ID Published Quote Alias Intro Description Author Date Name Position Partner Partner Education More Text Title More Text Job Profiles Education Items Person Image
1 I get to meet with people and go to places I would have never dreamed of. jan-wouter-aerialtronics That the security domain is so diverse becomes aptly clear when we interview Jan Wouter. He works for Aerialtronics, a company that builds drones for a variety of applications, one of them being security. We sat down with Jan Wouter to find out what he does on a daily basis.

 

Vice President Strategic Partnerships, what does that mean?

 

It is my responsibility to find new partners with whom we can develop custom made technical solutions to accommodate new markets. For example building partnerships to develop ways to use drones in the field of safety and security. This could be with large companies such as IBM, Nokia or NVIDIA but also smaller companies who possess a specific expertise. Before I was the Head of R&D. In my current position I can combine the technical expertise with more commercial work, which I really like.

 

 

 

What kind of projects are you involved with?

 

For example, recently we teamed up with IBM to explore the possibilities of connecting our drones with the cloud. This makes it possible to collect data with our drones and make it available for analysis in real time. It’s especially cool for us as a small company to work with such renowned companies that have been at the forefront of international industry for decades. Our engineers worked alongside theirs to work on connecting our drones with the cloud services of IBM.

 

In the field of security this collaboration could lead to more applications for drones. Think of surveillance by drones to detect changes in an area, for example the arrival of an extra car or an abandoned suitcase, facial recognition or detection of suspicious behavior in crowds. Traditionally the images have to be collected and reviewed afterwards; if you automate the process of data collection through cloud services you can review the data in real time, making it a more direct and useful tool.

 

 

 

Why did you pursue this career?

 

Before I was doing scientific research at a university. That was very interesting but I missed working in a team. I also like to see tangible results and to be in touch with other companies in the market. In my job at Aerialtronics I found both: the research related aspects and the more commercial way of dealing with innovation that appeal to me. Also with my background in Aerospace Engineering the drone industry is one of, if not the most exciting industry to work for at the moment.

 


 

Can you name a milestone in your career?

 

There are so many, it’s hard to name one in particular. Something I really like about my job is that, because we’re in such a new industry, I get to meet with people and go to places I would have never dreamed of. There is a lot of attention for our products. For example, a while ago we sat down with companies like Google and Amazon during a meeting organized with the Small UAV Coalition (a drone lobby organization for the US), and last week we visited a company that builds fire trucks and is very interested in incorporating drones in their future fire trucks.

 

 

 

How will your industry or job in particular change over the next few years? How do you keep up?

 

My job will still exist in the future. The drone industry will undergo some major changes in the coming years as the industry matures. Once effective laws and regulations are passed the use of drones will drastically increase. Also the continuing evolution of drones and shift to autonomous flight will lead to more applications for drones. For a lot of people in different industries drones will become a permanent addition to their toolkit. For us it’s important to stay ahead of competition through anticipating early and finding new opportunities. For example the new applications in security the automated flights offer.

 


 

How did you end up here after completing your study?

I began by doing research at a university after I graduated. After gaining some experience and with some luck, coincidence and detours I ended up working for Aerialtronics. It all went pretty natural, you just roll into it once you get some experience in the field. At Aerialtronics my growth was natural too. In smaller start ups your job is less defined beforehand. This means you get more freedom to fill in your activities. Nobody is going to stop you if you want to pick up more or want to work out a new idea you came up with. This helped me grow with the company and create the position I hold now.

 

 

 

Do you have any tips for up-and-coming talent?

If you know what you like it really helps if you spend time on that outside of office hours. In our business there are a lot of people who are intrigued by drones. But sometimes we sit down with them and notice they haven’t found out much about it on their own. If you have experience with drones, for example you build some application for your hobby project, you are much more interesting for us. We are always welcoming applications from people who engage with drones because they’re passionate about the technology.

 

 

[Images by Frisse Focus]

Security Talent 2016-09-24 Jan Wouter Kruyt Vice President Strategic Partnerships Aerialtronics

Aerospace Engineering (Bachelor and Master) at Delft University of Technology.

Information Security Officer (ISO) Technische Informatica, Information Management 001-THUMB.jpg 007-SMALL.jpg
2 Putting my knowledge and skills to use to make our product better is really rewarding reinier-business-forensics We sat down with Reinier to have a chat about his job and background. As a software developer at Business Forensics, Reinier is involved in making the software for a digital forensics product. Find out what he does on a daily basis to discover the diversity in the field of (cyber)security.

Software Developer, what does that mean?

My job is to write the software for our products, develop new features for our products and refactor (update) our code to improve the quality. We have a ‘boy scout rule’ which means you have to ‘clean up’ if you find a piece of code that is not written well. Like boy scouts have to clean up litter if they find it somewhere. That way we keep our code in good shape. I work in a small team with a relaxed vibe. We work hard but there is plenty of room for relaxation too. We’re not just looking at our screen the whole day, sometimes we take some time to play table tennis for example.

 

What kind of projects are you involved with?

We are involved in various projects. Our software analyses large quantity databases and structures that data to add logic to it. Our application makes connections between variables in the data and finds anomalies that you would normally not detect. This helps our clients to improve their business processes. We do all sorts of projects, for example: fraud detection for insurance companies, banks and governments. But also analyses for defense and public safety and security organizations to improve their effectiveness and efficiency.

 

Why did you pursue this career?

I have been busy with programming for a while. When I was younger I tried to hack games for example. As I got older I kept programming and it eventually became my job.

 


 

Can you name a milestone in your career?

For me that was the moment when I realized I was adding value to the company and the product with the effort I’ve put in. In the beginning you just go along with the workflow, but after a while you get more familiar with the job and can really add something and make a difference. Putting my knowledge and skills to use to make our product better is really rewarding.

 

How will your industry or job in particular change over the next few years? How do you keep up?

How the industry could change I don’t really know. At the moment we as developers deliver a default product which is customized specifically for our customers by our consultants. What we will be improving is the standardization of this configuration resulting in a more efficient process. For me this is a very interesting aspect because of my history in the development of process automation.

 

I keep up by doing. Outside of office hours I’m programming at home to learn new techniques and insights. At work we use C# and TypeScript, at home I try other languages like JavaScript; that way I learn new ways to solve a problem. Hobby projects are always helpful for learning new stuff which you can later use in your work. For example right now I’m developing something that allows me to use separate hardware on different platforms without a delay if they are on the same Wi-Fi network. Think of using your laptop keyboard for your desktop without having to connect them physically.

 


 

How did you end up here after your study?

I have always been occupied with programming from a young age. So I thought I’d enroll for an HBO study computer science (informatica), that didn’t live up to my expectations so I quit. Later I tried a HBO study in software engineering, but again I quit in my second year. I then continued at the MBO but got bored and dropped out again. After I quit two HBO studies and consequently dropped out of MBO I contacted a recruiter. They set me up with Business Forensics for an interview. After an interview and an assessment they gave me the opportunity to come work for them. I got a really nice vibe out of the interviews and was excited that they put their trust in me by giving me the opportunity to come work for them. Since then I work here and haven’t regretted my decision. Although I did not finish my studies they helped me a lot on the job. At school they try to teach you a way of thinking and approaching certain projects. Especially the more business related aspects were really useful to me.

 

Do you have any tips for up-and-coming talent?

Don’t sit there waiting, just do it! If you have an idea or plan, don’t doubt yourself but just go for it. I was hesitant to contact a recruiter after I quit my studies, but I did so anyway and it worked out great for me.

 

 

[Images by Frisse Focus]

Security Talent 2016-09-24 Reinier Klarenberg Software Developer 0 Business Forensics

HAVO,
‘Computer Science’ at HAN University of Applied sciences 
‘Software Engineering’ at Fontys University of Applied Sciences

ICT security specialist 3 (research-level), Application Developer, Digitaal Forensisch Onderzoeker (MBO) Technische Informatica, Informatica, Informatica Voltijd, Technische Informatica Voltijd, Informatica, HBO-ICT, Computer & Embedded Systems Engineering, Computer Science/Informatica 001-THUMB.jpg 003-SMALL.jpg
3 At the University I got more attracted to the ‘soft side’, so I decided to focus more on human aspects and resources besides just the machine part. mary-jo-revnext We sat down with Mary-Jo to talk about her job and what she's up to at the moment. As an Associate partner at Revnext, Vice-president of Women in Cybersecurity and President of the Platform Internet of Toys, there's never a dull moment for Mary-Jo.

 

Associate partner at Revnext, what does that mean?

I work as a lead advisor on cyber security, innovation and strategic communication at Revnext. At Revnext we all have a specific expertise that we bring to the table. We offer custom solutions and strategic advice to companies in need of a specific cyber expertise. We really have a track record on subjects like forensics and cybersecurity, but also work cross sector in the fields of e-health, clean tech and logistics. We don’t offer generic advice right off the shelf, but really dive into the details of every particular situation to come up with a bespoke solution. Furthermore at Revnext we praise ourselves for spending 21 percent of our profits on research and development. This gives us the opportunity to invest in subjects which are dear to us, such as standardization for the internet of things, cyberpeace and social return in cyber security.

 

What kind of projects are you involved with?

I am helping a company set up an e-forensics department at the moment, guiding them and providing strategic advice. Furthermore I advise a big insurance company about their ‘Spaeklab’ on cybersecurity. With my platform Internet of Toys, a think and do tank, we expose vulnerabilities and security flaws in toys that are connected to the internet. For a presentation to former generals I reprogrammed Cayla, a cute internet connected doll, to speak a death wish in Arabic. You should’ve seen the look on their faces, they thought I'd lost my mind! I’m also publishing a lot of columns and articles on cybersecurity and internet of toys in various magazines and newspapers and speak at conventions on cybersecurity related subjects quite often.

 


 

Why did you pursue this career?

I’ve always been busy with computers and the technique around it. When I was 8 years old I got a Commodore 64 that had a cassette deck connected to it. I bought new cassettes, recorded signals which were broadcast through radio and connected it to the Commodore to see what would happen. Not much happened, but it was my first experiment with a computer. When the Commodore started to become boring I moved on to Nintendo, playing Mario for an endless amount of time. Later followed by the Sega and so forth, I was always busy with computers, gaming and experimenting with computer technique. When Interactive Voice Response Systems became popular, for example used by the ‘Belastingdienst’, I found out that you could skip the queue if you entered a certain combination of numbers while waiting. During my studies I found out that I wanted to be involved in more than the ‘hard side’ of IT (Security), just being busy developing and building things. I got more attracted to the ‘soft side’, so I decided to focus more on human aspects and resources instead of the machine part. That’s exactly what I’m doing now: helping clients with their cybersecurity issues within different perspectives.

 

Can you name a milestone in your career?

It’s difficult to name just one. We are doing so many cool things at the moment. Last week we made front page of an important Dutch Newspaper, Trouw, because of our investigation about data breaches within hospitals. It even reached the members of Parliament! A while ago I was in Dubai as a founder of the Holland Innovation House, when I got a call from the ambassador of Abu Dhabi. He heard about this Dutch initiative, where we presented 11 companies within cybersecurity at the biggest technology event in the world, GITEX, and wanted to know all about it. He also made me promise to continue my journey in order to gain access to international markets within the United Arab Emirates. It’s nice to see that what we are doing is being noticed. Also the moment when I was asked to join the Speakers Academy was cool. I was like: “you want me to be a speaker on your roster? Really? Wow!” It’s cool to get acknowledged for your efforts in this way. Another thing that happened recently is that I’m a finalist for a prestigious cyber award in Great-Britain: Women in IT Award 2017. I’m the first ever non-British person to be nominated in this category, so that is a pretty big compliment. But maybe the coolest thing is that with two partners we recently discovered something that will lead to an invention. All in all it’s really nice to see that all the effort I have put in over the past years is getting noticed.

 


 

How will your industry or job change over the next few years? How do you keep up?

In the IT Security business there are more and more cowboys popping up. An increasing number of new parties are entering the market. Not because they have the knowledge or experience but just because cyber consultancy is considered the new gold. It’s seen as an easy way to make money quickly. Sometimes I come across advice or a report produced by an accountancy firm or so-called “expert” at my clients. It will shock you when I tell you what "solutions" were offered. What would you advise if your house were on fire? Get the fire under control or run away and never look back? There are a lot of firms entering the business without substantive knowledge who have a “cyber department” all of a sudden. They will come up with the advice to run away from the burning house as a figure of speech. As I often say, “we have to stop poisoning the well”.

 

How did finding a job after your study go?

After my bachelor I started working for a big consultancy firm, for exactly one month. It was really boring so I decided to start my own business. My first assignment was at a bank. I was hired to provide them with strategic advice in their first steps towards digital banking. Things like ‘My ING’ or ‘RABO Mobile’ did not even exist at the time. In that position I was the linking pin in the triangle of Human – Machine – Resources, exactly what I wanted to do. From there I went all over the place in the world of banking. Eventually I ended up working on projects for the NCTC (National Coordinator for Security and Counterterrorism, ed.). That’s where I met Anouk Vos with whom I later founded the international network Women in Cyber Security (WiCS).

 


 

Do you have any tips for up-and-coming talent?

I truly believe that you should focus on your potential. What makes YOU happy? What are the things in life that put a smile on your face? Make sure you go wherever your passion brings you. It is the only way to become a voice instead of an echo.

 

Furthermore, years ago I set a personal goal; at least once a week I am having coffee (or tea for that matter) with someone I haven’t met before and/or with someone who wants to learn more about cyber security. We have a nice Women in Cyber Security office at the WTC The Hague. It really is a nice place to meet and mingle because everyone who runs an office at the 13th floor leaves their doors open for each other. Therefore, we do not “only” have coffee but we make sure our guests can take a cyber dive if desired. I am looking forward to meeting new people for a “cyber coffee” and, of course, hope to light their cyber fire. Just drop me a message.

Security Talent 2016-12-12 Mary-Jo de Leeuw Associate Partner 0 Revnext

Bachelor ICT – communication systems at Utrecht University of Applied sciences

Ancillary positions

Vice president Women in Cyber Security

President Platform Internet of Toys

ICT security specialist 3 (research-level), Ethical Hacker 007-MJ-SMALL.jpg 005-MJ-web.jpg
4 An ethical hacking course was the game changer that led to the career I had in mind, combining IT and criminality ethical-hacking-course That you don't necessarily need a background in IT to be drawn to cybersecurity is demonstrated by Anneloes. We had a chat with her to hear how she became a cybersecurity consultant after obtaining a Master's degree in criminology.

