Kurt de Ruwe has been a CIO for almost 20 years, with roles at Bayer MaterialScience, Signify (formerly Philips Lighting), and now AkzoNobel, a global paints and coatings company.
AkzoNobel operates across 150 countries with 126 factories and nearly 1,000 sites. Under de Ruwe, the company is moving to an internet-only model, with plans to retire every firewall and SD-WAN connection by the end of 2026. It is also scaling AI agents across its operations, with close to half a million orders already handled autonomously.
Expert Insights spoke to de Ruwe at Zscaler’s Zenith Live conference in Vienna about deploying zero trust across a global manufacturing footprint, securing AI agents at scale, managing cybersecurity risk through M&A, and building a strong security team culture.
Could you tell us about your background and what brought you to the CIO role at AkzoNobel?
I’ve been a CIO for nearly 20 years, and I joined AkzoNobel about four years ago. Before that, I spent a long time in the chemical industry across a variety of companies, then moved to Philips Lighting. When that business was split off into a standalone company, I was already its CIO, so I had to set all of that up. Then the opportunity at AkzoNobel came along.
On security, I’ve never been a CISO, but I’ve always had a very strong focus on it. I used to do hacking myself, including social engineering. At the companies I worked for, I was always keen to see how far we could get just by taking tools off the internet, and later the dark web, and trying them out.
I started working with Zscaler close to 14 years ago. [Zscaler CEO] Jay [Chaudhry] drew the concept of ZPA on a whiteboard for me at Philips Lighting, years before it ever became a product. I always regret not taking a picture of it. Jay is a CEO with incredible technical knowledge, so we always enjoyed those discussions.
AkzoNobel operates across 150 countries with sites from corporate headquarters through to factory floors. What does security look like at that scale, and how does your role as CIO intersect with the security function?
We have 126 factories and close to 1,000 locations in total, so it’s a big footprint. The key thing in security, especially now with the new AI models, is that you can never be 100% safe. So, it’s much more about detection and response than about protection. You still need a very high level of protection, but it’s really about how quickly you can detect something, and then how quickly you can resolve it.
On zero trust, we’ve fully deployed it. Every single application is mapped. We recently ran a red team exercise, and the thing that annoyed the hackers we paid the most was Zscaler, because it kept blocking what they were trying to do. So, we’ve had it vetted by a neutral party, if I can call them that.
By the end of the year, the intention is that all the firewalls are gone and all SD-WAN is gone. When I introduced zero trust and the Branch Connector to my CEO, I said, “We’ll get rid of all the firewalls and increase security.” He looked at me and said that didn’t really make sense. But a firewall is a 30-year-old concept, and many companies still bet on it. If you deploy zero trust the way it’s intended, it’s a completely different approach: you protect the data, you encrypt all the communication, and you shrink the attack surface. The next frontier is securing AI, because it’s here, and it’s the next big thing.
How important do you see zero trust, and what’s changed for AkzoNobel since you adopted it?
For me it’s a fundamental way of protecting your whole environment going forward. Firewalls and that whole model are the past; zero trust is the way to go. There are many ways to do it.
You can add layers of zero trust on top of the complexity you already have, or, as we’ve done with Zscaler, you can strip things out. The leaner your environment, the fewer things you have that can go wrong. That’s one of the things we focus on.
Manufacturing has a mix of IT and OT, legacy equipment and hundreds of distributed sites. How do you approach zero trust when parts of your infrastructure were never designed with it in mind?
At AkzoNobel we have factories that are brand new and fully automated, and factories with equipment that’s 20 years old, so there’s a lot of variety. With PLCs and traditional OT, you can’t put agents on the devices. That was our challenge when the idea of going internet-only came up more than two years ago: how do we protect the factories?
The Branch Connector combined with microsegmentation and the air gap is the ideal solution for us. The Branch Connector effectively makes the site invisible. I asked my CISO to try to hack it and he couldn’t, because he couldn’t even find it. Microsegmentation then reduces the attack surface inside the factory further, without touching the devices that control manufacturing.
You average around three acquisitions a year, with another integration ahead of you. What are the security risks that come specifically with M&A, and how does zero trust help you address them?
In the past, when you did an M&A, you’d put a firewall between the two networks and connect them, opening things up without really knowing how good or bad the other side was. With zero trust it’s different. We have a significant merger coming towards the end of the year. We’ll put the Zscaler ZPA client on their devices and a Cloud Connector in their network. From AkzoNobel’s side we connect to them using the Cloud Connector; they connect to us using the ZPA client. That lets us limit exactly what crosses over. Rather than opening everything, you only open what’s needed. In the beginning that won’t be much, but step by step you open up more.
