Joost de Jong new Chief Information Security Officer

Joost de Jong has been the new Chief Information Security Officer (CISO) since September 1. He has seen the world change rapidly: cyberattacks are much less harmless than before, while at the same time, privacy and security awareness has increased among individuals and organizations. "The entire outside world now demands higher quality standards."

At the time of the interview, he has been installed for one week and one day, but "it already feels quite familiar." That’s not surprising: he had already spent four years at TU/e as Product Owner Security Operations, working closely with the previous CISO, Martin de Vries. Under De Vries, the CISO position has shifted from a position within LIS to a more 'external' advisory role under General Affairs. De Jong considers this a positive development. "As a CISO, your responsibilities now extend beyond IT security. Independence is legally regulated for a data privacy officer (dpo), but not for the CISO. That's why we've proactively resolved it this way."

Higher and different demands

De Jong has seen the world change in recent years. "It's become a lot more intense, and cyberattacks are much less innocent than they used to be. For the criminals it’s no longer just about making money; there's also deliberate damage being caused. That's a societal problem."

He also notes that this changing world, in which privacy and security awareness has increased, has led research partners and grant providers to impose different and higher demands on the university. "The ministry imposes stricter requirements, but so do hospitals, for example, that provide data for research, and grant providers that want data on how we handle incidents. Researchers sometimes think audits are mandatory because of LIS or the Executive Board, but it’s the entire outside world that now expects higher quality standards. It's important to understand that."

Toolbox

The new CISO acknowledges that TU/e is a high-risk organization and will always remain so. “That’s inherent in collaboration in science and knowledge sharing. I used to work at the Ministry of Defense. You make such high sacrifices there for extreme security, which come at the expense of user-friendliness and collaboration opportunities. You don't want that for a university.”

In his new role, De Jong wants to make TU/e a bit more resilient. "I want the organization to be so well-structured that there's a toolkit for special equipment and setups. Take, for example, a device that ASML is donating to TU/e. It might be interesting and valuable for research, but if the condition is that they no longer maintain it and it doesn't receive updates, that’s also a cyber security risk if you connect the device to the internet. These situations occur more often than you think. We need to provide proper support solutions for them. It saves time and money if you don’t have to reinvent the wheel every time."

He also wants to improve workplaces and make them more secure. "I want to move towards a situation where we, as IT, need to rely less on the knowledge and discipline of individuals within the organization. The impact of anything a student or employee might do wrong will be smaller because we've already secured everything so well. If we manage the technology properly, it allows us to ask less of people. Currently, we sometimes still make people responsible for more than they should be." 

Former CISO Martin de Vries has left TU/e after more than four years in his position. He says he had a wonderful time, both personally and professionally. "And although we were affected by the cyberattack in January — it was never a question of if, but when an organization will be hacked, because there's no such thing as hundred percent security — there's still a lot to do. A great assignment for my successor," he writes.

De Vries also has a piece of advice for De Jong: "Go – even more than I already did – to the departments to see what they're up to and connect. Understanding each other's situation is important in advancing security within TU/e." The new CISO fully agrees with this. "I don't want that toolkit for myself, but to better support the organization. For IT support, most business operations within a university like finance and HR are similar to those in other sectors. But scientific research and labs are truly the most challenging areas for IT to support. If you can find a good solution for those, you really have come a long way."