Cybersecurity Consultant, what does that mean?

The main goal of my work is to make organizations more resilient against various forms of criminality related to the digital environment. To improve cyber resilience we focus on three key aspects: organisational-, human- and technical elements. Testing whether an organisation is vulnerable can be done in several ways, for instance through social engineering and hacking. Social engineering entails testing whether employees of an organization are willing to convey confidential information or provide me with login credentials to gain access to their systems. With these social engineering projects we aim to increase the resilience of people within organizations. Whereas social engineering focusses on behavioural aspects, hacking concentrates on the technical aspects of cybersecurity. I search all the systems of an organization that are linked to the internet in order to find vulnerabilities. These vulnerabilities vary from leaking confidential information to granting myself access to their network and finding their crown jewels. In other words, I try to gain control over their systems as if I were the system operator.

 

What kind of projects are you involved in?

I can’t go into much detail about our projects because we guarantee full discretion to our clients. I can say however that we work for all sorts of organizations, from small businesses to large corporations and governments. Digital security is something that is relevant to every organization nowadays. The department I work for is usually hired as a preventive measure. We are often asked to do a check to find out what the current status of security is, find vulnerabilities and see whether the organization is resilient. Based on our findings we propose a follow up to improve security.

 


 

Why did you pursue this career?

Although I’ve occasionally built websites in the past, I did not really aspire to a career in IT. I was actually interested in working for the police or Marechaussee (Dutch Military Police). Unfortunately, when I applied it didn’t work out because of the large number of graduates applying and the small number of available jobs. It meant I had to rethink my options and consider what I wanted to do and which matched my competences. That’s where IT came back around. I dared to take the plunge into IT without a specific IT-education. I started as a software tester to gain experience and hoped that I could do something with criminality and IT at one point down the road. Luckily that’s exactly what happened.

 

Can you come up with a milestone in your career?

My biggest accomplishment is that I have managed to become a cybersecurity consultant. When I started working I had no education in IT. So I estimated my chances of becoming a cybersecurity consultant to be slim. I’ve always held onto my goal of becoming one and kept believing that I could make it. I grabbed every opportunity that came my way with both hands and now I’m doing the job I wanted to do. How awesome is that?!

 


 

How will your job change over the next few years and how do you keep up?

You never know for sure how IT will develop. New techniques and applications come and go and all have their pros and cons. It’s impossible to stay up to date with every development. The techniques that are relevant for me depend on whatever project I’m doing at any given time. I’m always working for a specific client so whatever technique that client is using is relevant for me. Sometimes I learn about new techniques at home, sometimes while doing research for a project. It’s a lot of trial and error really, finding your way in new applications and techniques.

 

Another element that is changing is the increasing awareness about cybersecurity within organizations. However, cybersecurity awareness does not always have cybersecure behaviour as consequence. That’s where we do things differently at Hoffmann: we combine social engineering with psychological research into why the desired behaviour does not occur. Then we propose technical, organisational and human interventions, of which an awareness programme might be an option. Awareness is good, but we prefer responsible cybersecure behaviour.

 

Also our ‘attack surface’ is changing in the sense that it is growing bigger because more and more objects are connected to the internet, especially now with the developments around ‘Internet of Things’. This comes with a challenge in finding a balance between technical measures on the one hand and organizational level resilience on the other hand. For me personally it means that I for sure need to stay up to date on how to hack various systems.

 

Finally, we have to abide by laws and regulations which are also subject to change. You never know which new laws and regulations will be adopted in the (near) future and how they will impact your job. For instance: is ‘ethical hacking’ allowed or punishable? And what kinds of techniques are we allowed to use, or how intrusively can we operate? All questions which will be answered differently as new laws and regulations are adopted.

 


 

How did you find a job after your study?

My first ambition, to work for the police or Marechaussee, didn’t work out. After some reconsideration I decided to try IT. I uploaded my resume on an IT job portal. Via that channel I got the offer to do a traineeship to become a software tester. As a software tester you don’t really need deep technical skills. Your job is to test software as if you’re the end user and report anomalies. It was the perfect way to start my career in IT and gain experience. During that period I attended relevant courses and did some self teaching and experimenting with more technical subjects. Eventually, I had gained technical skills and enrolled in a course on ethical hacking. In the job I had back then, I unfortunately could not put my new skills to use. That’s when I started looking around again and found the job I’m in now. The ethical hacking course was the game changer that led to the career I had in mind, combining IT and criminality.

 

Do you have any suggestions for up-and-coming talent?

Dare to take the step and discover IT. It’s a sector of industry in which much is possible, also due to the ongoing developments. As long as you keep believing, many opportunities will open up to you.

Security Talent 2017-02-27 Anneloes Geerts Cybersecurity Consultant Hoffmann BV

Bachelor Criminology, Erasmus University Rotterdam
Master Criminology: Corporate and Organised Crime, Erasmus University Rotterdam

ICT security specialist 3 (research-level) Criminologie, Criminologie , Criminologie, Criminologie, Criminologie thumb.jpg IMG-5475.jpg
5 I stayed in the IT security business because it’s such a dynamic field and you have fun colleagues raymon-eclecticiq Raymon is one of the founders of EclecticIQ and responsible for the product development within the company. Read the interview to find out how Raymon got into IT security and what he likes so much about it.

Vice President Product, what does that mean?

I’m responsible for the product our company offers and the portfolio built around it. I make sure we have a product team that keeps track of market developments, listens to our own product specialists and engineers and other stakeholders that influence our product. That’s what I do in a nutshell. With the info my team collects we make a roadmap that we use to feed our engineering team with ideas and the philosophy behind them to create or improve products.

 

What kind of projects are you involved with?

EclecticIQ offers several products. Our core product is a threat intelligence platform. This is an enterprise platform for threat intelligence analysts. It’s designed to make their work more easy and quick. It aggregates and analyses various sources into a similar format. Our product was developed because the job of a threat analyst is very comprehensive. There is a lot of data available that comes in various formats for example ftp and xml but there are many others. Organizing all this data into useable content is very time consuming. Our product automates that part of the process. We also deliver tools for analysing and comparison of data. We make sure the threat analyst can focus on his core task: performing threat analysis and reporting on potential risks.

 

Our clients are mostly in the banking and government sector but also in oil and gas and some in retail. We started in Amsterdam with a small team but now have about 35 employees, offices in London and Moldavia and a partner in Australia. Currently we are exploring the possibility of entering the U.S. market with our product.

 

Why did you pursue this career?

I rolled into the IT security business by coincidence. About 15 years ago I started at a small firm where I helped setting up a helpdesk. That was my first IT experience. After that I worked for the Ministry of Defence where I worked on some bigger IT projects like implementing a new OS. I then moved on to start my own IT security company together with a business partner. With Goodfellas we focused on producing firewalls. I did that for five years before moving on to work in general management and later product management at several companies.

 

I stayed in the IT security business though because it’s such a dynamic field and you have fun colleagues. In IT security you have to deal with your adversaries who are innovating just as much as you do. Sometimes it seems like new investments are needed because you’re falling behind. But then something new, like threat intelligence for example, comes along that causes a paradigm shift.

 

The domain is also interesting because it’s growing. Back in the days you would maybe have one security officer. Nowadays you have whole departments and all sorts of specialisations. Hacking for example was considered just fun or mischief, now it’s considered a crime in some cases. All these developments make it so dynamic. A lot of people still think you need a technical background to work in IT security. While really there are so many opportunities at the moment. There’s a whole economy behind IT security spawning new jobs and educational programs in this sector.

 


 

Can you name a milestone in your career?

There have been many, but for me personally as an entrepreneur starting my first company and EclecticIQ are the biggest milestones. Last year at EclecticIQ we got so many applications from new clients. It’s really rewarding to have all those new clients after all the hard work you’ve put into trying to make your company a success.

 

Another thing, a bit different, is that we helped people who were about to be arrested because they accidentally did something wrong and they came to us for help. Intelligence officers also make mistakes sometimes and it’s nice if you can help them fix it.

 


 

How will your industry or job in particular change over the next few years? How do you keep up?

I expect threat intelligence to go mainstream next year. So it will be interesting to see how that’s going to work out for us. Also we are looking into the possibilities of experimenting with big data, AI and machine learning. We don’t have a clear plan how to use these techniques yet but we see a lot of startups that are active in this area. I think this will lead to interesting new solutions and products.

 

I believe it’s important for someone working in IT security to stay up to date through reading forums, websites, visiting conferences etcetera. For example, despite being more involved in product management, and less so the hard core security aspects, I still visit conferences like BlackHat and the annual RSA conference in Las Vegas to learn about new ideas and techniques. There are lots of ways to stay up to date and it’s nice to meet people who work in the same field as you do.

 


 

Do you have any tips for up-and-coming talent?

If you like IT security and want to work in this sector: don’t give up. There are so many different specialisations and positions that it can be overwhelming sometimes. If you think you like it keep trying and don’t give up. There are so many options available that you can always grow in a position or move on to another challenge within IT security. If you start as a network security specialist for example and you don’t like it, look around to find out what aspect of IT security appeals to you more.

 

Also don’t underestimate the time you have to put in to stay on top of developments. It’s not like you just complete some study and you’re there. You really need to keep educating yourself online and try new things. Getting to a level of knowledge that is useful and valuable really requires time invested and a curiosity for technology.

Security Talent 2017-03-07 Raymon van der Velde Vice President Product EclecticIQ

NIMA PR A (public relations)

Chief Information Security Officer (CISO) IMG-5818.jpg IMG-5716.jpg
6 There probably will always be some malware that keeps very deep and dark secrets rickey-redsocks Rickey is a familiar face in the Dutch cybersecurity industry. He is often asked for his expert opinion on national television and radio. We visited the RedSocks Security office to have a chat with Rickey and find out how he became such a well known guest.

Cyber Security Expert, what does that mean?

I’m responsible for collecting and organising all cyber threat intelligence that RedSocks Security works with.

 

Aside from that I also work as an incident responder. So, whenever a company has been hacked my team and I will try to remove the hacker from the network environment and get the company up and running again.

 

The data we collect comes from different sources. Some information comes from open sources; other info is retrieved using paid services. The information we collect is organised in a way that makes it informative and actionable enough to be useful. We build our own labs to test malware but also search the internet for binaries, executables or exploits that are useful. We collect this data and based on various analyses draw conclusions from it. Every day new phishing, spam and other viruses are being released, all sorts of potential threats emerge from this malicious software. We collect information to counter these new threats.

 

What kind of projects are you involved in?

We look at how malware behaves when it infects a network. Based on these observations we try to find out whether the malware is detectable. Every malware has its own ‘config’. A config contains the way a program executes itself. We build config extractors that enable us to retrieve the config from the malware. Usually a config is encrypted. We use specific techniques to bypass the encryption and are able to extract it anyway. That can become quite technical.

 

Essentially, what we do is diagnose whether a patient is ill. The patient being a disk located in a network. If this is the case, our clients make decisions on the further actions they want to take based on our intelligence reports. We do not remove the malware ourselves. We detect it within the network and advise on the best possible next steps.

 

Antivirus software sometimes tries to delete malware – this is not always successful. For example: when the antivirus software deletes only a part of the malware. The user might think the system is ‘clean’ at that moment, while it’s really not. The malware itself then proceeds to generate more traffic which enables us to better understand how it works and how to deal with it.

 


Why did you pursue this career?

It’s my hobby. I’ve always been working and playing with computers, trying new things. I dream about computers. When I was still in school I was trying different things, and experimented a lot. One of those experiments resulted in me getting arrested for hacking. I wasn’t really doing my best to cover my tracks because I wasn’t stealing data or damaging systems. I was just curious to see what I could do and how far I could get. Getting arrested and sentenced means that I can’t work at many organisations nowadays. Some organisations require you to be free of a criminal record if you want to work in this industry. Especially the bigger corporations. Fortunately, there are a lot of other companies, start-ups and scale-ups for example, who recognise that this is just another form of experience and don’t dwell too much on juvenile mistakes. Some of the best professionals in the industry have at some point been in touch with the authorities in this line of work (either positively or negatively).

 


Can you name a milestone in your career?

Unfortunately, I’m not permitted to talk about my biggest professional milestones. Confidentiality is essential in our industry. Something I can mention though, of which I’m very proud, is that I dismantled the Pobelka botnet in 2012. This botnet infected the majority of The Netherlands, from governments to businesses, and a lot of confidential information was compromised. After dismantling the botnet, we notified as many victims as we possibly could.

 

Another thing is that I’m frequently asked to participate in interviews. For example, to provide background information in the news or for newspaper articles on the subject of cyber security. Being considered a reliable source on this subject is a very big compliment.

 

How will your industry or job in particular change over the next few years? How do you keep up?

The most important thing is that there is such a vast amount of data available, we hardly know how to deal with it all. How to process all of the information and what to filter from it. In the future, we will need, and will probably have, better and more powerful systems to extract useful intelligence from these large amounts of data. Having more powerful systems will contribute to a safer Internet.

Also, malware is becoming increasingly sophisticated. Back in the day you could take over computers relatively easily. Now, it’s becoming more and more advanced mathematics. More layers of encryption are added to software and hardware, but also to malware. Extracting the details from malware is becoming increasingly time consuming, time we simply don’t have. There probably will always be some malware that keeps very deep and dark secrets.

 

I keep up by trying new things at home and always being open to new technology, new programming languages, new infrastructure, and new operating systems. If you don’t keep up, your value as an engineer will decrease rapidly.

 


How did finding a job after your study go?

I knew I wanted to become a digital forensic investigator. So, I went looking for contacts that could help me start a career in this industry. It’s relatively easy to find people with similar interests on internet forums, LinkedIn and other social media channels where you find people with the same interests as you. Eventually, I found a job thanks to one of my contacts. He introduced me to someone who had an opportunity and that got the ball rolling.

 

That’s it really. I knew what I wanted to do, looked for the right contacts and landed into this job eventually.

 

Do you have any tips for up-and-coming talent?

Make sure that you have diverse knowledge of both penetration testing, digital forensics and network monitoring. Only if you are able to understand these three, and know how they relate to each other you’ll be able to feel confident within the cyber security industry. This is very important! A lot of people get this wrong. They focus on only one element of cyber security which consequentially causes ‘blank spaces’ in their knowledge. It’s important to see the whole bigger picture and understand how things are interrelated.

