Fleur van Leusden
I'm currently CISO for The Dutch Institute for Vulnerability Disclosure and for the Dutch Authority for Consumers and Markets (Dutch government).
I'm very passionate about CISO-ship and like to share my knowledge and experience in a way that is funny, but has a serious message as well.
Pentesting can provide vital information to organisations about their security. However, many reports end up never being used or not being used to their full potential. That is partly due to the pentesters and their writing skills, but in large part it is also attributable to CISOs' lack of guidance and involvement.
I am not a spokesperson for all CISOs, but I do have quite a bit of experience in the pentesting field as a CISO. As such, I would like to share my thoughts about how a CISO can lead the pentesting process as effectively as possible, as well as what I as a CISO like to see in my pentesting reports.
I will also highlight why some reports don't get used and why I think we struggle with this as much as we sometimes do.
I think this information is useful for pentesters and CISOs alike, because it shows both sides how the other one works and thinks.