’s going to be some debate on what’s ethical, for sure. It will surely make our life spicy, and there will be debates, which we should have as a company over the edge of technology. It’s not going to be easy.
Q: Is the cultural awareness element, the international component in your role, really becoming more important?
A: We always need to keep that lens in mind. Within the European Union, let’s not lower our threshold, and be extremely harsh on the non-negotiables while implementing the legislation. At the same time, for the things where we simply don’t yet know how they’ll be implemented, let’s give it more time to give some countries time to adapt. We don’t want to stop the conversation.
Q: Great. Can I just try to summarize your approach to the reporting structure again: it doesn’t really matter where you are positioned as long as you have the unfiltered capability to talk to the leadership team around the cybersecurity issues; and when working together with the CIO you need a very strong relationship regardless of whether you’re reporting to them or working independently. Because you still need them to make things happen.
A: Yes, and another very important element is trust – because I’m not micromanaging my colleagues. I know that if they really have doubts they reach out to me, and if I need to come to them with a question they know it’s been well thought-through. So trust is the one thing that’s very important to gain on all levels – my level, but also on the level of the audit team and IT team, because if we do something they then know that we’re doing it for a very good reason.
A very special thank you to Jan Joost Bierhoff for his insights and thoughts!
For more perspectives from former CISOs and CIOs, read our full study on CIO & CISO: Managing Tensions and Working Together.
To find out more please contact Job Voorhoeve or the Amrop Digital Practice members in your country.