Security Talent 2017-03-13 Rickey Gevers Cyber Security Expert Bitdefender

Information Technology, Amsterdam University of Applied Sciences

Chief Information Security Officer (CISO), Information Security Officer (ISO), ICT security specialist 3 (research-level) Technische Informatica, Technische Informatica, Informatica, Informatica Voltijd, Technische Informatica Voltijd rickey-mugshot.png 004-PRINT.jpg
7 It’s all about finding and protecting those ‘crown jewels’ mike-hoffmann As an Information Security Consultant, Mike helps organisations identify potential risks and threats to their core business and how to deal with this. Read the interview to find out what he does exactly to protect the 'crown jewels'.

Information Security Consultant, what does that mean?

As an Information Security Consultant I look for what we call the ‘crown jewels’ within an organization. The ‘crown jewel’ is the most important asset of an organization. Besides their personnel this can be a specific process, essential resources, or even an essential asset like a machine or a server room. When we know what the ‘crown jewel’ is, we can decide what potential risks this client should be aware of. We map these relevant risks thoroughly, based on the core business and processes of the client. We then look at what plans and measures are already in place. And how effective they are. If necessary, we give further advice on how this organization can improve their security. This can range from returning keys and laptops when someone leaves the company, to advising about creating new checks and balances to prevent fraud.

 

What kind of risks do you focus on?

We look at different risks: fraud (vulnerable processes), cyber risks (information security based on people, technology and organisation) and crime (theft, extortion or terrorism). In case of a crisis or incident, we also support the client.

 

What projects are you involved with?

The projects I’m involved with vary a lot, both for public and private organisations. Today, half of all crimes are digital. Quite a shocking number! So at the moment there is an increase in awareness about the risks and consequences of digital crime. At Hoffmann we mostly work for bigger organisations but we also get smaller companies with high revenue and rapid growth that want to make sure their activities won’t be compromised.

 


And how do you approach a project?

When working on a project I perform a case study, visit on site, report and finally present my findings. Usually we are hired as a preventive measure. But sometimes our detective or digital forensics department is brought in after an incident. While they focus on the incident, they put me forward to perform a security scan. In order to help the organisation prevent a future incident.

 

Why Hoffmann?

Hoffmann is the oldest private detective firm in The Netherlands and a well-known name in the security business.

 

Can you name a milestone in your career?

Well, discretion is very important in my line of business. I have done a lot of great projects but our clients prefer not to see their name mentioned - as you might understand. A personal highlight in my career though was when I was hired at Hoffmann. This was the company I heard so much about and was fascinated by. So it was pretty cool that I got the opportunity to work for them.

 

How will your industry or job in particular change over the next few years?

Our lives are changing fast. Digitization, the Internet, privacy issues. In today’s digital world, we depend more and more on data. And securing this data will always be a point of concern. The focus will be more on digital security, but the physical part of security will always exist as well. Because a server park or data center also needs to be protected from physical threats.

 


How do you keep up?

My way of working will not change that much I think. It’s still about protecting the ‘crown jewels’, looking from the outside in and from the inside out when I perform a security scan. But the way we look could very well change, because of new techniques. We might have to become more creative. In that sense our scope will change. I make sure I keep up with important developments. For example I took a course on the subject ISO27001 including certification. And I am an avid reader of security.nl.

 

How did finding a job after your study go?

At the end of my studies a friend of mine was working for Deloitte. He thought I would be interested in this as well. I did some research and agreed with him. So after graduating I packed my bags to go travelling for a couple of months but as soon as I came back I applied at Deloitte. Successfully.

 

Do you have any tips for up-and-coming talent?

Always keep an open mind. When looking for a job approach companies that you find interesting. See up close what a company is like. Investigate, do your research. Ask questions. This way you will make sure you find the job that matches your interest.

Security Talent 2017-03-27 Mike Onderdelinden Information Security Consultant Hoffmann BV

BSc Integrale veiligheid at InHolland University of Applied Sciences

MSc Public Administration – Governance and Management of Complex Systems at Erasmus University Rotterdam

Integral Safety & Security Expert mike-mugshot.jpg IMG-5599.jpg
8 You don’t just need to look at ‘how to make’ something but also at ‘how to break’ it. stein-onegini Stein is a perfect example of someone who does not have a typical security study but found his way into the security domain through experience and a curiosity for the business. Read his interview to find out how he got to be the Chief Technology Architect at a successful security startup.

Chief Technology Architect, what does that mean?

It means being the lead architect of our platform and product. My job is to define the features for our product from a technical and functional perspective. I’m leading the teams that are working on the technical implementation of new features based on our strategy plan and different technologies that are used for the features and products. In the end my primary task is to make sure that our various products and features stay structured in a proper way instead of it becoming something like a spaghetti.

 

What kind of projects are you involved with?

The projects are very diverse. In my role as CTA I’m also the team lead for our mobile development team. We offer a server part and a mobile software development kit. It eventually means I lead the team’s activities and I’m involved in the designing and building of projects and features. The features are being developed based on the questions that come from customers. It’s my job to make sure that we can go from a client question to a new feature that is useable and still fits with the product as a whole instead of it becoming a bunch of random features. When designing and building features we need to take many aspects into account: the product and the product strategy, the client’s question, and also to safeguard the technical implementation of new features. In practice I write and review code and implement features into the existing product. We start with the design of the potential new feature, then we look how it fits into the existing product. If it fits and the design is finished we’ll build it. An example of a feature we are currently working on is transaction signing.

 

Another important aspect is to consider the security, which is very important for our product because in the end it’s a security product. We have security embedded in our working routine. We are certified by iComply, a secure software foundation. They prescribe the desired way of working to build secure products. When you look at the feature you don’t just look at how to build it, but also how to exploit it. This means we test how to ‘break’ the feature and what steps we have to take to mitigate the potential security risks. While building on our product we map the architecture and write down every step of the way when we build it initially. By doing this we still know further down the line why we made certain decisions and why we built something the way we did in order for us to be able to adjust it. This way we can see if we have implemented a way to mitigate a certain threat. It’s a sort of document to track our steps and see if we implemented the right mitigations.

 


Why did you pursue this career?

Funny question, I never actually set out a career path to become the CTA at a startup. It kind of came along and I just jumped on it. It just so happened that I was looking for a new challenge at the time the opportunity at Onegini came along.

 

I studied business and IT which has some technical elements in it but is not really a technical study. Security was not even a part of the study programme. But slowly I grew into it. When I started working my first job was in Identity & Access management. I was interested in technology and wanted to know the business. I wanted to be able to really understand the questions coming from customers and be able to talk to them on all levels. My personal interests and preferences resulted in me starting as a consultant. While being a consultant I got more and more into technology and development of features and products. Being in the job I am now is actually not because of a predetermined choice to do this but just kind of happened. But then again it kind of is my choice because I followed my interests and it got me here.

 

I started my career in Identity & Access management, that is already security related. But my engagement was from a higher level because as a consultant you don’t really design things. I discovered that security is sort of like a mindset. That you don’t just need to look at ‘how to make’ something but also at ‘how to break’ it. Breaking things is in my nature I guess. When I was young I took apart my sister’s ‘My First Sony’ but couldn’t put it back together. I want to know how things work at a detailed level. Not just that it works, but also how it works is interesting to fully understand something. That’s also an important aspect when designing and building a product if you are in the security business. It can break in places you didn’t think of in the first place and that can have serious consequences for your product.

 

But I think to summarise, why I got into security is because I was naturally intrigued in how things work. In security, you have to be interested in how things can be broken to keep it working. That’s how it is in line with my personal interests.

 


Can you name a milestone in your career?

When I started working for Onegini! Previously, like I said, I worked as a consultant. I was already doing different projects for various customers, already security related; that’s where I gained experience. But at Onegini I became responsible for building it. When I started at Onegini there was nothing and we really had to start from scratch designing and building our product in a secure way. For me that was a huge milestone. I really feel privileged to be a part of this, being involved in something from the start is not your everyday opportunity and I’ve learned a lot from it.

 

How will your industry or job in particular change over the next few years? How do you keep up?

It changes a lot. You see people becoming more aware that security is important. However, there is still a lot of ignorance, especially among customers. They underestimate the possibility that hackers can ruin their lives. You see that organisations are becoming more aware of security risks. Hacks are happening every day, not just for information of businesses themselves but also to get customer data. Companies are becoming more aware of the risk and they will need solutions that actually help them. As I mentioned earlier this is not just technical but also human related as human factors are also a big part of security.

 

If you look at our product and what it does, right now our customers are mostly banks and insurance companies, because they are already focussed on security and aware of how important it is to be and stay secure. If you look at the rest of the market there are not a lot of mobile security solutions. I expect that over the coming years there will be more interest from different industries to keep their customer data safe and mobile solutions will play an important role in that. So, I think our product will become more interesting and in demand over the next years. Because right now I have the idea that a lot of mobile developers are not at all aware of security issues.

 

I keep up by reading articles, Twitter, visiting conferences, talking with people. For example, the RSA conference in San Francisco or reading about different attacks. By reading on security in general I try to keep my knowledge up to date. It's also important to not just rely on open sources, but also to participate in courses on security at conferences for example or other training.

 


How did finding a job after your study go?

I was doing my master thesis at Capgemini, and initially I wanted to work for Capgemini after I graduated. Unfortunately, I failed the admission test and because the economy was in a recession in 2009 they couldn’t hire me. Looking back, I am very happy that this happened because Capgemini is a very big company and I very much like smaller companies which are more flexible and offer you more responsibility.

 

So, after I couldn’t get hired at Capgemini I went abroad for a few months for holiday and once I got back I started looking for a job and came across a job offer for consultancy in Identity & Access management. I applied for the job and got hired :).

 

Do you have any tips for up-and-coming talent?

The security industry really offers a lot of opportunities but it should be something you like. My tip would be not to be focussed on your career but to look at opportunities and be open in what you want for yourself and be willing to take the challenge and do what you like. I believe that will take you the farthest, otherwise you will run into barriers.

Security Talent 2017-05-09 Stein Welberg Chief Technology Architect Onegini

Bachelor in Business Information Technology, Twente University

Master in Business Information Technology, Twente University

Information Security Officer (ISO), ICT Security Manager, ICT security specialist 3 (research-level) HSD-Stijn-low-res8.jpg HSD-Stijn-low-res3.jpg
9 Functionality and security can and must really go hand in hand now. innopay-ronald In the banking world security has always been a very important aspect of the business. From the traditional vaults to the secure mobile banking apps of today. As a principal consultant at Innopay Ronald combines his expertise in innovative business applications with the high security demands of the financial sector.

Principal Consultant and Technology Lead, what does that mean?

I’m helping Innopay to strengthen our consultancy services by improving our technical capabilities. Partially through bringing my own expertise but also by making sure we attract people with the right skills and by setting up partnerships with technology providers. In order to be relevant and competitive in innovation programmes for our customers, we have to innovate ourselves too.

 

Innopay has an excellent track record in innovation programmes. We are specialised in digital transactions, and combine a deep understanding of the business with knowledge of technology and regulations. These three are increasingly overlapping and innovations can only be successful by combining the same level of understanding of all of them.

 

I am building an experience lab at Innopay for this reason, modelling the world of our clients for future scenario development and increasing our skills and knowledge along the way. We can increase our understanding of technology and its implications, abilities and disabilities by gaining hands on experience in the lab. Also, in today’s agile development world, it seriously helps to have a realistic working model of the digital transaction world to provide deep and early insight. Ideas can be quickly validated in such a model and, once finalised, more easily implemented by all players in the ecosystem. Our clients benefit from improved development and validation skills and a smooth handover from the development to the implementation phase.

 


What kind of projects are you involved with?

At the moment the majority of my time is spent setting up the experience lab and the associated partnership network. Aside from that I’m involved in several Blockchain projects and projects related to open, API based, business models. Openness is a hot topic right now in the payments industry. In 2018 the PSD2 (Payment Service Directive 2) is coming into force. This directive is intended to increase innovation and competition in the payments industry. For example the directive says that from 2018 onwards banks have to give third party service providers access to your transaction details. This could for example be a Google application or Facebook. Think of having important transactions displayed in your Facebook newsfeed for example. Or logging into your mobile banking app and having transactions of more than one bank displayed with suggestions for your personal financial management. The technology behind this is the Application Program Interface, or API, that allows banks to offer lower level services to third parties. But if you open up your service, how do you keep it secure? Next to PSD2, we’ll shortly see the introduction of the new GDPR (General Data Protection Regulation) and the AMLD4 (Anti Money Laundering Directive 4). All these new regulations combined raise many questions around business models, user experience, security and privacy. I am preparing to use our technology lab in many projects around these topics.

 


Why did you pursue this career?

My study had a strong technical focus but I wanted to be on the applied side of technology once I started my career. That’s why throughout my career I have been on the verge of business and technology and in practice gradually lost touch with the details as I developed a broader profile. Technology still fascinates me however and after I did a project in which I had to take a very deep dive into technology again I realised that I could maximise my added value by combining a deep understanding of technology with a broad understanding of the business, because the same technologies empower many businesses these days.

 

I have been active in innovation management and business development and always felt a great drive to improve services and experiences enabled by new technologies. I worked mainly in the telecom and media sectors and there was always a lot to improve. Security and privacy were always a part of that, but I would primarily focus on functionality and usability and leave the security and privacy stuff to others. I must admit I sometimes felt it was a bit old fashioned to be focussed on that too much. I wanted to break the mould. But now that the mould has been broken without a doubt, I feel an urge to more evenly balance all factors. Do we really want all our data to be everywhere? Do we have enough control over our personal things? Is it ok for others to monitor me without my permission?

 

The urge to keep contributing to innovations, while balancing this more with security and privacy made me decide to cross over to the financial industry. In this industry security and privacy have always been important topics and we really have to take these aspects very seriously from the get-go. At the same time we need to innovate. Fortunately, with the latest technologies like biometrics it doesn’t always have to be a trade-off anymore. Functionality and security can and must really go hand in hand now.

 


Can you name a milestone in your career?

I have worked on dozens of new internet and mobile services and I’m proud of many of them. At Planet Internet for example I set up the first Music on Demand, Streaming Games and Video on Demand services in the Netherlands, and later I played a role in the development of many media sites and apps, connected TV and -Audio and the NS mobile travel planner. A lot of these projects have changed the world a little in their own way. Now I’m involved in Blockchain and open banking projects, which I’m sure are going to do the same.

