BUILDING CYBER RESILIENCE IN RETAIL

Presented by Dirk Beynaerts, CISO at Colruyt Group, at BE-CEC on September 11, 2025 in Dolce, La Hulpe

A case study presented by Dirk Beynaerts on how Colruyt Group transformed its cyber defense. 

Colruyt Group represents nearly €11 billion in revenue, half a billion euro in investments per year, over 33,000 employees, over 2,000 people in IT and over 70 people in cybersecurity.

What does the size and complexity of the Colruyt Group mean for cybersecurity?

Case for action

Colruyt’s cybersecurity posture, while in “OK-ish” shape in the present state, clearly required a transformation to meet the growing risks and challenges of the digital landscape. An external formal assessment confirmed what was already acknowledged internally: although progress had been made, it was insufficient, unstructured, and lacking long-term direction.

The absence of a clear strategy and vision meant that cybersecurity initiatives were often reactive rather than proactive. This was compounded by a fragmented security architecture and the persistence of legacy systems, both of which weakened resilience and increased exposure to threats.

In addition, governance and steering mechanisms were not clearly defined, leading to siloed decision-making and a lack of alignment with business priorities. Cybersecurity was too often perceived as a source of friction instead of an enabler of business value and innovation, further limiting its effectiveness across the organization.

The overall risk posture needed significant improvement to achieve higher quality and maturity. While there was acknowledgment that work needed to be done, there was uncertainty about the how—how to prioritize, how to organize, and how to set a sustainable path forward.

This combination of challenges—an acceptable but fragile baseline, legacy and fragmented systems, lack of governance, and insufficient strategic clarity—created a compelling case for action. Transformation was necessary not only to strengthen security, but also to reposition it as a business enabler, underpinned by a clear long-term vision and a structured program of improvement.

There was a clear case for action. So, when Dirk Beynaerts started as CISO at Colruyt Group, he was given the following assignment:

  • Create a Security Strategy & Vision
  • Develop and execute a long-term roadmap

Colruyt’s Security Strategy & Vision

Colruyt’s security strategy is designed to ensure the right level of protection—strong enough to safeguard the business, yet pragmatic enough to avoid unnecessary complexity. The focus is on striking a balance: enough security, but not too much.

The strategy is built around six key pillars:

  1. Embed security in the IT lifecycle
    Security is not an afterthought but an integral part of every stage of the IT lifecycle—from design and development to deployment and decommissioning. By embedding controls early on, Colruyt ensures that systems are secure by design and secure by default.

  2. Make IT security SMART
    Security objectives and measures are made Specific, Measurable, Achievable, Relevant, and Time-bound (SMART). This ensures clarity, accountability, and the ability to track progress effectively, moving from abstract goals to tangible results.

  3. Reduce technical risks
    The organization prioritizes reducing technical vulnerabilities and exposures that could be exploited. This involves addressing legacy challenges, strengthening architecture, and applying consistent controls to lower the overall risk profile.

  4. Be ready to respond
    Recognizing that not all risks can be eliminated, Colruyt invests in incident preparedness and response capabilities. This ensures resilience: when incidents occur, the organization can respond quickly, limit impact, and recover effectively.

  5. Secure solutions for the future
    Security is aligned with long-term business and IT strategy. Future-oriented solutions—cloud adoption, digital transformation, and new customer-facing technologies—are built with robust security in mind to avoid repeating past fragmentation.

  6. Create a security mindset
    Technology alone cannot secure the organization. Colruyt fosters a culture of security awareness and accountability, ensuring that employees at all levels understand their role in protecting information and systems.

Together, these pillars form a coherent strategy that ensures proportionate, effective, and sustainable security—enabling Colruyt to operate with confidence in an evolving threat landscape.

Colruyt’s Security Transformation Journey

Colruyt Group’s Security Transformation Journey was initiated as a strategic response to an increasingly complex and demanding environment. The business case for transformation was built with strong sponsorship from both the CIO and CEO, ensuring leadership buy-in from the very beginning.

Why transform?
The decision was driven by several converging factors:

  • An evolving threat landscape with more frequent and sophisticated cyberattacks.

  • The introduction of NIS2 regulation, requiring stricter compliance and higher accountability.

  • The need to address internal historical gaps in the evolution of security processes, capabilities, and organizational maturity.

Understanding the current state
A clear picture of Colruyt’s risk posture emerged from:

  • Existing external assessments, which highlighted residual risks and improvement areas.

