“It’s cool to help the organization mature further and ensure we don’t get hacked”

What is your background?
"I studied electrical engineering. In 1992, at the age of seventeen, I started at the computer center of the Bondsspaarbank, now ABN AMRO, in the town of Woerden. It was all mainframes; there was no Internet yet, and security wasn’t really a thing. You could only hack into a computer system if you were standing right in front of it. At Getronics, I tackled the ‘Millennium Bug.’ I managed systems and applications for the State Lottery, among others. I also learned a lot about security, because by then, everything was connected. And it was [considered] increasingly important.”

"I managed banking systems for a few years at Effectenbank Stroeve/Theodoor Gilissen Bankiers. I was acquired by LogicaCMG and started at their telecom division as an engineer. I did that for about a year. In the EMEA region, I kept SMS centers running and resolved third-line issues. And then I switched to the consulting division within Logica. Eventually, I ended up at ING Investment Management, to do on a large scale what I had been doing on a small scale at that small bank [Theodoor Gilissen]. That’s how I moved on to problem management and a project management role."

"I’ve always been good at communicating, especially verbally, but my written skills were a bit weaker. At one point, I earned my bachelor’s degree in business management in the evenings. It was quite unusual that I was running all kinds of projects and programs without having the formal qualifications yet, just a lot of experience. With the degrees, it became 1+1=3. Then I worked on many large projects, including for the government.

However, at a certain point, working at a consultancy firm didn’t add much value [for me]. After twelve years at Logica, now known as CGI, I’d pretty much seen it all. I wanted to work for the government myself. In 2017, I received an offer from SSC-ICT [Ministry of the Interior] for the position of security team manager."

“I’m really on the business side here, reporting to the CIO and directly to the board of directors”

“At SSC-ICT, I really learned the security field in depth. I was responsible for a team of 25 security professionals, and I also helped set up the Security Operations Center. And after nearly five years, I actually wanted the role of CISO. The then CISO was set to retire in due course, but I didn’t want to wait. Then the opportunity at CAK came along.”

"I’m really on the business side here. I report to the CIO and directly to the board of directors. And I’m 'system-responsible,' as they call it in government, for security. Most security operations are handled by IT; my security officers and security operations teams are part of IT. And I provide functional leadership there. I think it’s cool to help the organization mature further and ensure we don’t get hacked. It’s a cat-and-mouse game.”

CISOs are under pressure from two sides. The threat landscape is becoming increasingly broad and dynamic. But there’s also internal pressure. You have to deliver, and you’re held accountable if things go wrong. Can you tell us a bit about that?
"When I joined the company, I cleaned house and looked at what needed to change. I conducted a GAP analysis. Where were we falling short? I had done a maturity assessment beforehand. We scored fairly below average on that. After three years, everything was more than adequate. So we have almost no incidents. Is everything perfect now? No, certainly not. But it’s difficult for outsiders to get in. And I also think that, given our low public profile, we don’t stand out. Plus, we don’t hold any state secrets, so we’re less interesting to state actors."

"We implement regulations for the Ministry of Health, Welfare, and Sport, such as the Wlz ['Wet langdurige zorg'] and the Wmo [Wet maatschappelijke ondersteuning]. The sensitive personal data of our citizens is the asset we must protect. If something like what happened at Odido were to happen here, the data of the most vulnerable people in the Netherlands would be out in the open. You wouldn’t want to deal with that. We’re doing a good job of protecting ourselves against a very large portion of the risk we face from attacks. But 100 percent security doesn’t exist. I always tell our board members that."

“It’s not an easy job. I manage to handle it within a normal workweek. I did turn fifty last year, so it’s not quite as easy as it used to be. And I also value my free time. So I look for a balance that allows me to do other things and not be working day and night.”

What technological or societal developments do you think will shape the CISO role in the medium term?
"I’d say all the geopolitical developments we’re seeing now. I’ve been in security for quite a few years. And what people are reading and seeing in the media now — those things weren’t discussed publicly for years, but they were definitely there. We’ve been under attack from all sorts of parties for years. That’s how [cybersecurity] has developed so rapidly. It has increasingly grown from a niche into a mature field. And that’s a good thing. We have far fewer defenders than there are attackers. And their tools are getting better and better. Mythos works better than even its creators thought it would. So I think it’s justified to call for an end to the use of these kinds of tools. But I don’t think it’s possible."

“What people are reading and seeing in the media now wasn’t discussed publicly for years, but it was definitely there”

“Of course, criminals also have a huge interest in having these kinds of things. Today’s AI follows the same attack patterns as a hacker. The same methodology. It fights its way in, extracts your data, and puts it up for sale on the dark web. That’s really bizarre. You don’t need any special skills to do it anymore.”

"The goal is: we don’t pay. I’m not saying it never happens; there can always be a reason to do it. But in principle, we don’t pay. And I don’t know if you can always sell that to your customers or citizens. It’s a real dilemma that I don’t think one can resolve. I would always say, "Don’t pay." But a manager, especially if they own a commercial organization, might think: if I pay a hundred thousand now, my business can move forward. So I understand very well why some organizations do pay after all."

What else do you contribute to society?
"I’ve been doing this for a long time, of course, including within the government. Because I enjoy it, but also for the sake of society. I wanted to make that clear. Otherwise, I could have worked for a commercial company for a higher salary. I also joined this [CISO] community to see if I can do my part. I’m involved in all kinds of work-related committees as well. I’m a member of the Manifest Group, a lobby group of large governmental agencies that share knowledge. In addition to my job, I collaborate with the CISOs at the Ministry of Health, Welfare, and Sport. So I’m involved in much more than just my own work. It’s much more complex.”

"Every now and then, I speak at an event. I enjoy it, but I don’t want to do it too often. And of course, I also want to stay somewhat up to date in the field, so I attend a conference now and then. That’s also good for your network. When I attend the One Conference, it feels like coming home. The same goes for CISODAY. I run into a lot of colleagues there whom I haven’t seen in years."

What do you think of the other candidates?
“They’re formidable competitors, though I think that’s a big word. I didn’t know them, but I feel honored to be included in the list. I have to be honest: the outcome isn’t that important to me. Just being asked is really nice already. [Laughs:] But now that I’m nominated, I actually want to win.”