 

How will your industry or job in particular change over the next few years? How do you keep up?

There is a lot going on in the world of digital business and the financial sector is no exception. Banks will be required to open up their business to others under the European Payment Service Directive 2, starting with access to the account. When banks aren’t the only ones who can service the end-user with financial services but any third party can do so, this will lead to a focus on the core competences and the introduction of new microservices. So opening up in a controlled and secure way is a big theme at the moment. Also seamlessness, being able to pay anywhere, anytime in any way, effortlessly and still secure is becoming an increasingly important theme. And when Blockchain and Machine Learning really break through, we can’t even begin to imagine the potential impact on this industry.

 

There is so much going on that it’s almost impossible to keep track of everything on your own. It requires a lot of time to stay up to date. Fortunately we have a team of knowledgeable colleagues, with experts from various disciplines and we are a very open organisation geared towards knowledge sharing. An internal network is a good starting point but it’s also important to connect outside your own organisation. Innopay has a great network that includes knowledge institutes, peer consultancy firms and start-ups throughout Europe. And I have grown a personal network that enables me to quickly find the right people to catch up on things. You don’t have to know everything yourself as long as you know where to find answers. Aside from that, the internet is of course a major source of information. If you look at the amount of information that is available now compared to 20-30 years ago, it’s astonishing. Everybody can find and share knowledge at any time.

 


Do you have any tips for up-and-coming talent?

My tip would be to stay true to yourself. Choose a profession that you are fascinated by and that motivates you. If that happens to be cybersecurity then congratulations; there is going to be a lot of demand for that. If you are motivated by innovation, take security into account in an early stage. It’s important.

Security Talent 2017-05-29 Ronald Hoeksma Principal Consultant and Technology Lead Innopay

Electronic Engineering at University of Twente

innopay-lowres-6-of-8-.jpg innopay-lowres-4-of-8-.jpg
10 It’s my job to get all the relevant Lego bricks on the table so we can build with that. rene-cisco IT offers endless opportunities. Someone who really took advantage of that throughout his career is René. Being involved in tech since the 1980's he has gained lots of experience working in different roles. Read the interview to find out what his experience and views on the trade are.

Cyber Security Lead, what does that mean?

As the cyber security lead for the Country Digitization Acceleration programme my job is essentially a business development position. Cisco has a large sales organisation but my position does not primarily focus on sales. I’m more of a linking pin in the whole organisation. My goal is to find or create new business activities for Cisco. Cisco is widely known for its hardware solutions like routers, modems and such. But there are organisations that are not familiar with all of our products and solutions. My task is to introduce those organisations to Cisco by being a conversation partner on the topic of security for them.

 

We provide solutions to your problems. It’s my job to get all the relevant, what I like to call ‘Lego bricks’, on the table so we can build with that. The Lego bricks being experience from earlier projects. We work with those bricks, partners and consultants to come up with the best possible solution. It has happened that a solution didn’t include many Cisco products. Because I’m in business development rather than sales that’s not necessarily a bad thing. That specific solution might be the best fit for the customer and in the future they will likely knock on our door again because we helped them out before. Perhaps then we can offer a solution that does include more Cisco products.

 

What kind of projects are you involved with?

It’s mostly new projects in which information security and digital safety are an important aspect. New technology applications or implementation of new security measures for example. In the product lifecycle I’m more involved in the brainstorming phase – at Cisco we call this ideation – rather than the actual implementation or operation phase. When a project is taking off my involvement usually ends. Of course I stay informed on whether a solution works or not and why. This feedback helps me to come up with better solutions in future projects.

 

One of the things I’ve noticed in these projects is that my diverse background is really valuable. I’ve been in both technical and commercial positions across a somewhat odd mixture of disciplines. This helps me to separate the real problems from secondary issues.

 


Why did you pursue this career?

My career actually took a lot of unanticipated turns before ending up in the position I am now. I started in IT because I wanted to understand how computers work. This was way back when computers were not very common. Computer Science did not exist as a separate study program. I studied electric engineering because that was the programme that was closest to computers. I learned fixing and using computers as they were not very user friendly at the time. After I graduated from my master I started working at Leiden University and started another masters in Medical Informatics. I had a curiosity for medical images like flat lines, pulses, MRI images and things alike. This combination between computer images and medical images happened by coincidence. I finished my masters while working on the Human Genome Project at the Massachusetts Institute of Technology (MIT). The project set out to map the human DNA. My role in the project was digitising the images used to make the map. Back then this was very difficult to do. Tools like scanners or digital photography did not exist at the time so everything was custom built.

 

When I came back to The Netherlands I was headhunted by a consultancy firm. I did a lot of network and security projects and made a career in the consultancy business. I moved on to another consultancy firm where I got to the position of leader for the Benelux Infrastructure Systems Security team. Eventually I decided it was time to get out of my comfort zone and learn something new, really have a new challenge. This resulted in me starting at Cisco as a system engineer. Now 13 years and several jobs later I am in a position where all my previous experiences kind of come together. Combining consultancy skills with technical IT and security knowledge.

 


Can you name a milestone in your career?

In hindsight the biggest technical milestone was my time at the Human Genome Project working on digital imaging and processing, because it was such ground breaking work. Also I met my wife because I went to the U.S. to work on that project so I’m really happy I did that. But I also consider my current position a milestone. It’s a really interesting and big challenge and I’m learning a lot of new things. It’s always exciting to start with something new, how it will play out. Especially if you’re asked to really create something within the organisation that didn’t exist before.

 


How will your industry or job in particular change over the next few years? How do you keep up?

If I would know the answer to that I wouldn’t be here. I do see some trends though. The world is becoming an increasingly smaller place thanks to the web, social media and things alike. This makes society less individual. Back in the days you could really be the expert on a certain topic. Nowadays work is increasingly becoming a team effort. When I started my career I was solving problems on a small specific topic on my own. Now I’m working alongside other experts on projects with a much broader scope making sure everything moves in the right direction. We have virtual teams with members from all over the world that I have never met in person but we work on projects together. You’re becoming part of an ecosystem of partners, colleagues and even competitors. In the future we will work more in these ecosystems and large teams.

 

To keep up I’m still learning, still studying. New topics emerge, like Blockchain for example. At first glance it looks like a completely new technique. But when you really look into it you see it’s a clever combination of existing techniques to create something new. That’s when you come to understand it and see that it’s very clever and really a new application and that it has the potential to become a disruptive technology. That’s when you start reading journals, I have a subscription to ‘Harvard Business Review’ for example because they often write on emerging technologies. So you go through professional literature, study on the subject, look for contacts. If it’s something that’s completely new and difficult to grasp you can take a course or self study on it. Nowadays that’s a bit more difficult than it used to be back in the days. You have to look for it yourself a lot more.

 

When I talk to clients I always ask them; “Do you have any homework for me?” It’s important that you have a good understanding of what your client does. You don’t have to be an expert but you do need to understand the business. Sometimes the homework they give me is an annual report to go through another time it’s a scientific article related to their business.

 

Finally I have some certifications that require I keep my knowledge up to date. To keep my CISSP (Certified Information Systems Security Professional) and GICSP (Global Industrial Cyber Security Professional) certification it’s required that I collect CPE (Continuous Professional Education) points. I have to show what I have done to keep up to date in order to keep my certification. For example what literature I have read, what courses I took and so on.

 


How did finding a job after your study go?

In the 80’s and 90’s it was relatively easy to find a job because there weren’t many experts and computers were relatively new. Computers were a new disruptive technology and I was young and enthusiastic. Nowadays it’s kind of the same for cybersecurity experts. In that sense there will probably always be some jobs in IT where experts are needed. Data for example is a hot topic right now where experts will be, and already are, in demand.

 


Do you have any tips for up-and-coming talent?

Be authentic! Don’t try to be someone you’re really not. If you don’t understand something, just say it and ask and learn about it. And finally do what you like and don’t be afraid to make choices that lead to a change of course. I’m really glad I made those choices. For example, at one point I was about to become Vice President but instead I started a new job as a system engineer. Something of an unusual and weird choice to many but it felt good and worked great for me.

Security Talent 2017-06-14 René Pluis Lead Cyber Security for the ‘Digitale Versnelling Nederland’ (Country Digitisation Acceleration) Programme Cisco Systems International B.V

Master Electrical and Electronics Engineering / technical computer sciences at HTS Haarlem

Master in Medical Informatics At Leiden University

Master of Business Administration (MBA) (Financial Systems)

Master of Business Informatics (MBI) (Enterprise Resource Platforms) at Rotterdam School of Management

Several Certificates like CISSP, GICSP

Computer & Embedded Systems Engineering, Technical Computer Science/ Technische Informatica, Computer Science/Informatica, Master Computer Science and Engineering, Computing Science (Master), Computer Science (joint degree UvA/VU), Computer Science (Informatica) cisco-low-res-10-of-10-.jpg cisco-low-res-3-of-10-.jpg
11 It’s that combination between the technical and social aspects of information security that make this job so attractive to me fynn-guardian360 While he has only just graduated from his bachelor in Information Security Management, Fynn already secured himself a challenging job as a security engineer at Guardian360. We had a talk with him about why he chose a career in cybersecurity and about his work.

 

Security Engineer what does that mean?

Being a security engineer at Guardian360 is very diverse. We have colleagues with a strong technical background, people that are focussed on the social side of security and everything in between. Really every security engineer is different. Personally I focus on both the technical and social side of information security. I like to work with a combination of both. I try to really incorporate both aspects as much as possible in the security solutions I develop. For example for our phishing as a service. With phishing as a service our technical solution provides human awareness. When clients come to us we sit down with them to find out exactly what goals they want to achieve and why. Based on what their goals are we explore what technical solution we can come up with in a positive way. At Guardian360 we don’t like the FUD approach (FUD is: Fear, Uncertainty and Doubt). I do the intakes with clients to find out what they need and am involved with the development of the technical solution. It’s really that combination that does it for me. Not just being busy with programming and developing but also sitting down with clients, have a coffee while they tell me what they’re looking for and how we can help each other.

 

What kind of projects are you involved with?

We have, I mean, Guardian360 offers the product Network Security Audits, essentially a compliance module. What our module (in combination with our networks and software vulnerability scanners) does is detect and collect technical vulnerabilities on systems and networks. Sometimes the data this produces is hard to grasp. Our module translates these vulnerability reports to relevant standards, like ISO27001 for example. I have been involved with the development of this module from the start. Another thing I do is maintaining contact with clients and offer support when they need it. I advise them on vulnerabilities and what the implications can be for their product. At first the module was operated manually but we managed to automate the whole process. I think we’re the first in The Netherlands to have that, which is of course pretty cool if you ask me. I got involved in this process through an assignment at school. With two other students we worked on the project and quickly found out that the way they wanted to do it originally wouldn’t work properly. So we reported our findings and they said, “ok, well if you think you can do it better then just do it.” We got to work and managed to figure out a better way pretty quick. When they noticed what we were doing we were all offered a job at the company.

 


Why did you pursue this career?

It’s what I mentioned before, that combination between the technical and social aspects of information security that make this job so attractive to me. Not having to pick whether I want to be working just on technique or just on social but really combining those two is what makes it so much fun. Aside from that, security attracts me because you really have to think out of the box to come up with solutions. I really like that! It’s basically just messing around, trying things in different ways. If you’re supposed to get into something in a certain way, I like to try to get in another way too. This can be on the technical side with system hacking, or the social side like social engineering. That’s how I ended up doing what I do now.

 


Can you name a milestone in your career?

One of my personal highlights was going to China for 6 months during my bachelor. I got to work on an assignment for a company doing research there. I was just 19 years old and working on my assignment at a company over there in China. They also need security specialists over there, like they are needed everywhere. During the first year of my study I said I wanted to go abroad for a longer period during my studies. When I was in my third year and looking for an internship my teacher said to me, “hey, why don’t you go to China like you said before?” The internet makes it really easy to go as there are no borders. It takes some time to find the right contact and prepare for the trip but it’s really worth your while.

 


How will your industry or job in particular change over the next few years? How do you keep up?

I hope that the awareness on information security will increase in society and that it will lead to a more mature IT landscape. Also, I, but also Guardian360, would like to see a more positive attitude towards information security. Show people that you can actually increase your cashflow and save money through implementing good information security measures instead of it being seen as a necessity that only costs you money. The link between people and technology will always be an important element and probably only become more important as technology evolves and the dependency on technology increases. And how do I keep up? I’m just finished with my bachelor and will move on to do a master. Aside from that I’ll keep doing side projects and working as a hobby. Trying new things is really easy and really helps you to improve your skillset.

 

How did finding a job after your study go?

Everyone will agree that there is a huge growth in this sector and that there are a lot of opportunities. I already have a job before I’m even finished with my studies. I would really advise people to choose for a career in IT security, you’re guaranteed to find a job you like because there are so many possibilities relating to the technology and social aspects of information security. But most of all you should do what you like though, that’s important too.

 


Do you have any tips for up-and-coming talent?

I just started my career so I don’t really have a golden tip. Do what you like, keep learning as you go. Every day I’m confronted with the fact that I don’t really know much yet. Just keep doing what you do, try new things and see where it will take you. Also seize opportunities during your study, there is really a lot of room to enjoy your time as a student. It’s so easy, but such a cool experience to study abroad for example. Internet has made it so easy to find assignments or internships. For my assignment at Guardian360 I put a message on my LinkedIn saying I was looking for an assignment and actually found this one within 8 hours after posting the original message.

 

Security Talent 2017-07-03 Fynn Loeffen Security Engineer Guardian360

Bachelor Information Security Management at the Hague University of Applied Sciences

 

Starting with a Master ‘ICT in Business and the Public Sector’ at Leiden University in September 2017

 

ICT security specialist 3 (research-level), ICT security specialist 2 (applied-level) 360-gardian-8.jpg 360-gardian-6.jpg
12 If a person is attacking you, they try to hide and you really have to investigate it thoroughly to find out what’s going on. bas-dearbytes Bas works as a Security Analyst in the Security Operations Center (SOC) at DearBytes. We were curious to find out what kind of challenges and incidents a Security Analyst has to deal with and what life is like at DearBytes.

 

Security Analyst, what does that mean?