  • A self-assessment using the CYFUN framework, helping to benchmark maturity levels and identify structural weaknesses.

Quantifying and justifying security investment
To secure executive buy-in, Colruyt adopted a structured approach to risk quantification and established a global security risk budget. This allowed the organization to link security efforts directly to business, operational, and financial impact, ensuring that investments were clearly tied to value and risk reduction.

Challenges to overcome
The transformation journey also acknowledged significant organizational challenges: shortages in staffing and expertise, gaps in knowledge, and the need for stronger collaboration across departments. These challenges had to be addressed in parallel to ensure lasting impact.

What & How: A multi-year transformation program
The outcome was a multi-year Security Transformation Program, designed to deliver sustainable improvements across governance, technology, and culture. This program ensures that security becomes embedded in the organization’s DNA—practical, proportionate, and aligned with long-term business strategy.

Benchmarking progress
To remain on track, Colruyt committed to benchmarking its progress against both external standards and industry peers, ensuring continuous improvement and avoiding stagnation.

Principles

The Security Transformation Journey followed these principles.

Beynaerts' principles:

  • Align with Colruyt Group's processes and DNA where it helps; be disruptive where needed
  • Perfection is the enemy of speed
  • Simplicity & pragmatism
  • Use standards (e.g. the CyFun framework)
  • Align security goals with business outcomes
  • Visibility => Awareness => Accountability

Security principles:

  • ‘Assume breach’ mindset
  • Automation is critical in today’s threat landscape
  • Shift to the left
  • Shift to a Zero Trust model
  • Build an adaptive, integrated security architecture
  • Embrace AI
  • Simplification
    • Platform, not point tools
    • Use what you have before buying new
    • Consolidation

Slides (not reproduced here): Colruyt’s Security Transformation Journey – Executive Support & Mandate; Colruyt’s Security Transformation Journey – Security Transformation Program Approach.

KPIs

  • Risk
  • Maturity
  • Project progress (on time, on cost)
  • Cyber insurance
  • Awareness progression

Pillars of the program

  • Stakeholder management
    • Increased IT and business team confidence in the security posture
    • Gained business trust: the security team is invited early into innovation projects
  • Communication & change management
    • ‘On Tour’: IT department, IT communities, business…
    • ‘Unlocked’, a newsletter
    • Enterprise connect: Enterprise Risk, DPO, BCP/DRP, Legal, PA
    • Improved collaboration with non-security teams and the business
    • Change management structurally embedded at corporate, program and project level
  • Awareness
    • Role-based behaviour
    • Visibility, but not real awareness yet

Security organisation

A security organisation and a steering board were put in place.

What's next?

Looking ahead, Colruyt’s focus will be on embedding security even deeper into the organization’s culture and operations. Awareness will remain a priority, with initiatives aimed at engaging business stakeholders and spreading a security-first mindset “like an oil slick” across all layers of the company. By fostering role-based behavior and linking visibility to accountability, Colruyt ensures that every employee understands their responsibility in safeguarding the business. At the same time, efforts will shift toward maturity, with “shift left” practices becoming part of the DNA, governance and compliance strengthened, and security improvements designed to stick for the long term. Finally, the organization will evolve from a project-driven approach to a standing security organization, characterized by continuous effort, empowerment, and clear accountability placed where it belongs. Together, these priorities define the next stage of Colruyt’s security journey: moving from transformation to sustainable excellence.

Lessons learned

Colruyt’s cybersecurity transformation has delivered valuable lessons that will guide future progress. First and foremost, security must always be developed with the business in mind, ensuring it supports rather than obstructs objectives. Leadership buy-in is non-negotiable, as visible support from the top enables momentum and resource commitment. A clear strategy and vision, combined with active involvement of other IT departments, ensures alignment and sustainability. Giving the transformation a recognizable name helped create identity and focus, while deliberate investment in communication and change management proved essential to build trust and understanding across the organization. Above all, the journey reinforced that culture eats strategy for breakfast—lasting change depends on embedding security into mindset and behavior. Celebrating quick wins not only demonstrated progress but also made teams proud and motivated. Finally, the principle that visibility creates awareness, and awareness creates accountability became a cornerstone for driving ownership at all levels.

Conclusion

CYBER RESILIENCE IS EVERYBODY'S RESPONSIBILITY EVERYDAY!