The benefit is that while you do this, you learn the other company’s capabilities in detail, and you can decide what to open up. And because AkzoNobel has deployed zero trust so extensively, putting our clients on the merging company’s devices gives them a head start. Within a few months we believe we can bring them to the same level, and that’s a key asset.
You’ve been scaling automation and AI across the business, and you’re about to move into citizen development. What does that shift look like for AkzoNobel, and how are you thinking about securing it?
We’ve been very active in enabling AI for the last few years, and we’re way beyond pilots now; we’re scaling. The initial focus was enterprise AI, enabling agents to do a whole range of things. One example: we have agents handling credit-blocked orders, where orders are held because of credit. Around 90% of those orders are now handled by agents and released within minutes, which was close to half a million orders. We have several deployments like that.
That runs inside our enterprise environment: Databricks, SAP, and so on, using the protection we already have. But when you bring citizen development to users, you can’t control everything a user does. So, you need a security framework around it, and that’s one of the things we’re looking at with Zscaler: how to put guardrails in place so users can’t do anything crazy, so consumption is managed, and so data stays inside the company. Those are the next steps.
Are you seeing AI change the threats targeting AkzoNobel? Is manufacturing being targeted differently than it was two years ago, and how important is zero trust in addressing AI-driven threats?
AI has a huge impact on attackers’ capabilities. With the latest models, it’s no longer a question of whether they’ll get in. If they manage to scan your environment, they almost get a menu of ‘try this, try that,’ and the model will even create a tool to attack you. So, it’s about being much more vigilant. The detection tools generate millions of possible signals, so you have to use AI yourself against threats that are themselves AI-driven.
Zero trust, with encryption and microsegmentation, is all about limiting where attackers can go if they do get in. With the old-school network, once they were inside, they could go everywhere. Today every application is mapped, so movement is restricted. If a device is compromised, the attack surface is much smaller.
What’s the biggest security challenge on your desk right now that you haven’t solved yet?
The biggest security risk remains the user. You can have MFA, fingerprints, all kinds of additional protection, but we run phishing tests every two weeks and about 2% of users still fail. Compared with other companies running the same tests that’s good, but 2% is still 2%, and it only takes one person clicking the wrong link to create a vulnerability.
So, it’s about making sure users are trained and educated, and that we keep reinforcing the basics: if you get a strange email, don’t click, don’t enter your credentials. We have tools that flag, “This is phishing, check before you click.” We have a lot of tools and capabilities to protect us, but if the user does the wrong thing, that’s where the impact comes from.
How do you go about building a great cybersecurity team? What does the culture look like, and what do you look for?
It’s a mix of individuals with different focuses. It’s a team focused on innovation, with a hunger for new tools and capabilities, and a bit of competitiveness. When we did our first Branch Connector deployment, in Como, Italy, I told the CISO to break it. He launched a competition within his team, with a prize for the first person to get in. The security was good enough that nobody managed it, but it created that friendly, competitive spirit.
The other thing is the recognition that you’re never completely safe. If people really want to get in, they will. It’s then about how quickly you detect it and whether you can stop it spreading.
What advice would you give other CIOs on communicating cyber risk to leadership?
Be open and honest. Don’t hide things, but don’t over-exaggerate either, as if the whole economy is going to collapse. Put things in the right perspective: “We’ve discovered this, and here’s the solution we’re working on, or here’s how we’re dealing with it.” And keep the focus on users.
What advice would you give to a CIO or CISO at a large manufacturer who hasn’t started their zero trust journey yet?
Talk to companies that have done it, learn from the mistakes they made, and learn how to accelerate. And think big. When we started, I told the team more than two years ago that across our 995 sites we were going to go internet-only, open internet everywhere, like working from a coffee shop.
People thought I was crazy. We ran an RFI (Request for Information) with 15 companies and they told us we were taking an enormous risk; the CTO of BT asked why on earth we’d want to do that, because nobody had asked for it.
So, it’s about thinking ahead. Once you’ve decided, you identify your bottlenecks and find partners to help you solve them. Don’t be afraid to take things out. We’re removing firewalls. Very few CIOs would say they’re going to take out the firewalls, but the technology supports it, and we’re not the only ones doing it.
Do a full risk assessment of the implications, then go for it, and don’t take too long to implement. We started with 122 factories back in October, aiming to finish by the end of June. That was a bit too ambitious, but we’ll definitely have it sorted before the end of the year. Set strict targets, then execute, execute, execute.