 

DearBytes installs sensors in the networks of our clients that help us track and monitor network traffic. All events that these sensors generate as well as events from other sources, for example anti-virus, are collected in a SIEM (Security Incident & Event monitor). If our sensors detect an unusual situation we are notified because it triggers an alarm. Once we receive the notification we investigate what happened, decide if it’s serious and contact our client if needed. We explain what happened and what the consequences are, or can be for their business.

 

The alarms I mentioned have to be developed too. To find out what should trigger an alarm we have in depth conversations with our clients to find out exactly what their ‘crown jewels’ are and what kind of activity on their network is considered to be normal or not. Once we have determined what is normal and what’s not, it’s our job to find a way to recognise and detect the abnormal signals and design an alarm for it so that our analysts can be notified upon detection.

 

Where existing tooling, be it commercial or open source, doesn’t fit our needs we develop our own tooling or modify existing ones. We use this tooling to automate as much of the analysis processes as possible. This leaves the analysts to do the interesting stuff.

 

Furthermore we do threat intelligence. We follow trends and keep an eye out for new threats that surface and investigate them. That can be new methods of attacking, new software attackers use, vulnerabilities in the software our clients use and new viruses and malware that is being used. For example when a big breakout like WannaCry happens we do research on the impact. Give advice on what to do and check if clients are infected. Of course with ransomware finding out if you’re infected is easy, but some malware is harder to detect. In the case of WannaCry though giving advice was easy because Microsoft already published what updates to install to prevent attacks.

 


What kind of projects are you involved with?

 

The projects are very diverse. We have clients from various industries, banks, government, healthcare. Really the whole spectrum, even SME companies. In the beginning DearBytes was mostly focused on the healthcare sector but in our SOC that focus is completely gone. Nowadays it’s really diverse.

 

The incidents we deal with come from alarms from the security monitoring or from our threat intelligence. A third option is that we look at anomalies in the SIEM. When we have an incident it’s a matter of deciding upon what the impact of the incident is, or can be, and mitigate it. If it is a serious problem we notify the client. If we do research on incidents or risks based on the SIEM data it’s basically more a matter of investigating. Looking at what sort of data are available, like log files of network traffic. If we find anomalies we fix it draft up a report for our client giving advice on how to deal with the incident and what the impact can be. If they can’t do it on their own they can ask our colleagues from managed services for help. The SOC team does not fix the problems on that level. The core task we have is doing research so that we can deliver accurate reports.

 

Why did you pursue this career?

 

For the challenge that comes with it. I used to be a system administrator before I worked for DearBytes, but I got attracted to security because I saw it more as a challenge. You’re looking for people that try to hide from you. As a system administrator when a programme doesn’t work like it should you just have to fix it. It doesn’t hide or anything. With security if a person is attacking you they try to hide and you really have to investigate it thoroughly to find out what’s going on.

 

After high school I went on to work as a stage builder. After a while I thought this wasn’t something I could do until my retirement. Via my brother in law I got a job in IT and from there kind of ascended to where I am now.

 


Can you name a milestone in your career?

 

I think that would be March 2015. That’s when DearBytes founded this SOC. Some of the guys who started in the very beginning are still here. We’re still building and improving our product and deliver a more mature service to our clients almost every day. That’s something I’m proud of being a part of. Being involved from the beginning and seeing and helping our product grow and improve over the years. When we started in the early beginnings the office was almost empty. It was just a desk in an empty office space. But right now we’re actually running out of space. We’re looking to expand since we’re growing too big for the space we have now. It’s nice to see that development and growth and be a part of it.

 

How will your industry or job in particular change over the next few years? How do you keep up?

 

It’s a fast paced environment. There are a lot of innovations that follow each other in a rapid pace. So it’s important to stay up to date on developments and trends. That’s the most important thing you need to do to stay up to date. What direction the industry will move in is hard to predict. Attacks are increasingly being automated and a growing number of companies and organisations fall victim to… well, cybercrime. I hate to use that word, cybercrime, but I don’t really have an alternative. But as the number of attacks increases, and subsequently the number of victims, so does the importance of threat monitoring. It’s not really a question of ‘if’ but rather ‘when’ you will be attacked. So monitoring is important if a company wants to be able to respond adequately when they get screwed. Even if you keep all your software up to date and follow best practices there is always a way to get in. That’s what the NSA leaks have shown us. It’s just waiting on what the next big headline will be.

 

Currently I’m enrolled in an education. Furthermore it’s important to follow the news and be aware of what is going on. I read a lot of papers on subjects related to my work, scientific ones but also on forums and Twitter. Basically all places where you can find news. Less on obscure forums, but blogs from individuals and companies are really valuable.

 


Do you have any tips for up-and-coming talent?

A lot of people expect you need a really diverse set of technical skills and expertise. But in my experience having an open and curious attitude is just as, if not more, important. The kind of people that want to know all the gory details, and get their information from different sources. The kind of individual that really dives into something to find out and understand how something works. It’s my experience that this attitude really helps and that people that do have a technical background are not necessarily better because they don’t ask questions. In our SOC we have someone who doesn’t have any background in IT. But because he asks a lot of questions and has a natural curiosity he always is able to provide our clients with good advice.

Security Talent 2017-08-03 Bas van den Bosch Security Analyst KPN Security (voorheen DearBytes)

currently: System and Network Engineering at Amsterdam University of Applied Sciences

ICT security specialist 3 (research-level), ICT security specialist 2 (applied-level), ICT security specialist 1 (vocational-level) HBO-ICT: Network & Systems Engineering (NSE), HBO-ICT: Cybersecurity, Security and Network Engineering dearbytes-7.jpg dearbytes-3.jpg
13 All the elements of cyber security that I liked came together in security monitoring bryan-kpn Bryan is still young of age but has already gained extensive experience in various disciplines of cybersecurity. Looking at security with a curious and positive attitude helped Bryan take his future in his own hands. Read what he did and what he learned from those experiences.

Product Manager, what does that mean?

 

As a Product Manager I am responsible for various Security products. Based upon trends in the market and customer needs I introduce new products and adapt current products to these customer needs and new trends. I develop Product Plans for my products and try to respond to our customers’ needs together with a team of operations employees. There are various reasons for adding a new product to our portfolio. At KPN we find a secure network the absolute prerequisite for our customers to safeguard their privacy and prevent misuse of their digital identity. We feel it is our responsibility in this digital world to improve online security and to empower our customers in coping with and responding proactively to online security and privacy issues. KPN is the largest Managed Security Provider in The Netherlands and has extensive knowledge about ICT Security, but not all customers in every segment are aware of this. There are competitors who have been offering this service for years. But we would like to convince our customers that we are the best partner to combine the delivery of connectivity and security from the experience that KPN has in protecting vital communication infrastructures for decades. Since 1852, KPN Netherlands has continued to provide the latest technology at the moment. From telegraph to 4G, from telephone operator to telephone exchange and from state-owned company to commercial group.

 

The product manager creates individual building blocks first and then puts them together in order to satisfy our customers’ needs by offering a more complete product. Offering a more complete product also eliminates competition because your offer stands out from the rest. This helps KPN to stay and to grow as a key player in the market.

 

By creating a modular but integrated portfolio KPN shows it understands customers’ needs. We have to think for example what a secure workplace exactly looks like and how our customers would like their employees to securely use their workspace. We can offer a product that is intended to make life easier and give them security by design for our clients. We think that the way we build our products will make a difference for our customers.

 

Our goal in the end is to become the go-to security partner for every organisation. Whether you are buying an internet connection or a secure workplace. The product managers help by contributing to the Strategic roadmap and provide input on a tactical level.

 


What kind of projects are you involved with?

 

At the moment I am working on integrating our security portfolio with other KPN products and use the concept of ‘security by design’. Security should not just be a point solution, but it should be built into every product. My contribution in this process is translating customers’ needs into products. One of my personal strengths is the interaction with customers and the technical integration of their needs. The goal, like I said, is integrating security into our whole portfolio. Making security our core business by weaving security solutions into all the products and services we offer. To get there we need the building blocks to feed our core businesses with security.

 

Why did you pursue this career?

 

I have always been trying to hack things as a kid. So when I had to choose an education I started with network/system management in IT. From an early age I had to care for my mother at home and starting an HBO bachelor was not an option because I just didn’t have the time and concentration.
At that time a new MBO 4 programme, Private Digital Investigator had started. This education was all about hacking, digital forensics and fraud investigations. It got my attention because I was already into hacking. During my education I did an internship at a private detective company that focussed on fraud and digital investigations. After my internship I got into IT and security monitoring and from there moved on to cyber security. I worked for an international consultancy firm for a while and noticed that all the elements of cyber security that I liked came together in security monitoring. It has elements of identifying risk, protecting the organisation, detect threats, responding to threats and recover if needed. You have to decide what to monitor, what risks you are monitoring, and when something happens you have to dive into that specific case. So first I worked in jobs that covered one aspect and found a place where all those elements came together in the SIEM/SOC environment of security monitoring. I got to work on some big projects, setting up monitoring environments and developing relevant use cases. After doing that for a while they asked me for the role of product manager to help them further develop and position the security services that KPN offers.

 

In the beginning of my career I was offered a job because I had a relevant diploma. But in recent years I have been recruited based on the experience that I built up over the years. I got offered new positions based on the roles I had before and the kind of projects I worked on. People with an MBO background are people with a hands on mentality and a Security Operation Center environment is perfect for these people because you work on the operational side of the business. They are often more attracted to the technical aspects and less to the business side of things. My experience is that if you want to grow in an organisation to the business side, you really have to prove yourself when you have an MBO education. Being passionate about your work is necessary if you want to grow, and more important is how to get there through education, training etc... I really like my job and cyber security in general is also my hobby in my spare time as I like to read articles and whitepapers about subjects I work with. It influences me to work on innovation, trends, partnerships and what the market wants and where they stand on maturity. You need to keep up, IT is a dynamic environment and it helps me to become better at what I do in my work.

 


Can you name a milestone in your career?

 

That would be my employment at a large consultancy firm by passing the HBO assessment and going to the OHIO business course in the USA, and after that the big projects I did. They only used to hire people with an HBO or higher level of education. I only had my MBO diploma and still they employed me because they believed in me, which gave me a lot of confidence. I was working with clients at their offices and I was their primary contact. I learned a lot during this time and worked on various projects for different types of clients. I got the chance to gain new experience and to improve my skills which boosted my career and myself.

 

I believe that if you want something you have to work hard for it and you have to invest time in order to grow. I think how I grew up has made me competitive in that way. Sometimes I overdid it though, at a certain point in time I was getting a new certificate every week. But now I have found a better balance, working on a job level I wanted to and just get the certificates I really need or want.

 

I started working in an internship when I was 21, switched a couple of jobs and became a product manager at KPN at 27. I would like to advise everyone who wants to work in IT to start with consultancy. You will gain so much experience in such a short time that you will grow really quick. You see so many different environments and projects, that really helped me a lot to choose my career path. It gives you a lot of insights and experience on what you like or don’t like.

 

How will your industry or job in particular change over the next few years? How do you keep up?

 

I see a lot of processes being automated with BI (Business intelligence) and a lot of innovations are shaping cybersecurity. The protection of data will become very important, because so much new data is becoming available. Another thing is the Internet of Things and how we deal with the growth and subsequent security risks of that. Privacy will be an important subject when the GDPR will come into force in 2018. I think security by design should and will become the standard. New products will be developed with security built into it instead of being added in a later stage. Products will have to be developed with security in mind from scratch. This will need some time but you will see that security is everywhere in a few years. There is already a lack of specialists and that will only increase over the coming years.

 

I could say that I keep up by getting the right certifications, but that is not really true. You can pick up a lot of theoretical knowledge on certain subjects that way, but I believe that you have to keep up with all developments and trends to stay ahead of the curve. Getting to know the landscape you work in from a helicopter perspective is more important. How is everything related to each other and how to secure it. Getting your certification will then become more a thing you do afterwards to confirm you know all about it and proving you are a specialist on a certain subject. To keep up I basically do what I always have been doing: Reading as much as I can and keep track of all kinds of innovations and understanding the “Why” and “How” from strategic to operational perspective levels. My colleagues experience me as a very curious, social and eager guy in the work field.
I always try to look at how innovations influence our products and how we can adjust to these innovations. What are the missing links in the portfolio of KPN that we need to be able to stay ahead of the curve. With IoT for example KPN has been able to do a lot because we anticipate on these innovations.

 


 

How did finding a job after your study go?

 

Back in 2009-2011 there were not that many cyber security related jobs like today. There was more focus on the risk management side and that was a lot of business driven security. The private digital researcher programme was developed to anticipate an expected growth in the future on operational and IT processes. I got the unique chance to work at a private detective firm. That wasn’t at all a sure thing for my fellow students. It was hard to find a job in cyber security back then. There was a lack of definitions on the type of role/function in shaping perspective. A general job in IT did it better for most graduated students, because a lot of companies didn’t know how to deal with full time security jobs and you had to explain how important this was for the company. But security has definitely grown in popularity and also in number of jobs. I think right now the people following an education in cyber security will most likely find a job without many problems as the demand for experts is growing faster than the supply. Most companies now know how to fill in the roles because of the latest breaches and hacks.

 

Do you have any tips for up-and-coming talent?

 

Keep a broad perspective and don’t focus too much on one aspect of cyber security. Doing a great job at one aspect doesn’t mean you have to forget the whole landscape. You have to be ready if someone asks for help, and you need to understand their question and how security can help their problem from another point of view. SOC is really diverse with a lot of relevant technologies and processes. If you have no knowledge or experience of one part of it, it’s hard to fully comprehend it. You need to be able to oversee the whole process like the kill chain and threat landscape. I had the chance to develop myself in a very broad set of disciplines. If you don’t get that chance it’s still important to keep learning new things and keep a broad perspective. You don’t have to be a specialist in every discipline. But you need to be a specialist in the discipline you’re good at and meanwhile keep an overview of the whole domain and make sure you don’t forget what’s outside of your comfort zone. Because the IT landscape is wide and everything hits security.

 

Security Talent 2017-08-31 Bryan Beekhof Product Manager Cyber Security KPN NV/KPN Security.

ICT beheer (MBO)
Particulier digitaal onderzoeker (MBO)

 

ICT security specialist 3 (research-level), Digitaal Forensisch Onderzoeker (MBO), ICT security specialist 2 (applied-level), ICT security specialist 1 (vocational-level) KPN-HIGHRES-7.jpg KPN-HIGHRES-4.jpg
14 I never thought of working in cybersecurity before, but it’s such an interesting business and there’s so much going on. karin-securelink Karin never thought she would be working at a cybersecurity company when she was looking for a job after graduating. But a friend introduced her to SecureLink and since then the industry has won her heart. She tells us why she has become so enthusiastic about this buzzing fast-paced sector.

Team Lead Inside Sales, what does that mean?

 

Most of the time, our account managers are on the road visiting clients and prospects. The Inside Sales team supports them in all the solutions SecureLink offers. Like drafting up quotations, based on the input we get from the account managers. We also maintain contact with all of our vendors and distributors. Our technical consultants, on the contrary, help us with the technical aspects of projects. They make the configuration that we use as input for quotations.

 

A large part of our job also revolves around customer contact. If customers or account managers have particular questions, we try to answer them, or get them in touch with the right person. This can be on anything: deliveries, products, you name it.

 

All the assignments SecureLink has, start at Inside Sales. We’ll take care of the transfer of the project to the internal organisation. We’ll make sure our Administration, Planning department, Project Managers and Security Engineers know what to do – that they have the right scope. Sometimes the scope is clear from the beginning, but sometimes you really have to dig deeper to get a clear understanding of a client’s wishes and needs.

 

I’m aware a lot of people use this saying and it’s a bit of a cliché to say so, but we’re basically the spider in the web. People really do know where to find us and come to us for help. We get a lot of questions and requests from all the various departments.



 

What kind of projects are you involved with?

 

We have a lot of different vendors in our portfolio, who offer solutions from WLAN, to firewalls, to switches. Our portfolio basically covers everything in infrastructure and security nowadays. Besides the fact that we sell products and solutions, we are a supplier of managed security services. Our added value is in the maintenance of the products, the project services and the NOC and SOC services. We see the market move from just buying a box and installing it, to buying services. Companies don’t want to buy a router, but connectivity. So, they ask for connectivity and leave it up to us how we provide, maintain and support that connectivity solution. That brings an interesting new challenge to our work. We also have our own Cyber Defence Center and quite a few clients for our Network Operations Service Center (NOC) and Security Operations Center (SOC). The various services and clients are very diverse in size and scope. This is what I like most about SecureLink. We don’t just sell our products but rather our experience in delivering security solutions. Our clients can sit back, relax and trust that we make sure everything is taken care of. We mostly focus on the top 500 companies, really the big guys. We’re not exclusive to a certain industry, we supply schools, government, healthcare, commercial companies. Really every industry you can think of, this is also what keeps our job diverse and interesting.



 

Why did you pursue this career?

 

I, more or less, rolled into the business by coincidence. It wasn’t really a conscious decision to look for a job in cyber security. After I graduated I went backpacking through Southeast Asia. When I got back home I started looking for a job. That was easier said than done. Five years ago, there weren’t as many vacancies as there are now and my ‘common’ commercial education didn’t really help to find one. One of my friends works in the Marketing department at SecureLink. She told me their Administration department was looking for some support. It wasn’t really the kind of job I was looking for, but I needed the money and decided to apply. That’s how I got to know SecureLink. While I was there, an Inside Sales position became available and they asked me if I was interested. And I sure was! It’s a much better match with my education and I have never left since. The position is still as exciting and interesting as it was in the beginning.

 

SecureLink surprised me, in a positive way. After graduation everybody wants to work for big companies, like Unilever or Coolblue. My experience is that you need to be open to other opportunities; you’ll be surprised by what you’ll find. I never thought of working in cyber security before, but it’s such an interesting business and there’s so much going on. Because I’m working with a lot of technical people it even crosses my mind sometimes to move to the technical side. But for now I’m happy with the position I’m in. That’s also because of the acquisitions SecureLink made last year. We now operate internationally and with my background in international business that’s an interesting development. It’s nice to witness this growth from up close; SecureLink grew from a relatively small Benelux operating company to a large Pan-European player.



 

Can you name a milestone in your career?

 

Last year I got promoted from regular Inside Sales to Team Lead. It’s a sign of trust and appreciation based on the work and effort I have put in. Really a step forward in my career. Another thing I’m proud of is successfully finishing my computer science course. The exams I took to practice for the final exam were quite difficult. I even went around the company and asked some of the technical guys to help me with the things I didn’t understand. In the end I managed to complete the course successfully and that’s something I take pride in.

 

How will your industry or job change over the next few years? How do you keep up?

 

I think one of the most important trends for the next few years will be the transition from products to services. We see a growing demand in the market for service and unburdening. Aside from that, we keep track of new product developments in the market. We constantly look for new products and vendors. If a new solution pops up, and we think it could be an asset to our clients’ environments, we include it in our product portfolio. The transitioning to cloud services also affects our business. It isn’t delivering a hardware solution that we install and configure anymore. Cloud services are inherently connected to IT. It’s a fast-paced domain and the technique is rapidly evolving.

 

How do I keep up? It’s very important to educate yourself on the products and solutions SecureLink offers, especially when we sign contracts with new vendors. I talk to colleagues with technical expertise to get a basic understanding of the product before I start working with it. SecureLink facilitates this learning process through organising breakfast and dinner sessions at the office. Everyone can sign in and a colleague will give a lecture or demonstration on the product or service. It’s a nice way to keep track of industry trends on a personal and company level. At SecureLink we only do the things we’re good at, we want to help our clients as much as possible. Only then can you offer a complete package to them.

 

We also attend product specific sales trainings organised by the vendors of the products we offer. And last but not least the news is an important source of information. Especially lately with cybersecurity news making headlines more frequently. You really need to know about the incidents and what’s behind them; only then can you provide decent answers when customers come to you with questions.



 

Do you have any tips for up-and-coming talent?

 

The most important thing is to keep an open mind. Think about what you like beyond the comfort of things you know. In my case that was IT. Another thing I would advise is to get to know the culture of a company you’re interested in. Try to find a company with a culture that matches with you as a person.

 

Security Talent 2017-08-31 Karin van Rijswijk Team Lead Inside Sales SecureLink

International Business and Languages, Utrecht University of Applied Sciences
Course on Computer Science at Open University (course from the bachelor curriculum)

thumb.jpg Securelink-web-7.jpg
15 For the time being I’ll keep doing all sorts of different things I find interesting. erwin-tno When you complete the infamous Kerckhoffs master, a well renowned name in the security scene, it's obvious that you will need a good challenge when you start your career. Erwin found this challenge at TNO where he started as a researcher and security consultant. Read how he got there and what kind of challenges he encounters in his work.

 

Researcher and Security Consultant, what does that mean?

 

As a security consultant at TNO I answer the complex questions on the subject of security for clients. Questions like “how can we make sure that our network is still as up to date 5 years from now as it is today?” Or the military knocks on our door asking how they can make a certain weapon system cyber secure. We start with getting our documentation in order before we begin our research. The core business of TNO is applying knowledge, bridging the gap between hard-core research and business. We do not engage in fundamental research but rather put the research done by others into practice. Taking elements of the more fundamental research and translating that into innovative concepts that can be put into practice. Often this kind of research consists of theoretical models that have not been tested in real life but only in simulations. We put those models to the test. I have a lot of variation in the kind of work I do. One day can be filled with brainstorm sessions while other days I’m visiting clients or really do research on a certain topic to get to the bottom of it.

 

What kind of projects are you involved with?

 

I mostly work for the banking sector, Ministry of Defence and telecom operators. I cannot discuss the work I do for the defence part in too much detail. That can be difficult at times because it is such an interesting client with a lot of exciting things to work on. You get to go to special places I would otherwise never be able to visit. That really makes my job interesting.

 

For the telecom operators I’m mostly busy with the development of patents and building demos. The demos are important to show that the patents we come up with actually work. This research is mostly done with my colleagues from TNO’s Networks department. They have built their own LTE network which we use to build our concepts on. It’s really unique in the sense that there is a special combination of people with different backgrounds that you can collaborate with at TNO. It allows you to quickly discover and learn new subjects. When I started at TNO I knew nothing about mobile technology and now I’m involved in developing new standards.

 

With regards to the projects we do for banks it’s a combination of research that is open and projects that have to stay behind closed doors. How their networks are designed and what kind of measures they have implemented to detect certain types of fraud has to be kept a secret. If criminals find out, those measures are not effective anymore.

 

Publishing research on detecting malware on networks is helping everyone and it’s not really secretive. One of the things we look at is what connections systems within the company network make. With the current security products, the focus is mostly on the connection to the internet. We think that this market is pretty saturated, with firewalls and intrusion detection products for example. There are so many different products on sale, but not yet products that focus on traffic within the network. So that’s why we do research on that subject. For example, checking if systems on the network suddenly start communicating with other systems within the network or that they go to fileservers that they normally would not go to.

 

I work with a lot of enthusiastic people that are experts in their field and are really highly qualified. You can learn so much in such an environment, I don’t think there are many companies like this besides TNO.

 


 

Why did you pursue this career?

 

Cybersecurity caught my attention. The challenges that come with it, learning to hack a system and the variety of tasks. It’s a large domain but still feels compact. There are so many aspects to information security that make it challenging and diverse but you can still really dive into a subject. For example, malware detection is completely different from cryptography, the security of hardware or access to systems. It’s all security but at the same time every subject is an expertise in and of itself.

 

I try to do everything I like. If something interesting crosses my path I have the freedom to get started on that particular project. Some people like to really dive deep into one topic. They are internationally considered as the top experts on their subject. Perhaps I come across a subject I like that much one day, but for the time being I’ll keep doing all sorts of different things I find interesting.

 


 

Can you name a milestone in your career?

 

I think when I was on board of a Royal navy ship. Last year I spent some time aboard a naval ship to get an idea of the context of the assignment. Being with the people that work on them and really getting to learn the environment where the projects I work on find their way to was cool. Not just sitting behind a desk and coming up with ideas, but actually being there and getting an idea of the activities and helping the people there. It’s not a place you would normally come. A unique opportunity and experience.

 

How will your industry or job in particular change over the next few years? How do you keep up?

 

More and more tasks will be automated with machine learning and artificial intelligence, and new techniques will be applied to cyber security. The amount of available data will only increase up to a point where we cannot process it manually. Alerts from security systems will increase accordingly and we’re trying to figure out if we can find ways to cope with these developments. Trying to find out if there are smarter ways to contain the flow of information or deal with it in a more effective and efficient way.

 

I keep up by reading a lot. There is so much information available on the internet. You really have to put in time, reading news articles and blogs in order to keep up. I started experimenting with computers as a little kid and eventually started with a study in computer science and consequently found a job in IT.

 

Also sometimes I follow courses on a specific subject. Last year I did a course on network security. If you work on a certain project and there is a specific relevant training, TNO always encourages and supports you to do that training. For example some of my colleagues are currently busy with OSCP, a pentesting course.

 


 

How did finding a job after your study go?

 

During my study I met someone who is now a colleague of mine at TNO. He gave lectures for one of the courses in my study. We got in touch and via him I got to do my graduation assignment at TNO. After that assignment I was offered a job and that’s how I ended up at TNO.

 

I think for a lot of my fellow students it went kind of similarly. Most of them already found a job before they graduated. Also, looking at posts on LinkedIn I don’t have to worry about being unemployed in the near future. It’s not that everybody gets a job that easily though. You do actually have to be capable, otherwise you’ll be surpassed. There are high expectations, you’re really expected to bring something to the table. You’re expected to be able to contribute on many levels and various topics. Knowing just a little bit about crypto does not make you a security expert in that respect.

 

Do you have any tips for up-and-coming talent?

Try to do hobby projects. There is so much to be found on the internet. Courses and online tools to teach yourself skills that are useful for your career. You really get a head start on your competition if you gained some experience outside of your education’s curriculum. I think that I learned just as many useful skills online as I did in my entire study.

Security Talent 2017-10-09 Erwin Middelesch Researcher and Security consultant TNO

University of Twente BSc Computer Science

 

University of Twente MSc Information Security Technology (Kerckhoffs Master)

 

The Kerckhoffs Institute Master was a specialisation and partnership of 3 TU's

ICT security specialist 3 (research-level), Information Security Officer (ISO) Information Security Technology TNO-LOWRES-2.jpg TNO-LOWRES-5.jpg
16 What I like is that I can do the investigation and research an incident and then come back with concrete results mandy-kpn As an incident handler she is the knight in shining armour when a crisis emerges. This time we interviewed Mandy, to find out what her tasks are in the KPN-CERT department and how she got to where she sits now. Read the interview to find out all about her role.

Incident handler, what does that mean?

 

The core business of the KPN-CERT (https://www.kpn.com/kpn-cert.htm) is responding to security incidents. Digital security incidents to be precise. We get notifications of incidents from a variety of sources. These notifications can be about pretty much anything. We look into the incident and investigate what triggered the alarm. We try to figure out what exactly happened or what is going on. What the impact of the incident is and what the potential risks are. These investigations are very different from one another depending on who or what kind of protocols are involved in the incident. For example, it can be about unauthorised actions that are detected on a certain machine. We look at what kind of connections the machine makes. Are there any things out of the ordinary? It’s essentially forensic research to find out whether the system that is suspected to be compromised is actually compromised. The strategy we follow really depends on the incident and what leads we have to start with. One thing we do for example is reverse engineering malware.

 

KPN-CERT is part of KPN’s CISO department. There’s also a REDteam that is actively engaged in hacking and pentesting KPN products before they are shipped to customers. The KPN-CERT is more on the responsive side of the security business. The core activities of the teams are very different but we do work together a lot. Together with all the CISO teams we also publish the KPN Security Policy (KSP), which is open source, with best practices (https://github.com/KPN-CISO/kpn-security-policy). On top of that we also do threat intelligence. We look at what’s going on in the outside world in terms of potential risk developments that might affect us or be relevant in other ways. A more proactive role when compared to the regular CERT activities.

 


 

What kind of projects are you involved with?

 

Mostly investigation projects. What I like is that I can withdraw myself to do the investigation and research into an incident and then come back with concrete results. Often I have to work with colleagues to get to the bottom of something. That combination of teamwork and solo investigating is really nice.

 

Why did you pursue this career?

 

By coincidence. I was studying something I didn’t like when one day while going to school I read an advertisement that was written in such a way that I recognised myself in it. I just thought, ‘I have to apply for this’. It was a secondment agency specialised in IT. I got hired and my first placement was at a Security Operations Centre (SOC). In a SOC you keep track of network traffic, looking if you can detect patterns in traffic flows. I liked it so much that when a permanent position opened up I decided to apply. So I did apply and got hired. That was in 2013 and turned out to be the start of my career in security. Later while working for the SOC still, I was asked if I wanted to join the KPN-CERT team.

 

It’s a relatively new profession. There weren’t that many specific security study programmes before. In my team there are people with all sorts of different backgrounds, chemistry for example. So in a way I’m not really the odd one out. Job wise I didn’t have a lot of experience in security. But I didn’t experience that to be a serious issue. The domain is so wide that you can never know everything on all subjects. You really need to work with your colleagues and help each other. You’re behind a computer most of the time, but because you need to work together you still have a lot of contact with colleagues within and outside of your organisation. Both digitally and in person. This collaborative dynamic is something I really enjoy.

 


 

Can you name a milestone in your career?

 

I really like my job in general. When I was working in the SOC my manager at the time asked me if I wanted to apply for the permanent position that opened up. I did, but my interview went horribly. I thought it wouldn’t work out. But my manager hired me anyway because he knew how I worked. That was really motivating. Also when I was approached to join the KPN-CERT team was a highlight. Working in such open and coherent teams is an important aspect of why I like my job so much.

 

How will your industry or job in particular change over the next few years?

 

It will change on different levels but I don’t think it’ll happen overnight. Because several incidents make headlines in news media people get familiar with some of the risk. This is in itself a positive thing. But it also means more people with bad intentions are getting familiar with the possibilities. We see that more and more incidents are exposed in which bigger actors are involved. That’s really interesting. It doesn’t necessarily make it more complex but we have to respond quicker, for example with shadow brokers dumping new exploits, making them available to everyone. Because more people have access to (nation state grade) malware, quick response is becoming more important. Companies are paying more attention to this. Which is a positive thing. You can also show it is important to get back on your feet if you get attacked. And you for sure will be attacked. It’s not a question of if, but when.

 


 

How do you stay up to date on these developments?

 

Some of my colleagues are working entirely dedicated to threat intel. They dive deeper into what is going on and we receive info from them. There are also meetings in which CERT-teams get together to share information. Both with government and businesses. What you see there is that companies who are actually competitors in the same business come together to share information relating to security despite being competitors.

 

I follow specific training on subjects that are relevant and get certifications. I did some SANS courses and got my GIAC certification in addition to that. For example, I did certified forensic analysis and network forensics last year and this year I’m starting with malware reverse engineering. There’s a lot of attention in the media lately with some bigger malware incidents. We don’t notice a rise in incidents though as malware has always been part of our work. But it’s good to keep on top of developments.

 

Do you have any tips for up-and-coming talent?

 

Something I notice all the time, is that the field is so broad. I keep asking a lot and because of that I learn a lot. You cannot know everything all the time. If you go and ask colleagues for help you’ll see that they have just that bit of expertise that you’re missing and you learn from them. There is so much information and knowledge around you. That really makes it a nice place to work and learn. In regards to how things get together or how generic stuff works I think that if you didn’t google it before you ask someone, you didn’t try hard enough.

Security Talent 2017-10-31 Mandy Mak Incident Handler at KPN-CERT KPN NV/KPN Security.

Tried HBO Media & Entertainment for a while before deciding it was not a good match

ICT security specialist 3 (research-level), ICT security specialist 2 (applied-level), ICT security specialist 1 (vocational-level) KPN2-web-1.jpg KPN2-web-5.jpg
17 That's what I love about IT: there's always so much work because it keeps changing. hanneke-rocmondriaan Educating talent is key in securing the future. Teaching students secure programming helps them building better and more secure applications. As a teacher Application Development and Media Design at the ROC Mondriaan, Hanneke grows the talent pool for us all and keeps up-to-date with the latest technology trends.

Teacher Application Development and Media Design, what does that mean?

I work at the ROC Mondriaan, a school for intermediate vocational education. The courses I teach are part of the educational programme Application Development and Media Design. There are a lot of subjects that are part of this education. For example, I teach some popular programming languages that are being used for app development such as MySQL, PHP, Symfony and some Java. Recently we also started with a course on ‘secure programming’. We work in projects: it starts with a request for an application, we give the assignment to students and they manage and deliver the project, as if it were a real assignment. The students will have meetings with the client to map what their needs are and what functionalities are asked for. Based on that they make use cases, and now that we also offer the secure programming module they also make abuse cases. When the use cases are approved they continue to build the databases that are needed for the product. The database is built with MySQL and the Oracle course taught them SQL that they use to manipulate the database and the data. Finally, when all is ready the students actually build the application using various programming languages and the Symfony platform because that is a nice comprehensive platform with a lot of built-in functions and the security is tested too.

 

What kind of projects are you involved with?

It’s mostly projects within our school. Students work on phone lists for example if a teacher needs one. Seems easy but a lot of things need to be taken into account. Aspects like authorisation for example. The teacher gives feedback on the development of the app throughout the whole process from idea to the final build.

 

For the secure programming elective, we have created a virtual machine running a version of Linux – Kali Linux to be precise – with hack tools to test the apps we build. We don’t use all the available tools because that would take years. We start with some often-used techniques like intercepting traffic to servers: the man in the middle technique. Another is SQL injections to test if you can get more information from the database than you should. A lot of older websites still have problems with SQL-filtering, making it possible to retrieve information from the database that is not intended for you. We teach them to consider this right from the start when designing and building apps. Cross-site scripting is also given attention. That’s basically sending pieces of code to the server to take over control. These three techniques are still close to what an app developer does. Of course you can also teach them how to break into networks, but that is more of a subject for the network management programme. We just want to make our students more aware of the vulnerabilities in the apps they build and make them able to deliver secure apps.

 


 

Really teaching them how to hack is tricky for us as a school. You don’t want them to use the skills we teach them for mal intent. So we teach them how to detect and intercept potential abuse. We do so in a closed environment with a virtual machine. The whole process of how to hack into a server is not something we teach them. We should not educate hackers but make them aware how the apps they build can be broken and how to prevent that from happening. That’s our responsibility if we are training app developers that have to work on safe and secure working apps. We are also developing an assignment for secure programming for interns, together with our partner Exact. Students will fulfil security tasks on the job.

 

Another project we are currently working on is in cooperation with the ‘Techniek Innovatie Huis’ (Technique Innovation House). That’s a joint venture of several educational programmes within ROC Mondriaan, companies and the municipality of The Hague where we work together on projects and want to get businesses more involved in our programmes. We are going to work on topics like cybersecurity and serious gaming for example. The location has only recently been opened so right now it’s still in its startup phase. But the idea is to really create a thriving environment where businesses can ask for help, participate in workshops and provide guest lectures. One project we are already working on in the Techniek Innovatie Huis is virtual reality. Right now it does not have a cybersecurity component but we do want to add that aspect too. The students are busy with programming a virtual reality environment to learn what the effects of adding new elements to it are and how you can program that.

 


 

Why did you pursue this career?

I started my career as a PL/1 programmer at an insurance company right out of high school, building the systems that were used to store all the insurance policies. I started right after high school because there was such a big demand for programmers back then. After doing that for a while I decided to go back to school and study communication. But when I graduated there was a spike in the number of available jobs in IT again. So when I couldn’t find something that was related to my study I decided to pick up programming again and started with Visual Basic for Applications.

 

After working in the commercial sector for a while it didn’t really feel satisfying anymore. I became a bit bored and working in education appealed to me more than a commercial organisation. Education is less tedious in my opinion, there is nothing as dynamic as being a teacher. It’s really nice to work with and guide youngsters in a craft like programming. It’s surprising to see how much ROC students can do. Often when we talk with organisations and show them what we’re doing they are surprised by the skills of our students. We have a lot of hard working and curious ‘go getters’. We see that now with the secure programming course. We just started a few weeks ago and already they are helping each other and telling each other about various hacking techniques and where to find documents. They manage to find things before I do, luckily enough they keep me informed too. I’ve already had several books added to my collection because of them since we started with the module.

 


 

Education is very challenging and rewarding. Because I teach in app development I also have to be on top of what trends and developments are in the market just like in commercial organisations. Right now for example my job looks completely different from when I started. Nowadays a lot of work is cut up in little pieces and needs to be done quickly. That’s a completely different way of working than when I started, when we would build a whole system, test it intensively and then put it into practice. The way of working is the same though: whether you’re in a commercial organisation or educational institute, you need to adapt constantly.

 

Can you name a milestone in your career?

A recent milestone was that we started with the secure programming elective. I experienced hacking when my personal website was hacked and when my bankcard got skimmed at a gas station. That I can educate the next generation of app- and software developers on techniques they can use to make their products more secure is a milestone for me.

 

Another thing is the Technique Innovation House I mentioned earlier. We see a lot more companies who are interested in what we are doing. When we had the official opening, we saw that our students who were busy with the secure programming course and hacking received a lot of attention. Even more than the group that was working on some more flashy applications they built with the Raspberry Pi. It’s nice to see this attention for our students after the hard work and steep learning curve we experienced while putting this programme together.

 

How will your industry or job in particular change over the next few years? How do you keep up?

I see my profession change in the sense that I will need to learn more techniques, especially now that we introduced hacking into the curriculum. We will keep working on that to show what can be done with hacking and how this affects app development. Also new ways of programming and new types of devices or the Internet of Things for example will be introduced and need to be secure. In the future, if a new relevant programming language comes around, we are going to include the secure programming part right from the start. This might have as a result that secure programming becomes so integrated that the actual elective becomes much more in-depth. Which means I need to learn more on the various techniques.

 

To keep up I read a lot of books, practice a lot and do internships at companies. For example I once did a workshop at Deloitte at a department that was specialised in cryptography. If you work with those people you really learn a lot of things that you will then bring to the classroom. More organisations should start offering this type of workshop or guest lecture to teachers as it’s very valuable for the level of education.

 


 

How did finding a job after your study go?

The first time I needed a job, the job actually found me. In IT there are always peaks at which a lot of people are needed. So when I finished high school I got a call if I wanted to start as a programmer and started right away. After I finished my study communication there was another peak in demand and I got hired pretty fast again. That’s what I love about IT, there’s always so much work because it keeps changing. You see it happening again right now with cybersecurity.

 

The switch to go work in education was intentional. I was working as an application developer at the time when my home situation changed and I was not really challenged in my job anymore. So I applied for a specific job at the ROC of Amsterdam that related to the job I had at the time. And I love my job ever since.

 

Do you have any tips for up-and-coming talent?

Yes! It’s my experience that companies respond very enthusiastically to security and hacking. They always say they are looking for people that like to puzzle, who are go-getters and have good ethics. If you like to keep learning and do challenging work, IT really has everything to offer for you.

Security Talent 2018-02-08 Hanneke Kool Teacher Application Development and Media Design ROC Mondriaan

Bachelor Communication at the University of Amsterdam

Teacher Degree (BVE) at Fontys

Self study in Flash, Illustrator, XAMPP & Photoshop

Webdesign course at Mediacollege Amsterdam

Teaching Assistant degree at NHA

Application Developer, ICT security specialist 1 (vocational-level) HSD-ROC-00007.jpg HSD-ROC-00001.jpg
22 People, process and technology: Combining digital business and human behavior insights in the field of cyber security people-process-and-technology-combining-digital-business-and-human-behavior-insights-in-the-field-of-cyber-security During her first years as a student, Laura never thought she would be working in cyber security right now. We had a talk with her to hear how she became a cyber security advisor after obtaining a master’s degree in Business Administration. Read the interview to find out how she found her way into this challenging job in this growing domain and what her work actually entails.

Advisor Cybersecurity, what does that mean? 

 

The essence of my job is to help organisations improve and strengthen their cyber security function. At the EY Cybersecurity team, which I joined in September 2017, we help our clients gain insight into their cyber security programme and strategy. We can help them to build an active defense system along with clear response procedures aimed at minimizing breach impacts.  

 

In addition, I focus specifically on cyber risk management. Within this topic, we help companies tackle the many cyber security challenges they face on a daily basis. For example, by simulating a ransomware attack or a data leakage incident, we were able to test an organisation’s incident response processes and, based on our observations during the exercise, were able to help them to improve those processes. At first, organisations can be somewhat skeptical to engage in such a simulation, but afterwards they are often surprised about the many factors they hadn’t considered yet and feel like they really should take action to be prepared for a cyber incident.  

 

We develop effective solutions using people, processes and technology, while enabling better security and risk decisions. This combination of three factors (people, process, technology) perfectly suits my study background in psychology and digital business. Ultimately, my goal is to apply my knowledge and experience to a variety of organisations, both in the private and public sector, to be able to significantly contribute to a more cybersecure society.  

 


 

 Why did you pursue this career? 

 

After completing my bachelor’s degree in Social Psychology, I switched to the Master Business Administration in which I chose the Digital Business track. During this master, I orientated myself within the working field of Business Administration and found out that actually cyber security is really interesting to me. However, given my study background, I wasn’t aware of my possibilities within this field. During an inhouse day at EY, I actually found out that I was eligible to apply for my current job. From that moment onwards, I became very excited about the cyber security domain. I would like to encourage other students (especially women!) to consider working in cyber security too. The job opportunities could and should be made more visible.  

 

How did finding a job after your study go, and do you have any tips for up-and-coming talent? 

 

I would give other students the advice to get in touch with as many companies as possible in the final phase of their studies, for example at events such as Career Days. You get the possibility to meet relevant contacts and to become familiar with the atmosphere within that particular company, which in my opinion is also very important. To qualify for, and actually land a job, I think it is important that you are able to express your motivation very well. Why do you want to work at this company, and what distinguishes you from others? Try to emphasize your own strengths in a concrete way. Give examples of skills you have gained as a result of the activities you have done that can be useful for that particular job. I did not have any work experience or activities that at first sight seemed relevant to cyber security on my resume. What I could elaborate on, for example, were certain capabilities that I developed during the membership of the board of a student association or the TEDx committee that I joined. It is important that you are aware of your potential. I think that future security talents have to be diverse, with a broad range of knowledge and competences.  

 


 

What has been a highlight in your current work, what motivates and excites you in your work?  


I have been working for EY for about a year now, and what I really like about my job is that you get the opportunity to meet a lot of new people and learn about a broad range of issue areas very quickly. I get to watch experienced colleagues, and there are a lot of possibilities to follow relevant trainings to expand your technical skills, for instance. In addition, working in a company like EY enables you to work in cross-competence teams. That way, I am also able to learn from different fields of expertise. A couple of weeks ago, I passed my CIPP/E (Certified Information Privacy Professional/Europe), which involves understanding the current data privacy law and regulation. I feel like I am really involved in the issues and topics that are relevant at this moment in time, like the introduction of the GDPR. You are not only technically involved with companies, but also contribute to the society more broadly. This societal impact of our efforts is a part of the job that really satisfies me.  

 


 

How will your industry or job in particular change over the next few years?  

 

Nowadays, you sometimes still see a separation between the technical side and the business side of cyber security. The two sides can have different interests which can conflict, for example when an application still contains certain vulnerabilities, but the board wants to launch it anyway. Although there has been a lot of improvement during the last couple of years, I hope that cyber security will get even more priority on the agenda of organisations’ boards.

 

Could you elaborate on what security challenges need to be tackled and how that translates into your work?  

 

Sometimes it can take days or months before a breach or compromise gets noticed. The methods of threat actors are getting more and more advanced. While the focus previously was more on the prevent side, it is shifting more towards detect and respond. For most companies, fire drills are part of the usual practice. However, there are a lot fewer organisations that have procedures documented or in place for when a cyber incident occurs. I think a lot can be gained when companies consider the primary cyber threats that are relevant to them (define their threat landscape), and develop appropriate incident response procedures. For example, what should all the different organisational departments do when the organisation is the target of a ransomware attack? When dealing with cyber incidents in the right manner, for example informing the right authorities regarding legal issues or clearly communicating the issue to the public or customers, the negative impact of an incident can be minimized.

 


 

What does your average, but interesting, working day look like? And what is the work setting?

 

No day is the same, which I like about the job. One day can be filled with interviews and client visits, the other day with working at the office with colleagues. The atmosphere is very pleasant and open. We work in multidisciplinary teams using the latest technology and innovation is stimulated. Everyone is really motivated to make sure we come up with the best cyber security solutions.

 


 

Security Talent 2018-08-10 Laura Sumajow Advisor Cybersecurity at EY EY

Bachelor Social Psychology, University of Amsterdam 
Master Business Administration (Digital Business), University of Amsterdam  

HSD-EY-WEB-3.jpg HSD-EY-WEB-9.jpg
23 Since I was a teenager I have been fascinated by technology and its impact, today I can form a bridge between the ‘tech-savvy’ and people in non-technical positions. since-i-was-a-teenager-i-have-been-fascinated-by-technology-and-its-impact-today-i-can-form-a-bridge-between-the-tech-savvy-and-people-in-non-technical-positions Life-long learning and climbing the education ánd professional ranks is the name of the game for Joeri. We were curious to find out which educational pathway and what attitude has gotten him to his current position. So we sat down and asked him about his perspective.

Governance, Risk & Compliance Consultant, what does that mean?

 

Broadly speaking, I work at Strict to help diverse organisations with the implementation of security and privacy policies that makes them compliant. These implementations need to be continuously updated and improved so that they can be smoothly incorporated in the company business processes. The entire undertaking, from legislation to governing company business processes, is based around a risk analysis method designed by Strict. With the result, we can implement detective, corrective and preventive security measures. The end goal of this task is to maintain the integrity of the information and safeguard the information supply. 

 

 

What kind of projects are you involved with? 

 

I’m mostly involved with consultancy projects at Strict. This means that I work based on secondment where companies hire me for a particular issue they face. For instance, one time I may act as a risk analyst and the other time I take on the role as privacy officer. What we see is that many companies have to deal with fundamental changes that directly affect their core businesses. Think about the General Data Protection Regulation from last year or the continuous development of Artificial Intelligence. Usually, this means I have to conduct an intensive risk analysis where I try to find the correct balance of availability, integrity, and confidentiality of information security. Finding this balance took some time for me to grow into because applied practice in university was severely lacking.

 

Sometimes I work independently and visit clients by myself and other days I work together with a senior consultant. Small projects may last for five or six days, while the bigger project may take up to several months, so there is a big difference between what kind of project we’re doing. Strict works mostly with large enterprise organisations: think about companies like Schiphol, NS, ProRail, Erasmus MC. But Strict also works together with governmental institutions; currently I’m doing a project at a province... In theory, Strict has two divisions: Strict Academy and Strict Consultancy but the difference is barely noticeable. I like working in the public domain because there it seems like I make more of a difference for society.

 


 

Can you elaborate a bit on your education pathway to your current function?

 

Sure! My motivation for pursuing this career started quite early. Ever since I was a teenager I have been fascinated by technology and its impact. I was one of the first to get a degree in ICT/Electronica during my time in high school. Right after this, I decided to study ICT Management on a vocational level and I learned a lot of practical, hands-on skills during my time there. But the program was simply not challenging enough so I pulled two of my classmates with me and basically said: “Come on, let’s just go for the fast track program”. So, we did, and in the last year I completed an internship at Strict Consultancy, which was back in 2010. Here I found out that I really enjoy the combination of business with IT, so I decided to do the bachelor Business, IT & Management at a University of Applied Sciences in Amsterdam. This proved to be relatively effortless which gave me enough spirit to try my luck at a Research University. My interest in privacy was stimulated during this time because of how relevant it was back then. Information security is basically where I can apply my IT background and skills to confront privacy and security issues hands-on.

 

During my education pathway, I never quite had the feeling that the content became more difficult to understand but rather that each topic was explored more in-depth. Because of this diversity in scope and because I’ve experienced various levels of education, I now notice that I can form a bridge between the ‘tech-savvy’ and people in non-technical positions. 

I also noticed that it matters a lot in what kind of environment you’re studying: if people are not motivated to learn it can have a major impact on your progress. I think that the education institutions themselves should take a leading role in providing for the right environment. 

 

During my studies, I really enjoyed it when professionals from the work field (in hybrid capacity) would come in and explain the importance of the theory and how to apply it in the work field. This makes it less abstract and motivates students a lot more. But I see that companies are less inclined to teach at universities because they’re not sufficiently supported. For instance, Strict really wants to contribute but the issue is that a lot of companies don’t exactly know how or where to do this. There should be an organisation that provides more insights and assists companies. 

 

Can you name a milestone in your career?

 

Yes, two actually. I had already dedicated a fair share of my time to learning about GDPR and e-privacy but still put a lot of energy into getting the CIPP/E (Certified Information Privacy Professional/Europe) because it teaches you so much about the implementation in organisations.

 

But there is another really enjoyable moment for me: since I was young, I have wondered about how to define a risk and what a risk actually entails. And it was only during the risk training courses with Strict that I found the answers I’ve been looking for in the past decade. It is even better that I can actually apply this method and help organisations by analysing the risks they have. Applying this method is not even limited to information security because it gives me a framework that I can apply to risks outside the information security scope. 


 

How will your industry or job in particular change over the next few years? How do you keep up? 

 

For me, it seems like society is in a new transitional era, akin to the advent of computers a few decades ago. Similarly to back then, it seems like we’re growing and still maturing, but now in the cybersecurity domain. Although most events still occur in the background, I do see that the level of (cyber risk) awareness is rising gradually among people. Think about the debates surrounding identity theft, or the alleged hacking of the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague this year.

But there are also a lot of ethical questions that come with new technology like Robotization. I believe that in the (near) future we will make big steps in answering questions of ethics, but I also see society becoming much more aware of cyber risks. For instance, small-scale attacks on each other will become much more visible. 

 

I’m aware of the fact that there can be a mismatch between being aware and acting accordingly to a risk. Sometimes these just don’t align. However, I’ve also experienced positive examples. As part of AlertOnline month (each year in October) I have sent out a couple of phishing emails to employees and I was glad to see that they rang the “alarm bells”, so to speak, instead of falling for the trap. Because of the growing awareness, I notice that even organisations are starting to restructure their policy to avoid economic damage and ethical issues. In the end, the organisation with the strongest safety culture also has the fewest cyberattacks.

 


 

How did finding a job after your study go?

 

After I graduated, I knew for sure that I wanted to work in this field (IT), so I started looking for organisations that would hire a recent graduate: on LinkedIn, job fairs, you name it. But mostly I just rang up businesses to see if they were hiring. It was very helpful that I had already done some internships because it strengthened my convictions in which type of work field I wanted to be employed. Eventually I found the traineeship at Strict and that’s where I’m at now. 

 

The traineeship offers three types of directions: ethical hacking, privacy, and security consulting. My work basically falls in between the last two. Part of the traineeship at Strict Academy is a personal development program where we look at our personal perspectives. For instance, we talk about what drives us but also about challenges that might still stand in the way of what we hope to achieve. In group sessions we can share personal things with each other and provide feedback about one’s personal development without judgement. When I look at the future of the business, I believe that the combination of hard and soft skills, professional and personal development, prove to be really useful. 

 

 

Do you have any tips for up-and-coming talent?

 

Yes, for sure! I would say, try to find out as soon as possible what your passion is. What gives you energy and satisfaction? And then, act accordingly. I was early on really passionate about technology and IT, so I attended lectures, read blogs, and followed the news. Because of this, I was aware of the developments in IT which made me feel really connected to that field. 

 

And try to get in touch with organisations to gain more work experience. Don’t be scared to connect with organisations head-on! The easiest way to reach them is to just ring them up or send them an email. Aside from being able to exchange work experience, I believe that a community with young professionals can really lower the threshold of connecting with the right people in an organisation.

 

But in the end, it is your own responsibility to find your passion and to continue learning, even after your formal education career has ended. Opportunities are there for you to take. But opportunities can also be created.

Security Talent 2018-12-13 Joeri Donker Governance, Risk & Compliance Consultant Strict

MBO ICT Management

BSc Business, IT & Management, Amsterdam University of Applied Sciences 

BSc Information, Multimedia & Management, VU Amsterdam 

MSc Information Science, VU Amsterdam 

HSD-Joeri-Donker-WEB-7.jpg HSD-Joeri-Donker-WEB-5.jpg
33 Nobody asks a psychologist to build a firewall, but often IT personnel is expected to adequately mitigate the security risks caused by human behaviour. inge-secura Inge Wetzer has become a recognizable face on stage at the ONE Conference in the Hague over the years. When she’s not on stage to discuss the importance of behavioural change in the field of cybersecurity, Inge works at Secura as a Social psychologist cyber security & compliance. We sat down with Inge right in the middle of the Covid-19 lockdowns to discuss her journey from academics to cyber security.

Social psychologist cyber security and compliance, what does that mean?

 

In my role as a social psychologist, I focus on the psychology of cyber security. The conversation in the field of cyber security mostly revolves around the technical parts, but people and their behaviour are often a starting point for hackers to gain access. I focus on how to make people resilient against cyber threats and attacks. Psychology is the science of behaviour, so my expertise helps to build the bridge between cyber security awareness (knowing what you should do) and actual cyber secure behaviour.

 

What kind of projects are you involved in?

 

The main part of my work involves behavioural change projects on information security. I help organisations in making sure that their employees behave safely with regard to information security.  How this is done varies per customer. Because our program is based on psychology, we pay careful attention to the barrier analysis; what is currently withholding employees from the desired behaviour? Based on these identified barriers, tailored interventions are defined. Sometimes, this intervention consists of instructing people by means of trainings. But more frequently, people do know what is expected from them, but different reasons are withholding them from acting accordingly. For example, when people are not motivated, just providing more instructions will not change their behaviour. Instead, in these cases we change people’s motivation, for example by introducing a competitive element, ambassadorship or by showing the consequences of unsafe behaviour by means of a simulated attack. My job is to analyse the barriers and to define the best possible intervention to change people’s behaviour.

 


 

 

Why did you pursue this career?

 

Being interested in people is something that is in my genes. After getting a PhD in social psychology I started working for TNO in the field of Defence and Security. I have always been interested in exploring the human side of security.

What is especially unique about cyber security is that the combination with psychology is very new. Previously, the task of getting employees to understand cybersecurity measures and behave accordingly was considered a CISO’s responsibility. However, people, and their behaviour, are complex and an area of expertise on their own!  At Secura we are one of the first to combine the expertise of cybersecurity with that of psychology. I really enjoy applying my scientific knowledge by making behavioural change programs that really make a difference for organisations. 

 

 


 

 

Can you name a milestone in your career?

 

Getting my PhD was a big milestone for me personally. More specifically in my job; the first time implementing a program for a customer and proving that psychological interventions beyond just ‘sending’ knowledge really change behaviour. I also had the honour to be on stage at the ONE Conference a couple of times, the recognition of psychology on such a big cyber platform is a true milestone.

 

How will your industry or job change over the next few years?

 

The market is already shifting and starting to understand the importance of psychology in cybersecurity. Combining it effectively is still a challenge for most organisations.

Ten years ago, phishing emails and other kinds of cyber threats were simpler and easier to recognize. Training people on this was effective enough. Nowadays attacks have become sophisticated, warranting a different response. That goes beyond the solution of just offering training or e-learning to increase awareness. Awareness programs are still built on the assumption that if everyone knows what they should do, they will behave accordingly. What we have seen is that having knowledge does not necessarily impact behaviour anymore.

 

Nobody asks a psychologist to build a firewall, but often IT personnel is expected to adequately mitigate the security risks caused by human behaviour. 

 


 

 

Understanding people and addressing them in the right way requires the input of people specialists; psychologists. A program that offers behavioural change has a lasting effect. That starts with understanding the expected behaviour, analysing which barriers are preventing the expected behaviour and determining which intervention can take this barrier away. 

In short, my profession is becoming more important, but not as a standalone specialism. Changing people to behave more securely is also not the job of psychologists only. The combination of all relevant areas of expertise is what makes an organisation cyber resilient. For example: in case people don’t use strong passwords within an organisation, this can be caused by lack of understanding how to create strong passwords or the fact that people are technically not forced to use a strong password, or the combination of both. In most cases it is the combination. The best solution is then also a combination: of psychology and IT.

    

Do you have any tips for up-and-coming talent?

 

It is always a challenge to give broad advice because there are so many paths to take. This sounds cliché, but do what interests you. For me it was the security domain and how people’s behaviour works and I have managed to combine the two. So, do what you love and love what you do! Specializing your skill into a specific domain like security makes your job even more valuable. 

 


Security Talent 2021-10-22 Inge Wetzer Social psychologist cybersecurity & compliance Bureau Veritas Cybersecurity

PhD Social Psychology

Cyber Security Consultant, Safety & Security Expert Advisor Inge-Secura-WEB-7.jpg Inge-Secura-WEB-1.jpg