MBO ICT Management
BSc Business, IT & Management, Amsterdam University of Applied Sciences
BSc Information, Multimedia & Management, VU Amsterdam
MSc Information Science, VU Amsterdam
Governance, Risk & Compliance Consultant, what does that mean?
Broadly speaking, I work at Strict to help diverse organisations with the implementation of security and privacy policies that makes them compliant. These implementations need to be continuously updated and improved so that they can be smoothly incorporated in the company business processes. The entire undertaking, from legislation to governing company business processes, is based around a risk analysis method designed by Strict. With the result, we can implement detective, corrective and preventive security measures. The end goal of this task is to maintain the integrity of the information and safeguard the information supply.
What kind of projects are you involved with?
I’m mostly involved with consultancy projects at Strict. This means that I work based on secondment where companies hire me for a particular issue they face. For instance, one time I may act as a risk analyst and the other time I take on the role as privacy officer. What we see is that many companies have to deal with fundamental changes that directly affect their core businesses. Think about the General Data and Protection Regulation from last year or the continuous development of Artificial Intelligence. Usually, this means I have to conduct an intensive risk analysis where I try to find the correct balance of availability, integrity, and confidentiality of information security. Finding this balance took some time for me to grow into because applied practice in university was severely lacking.
Sometimes I work independently and visit clients by myself and other days I work together with a senior consultant. Small projects may last for five or six days, while the bigger project may take up to several months, so there is a big difference between what kind of project we’re doing. Strict works mostly with large enterprise organisations: think about companies like Schiphol, NS, ProRail, Erasmus MC. But Strict also works together with governmental institutions; currently I’m doing a project at a province... In theory, Strict has two divisions: Strict Academy and Strict Consultancy but the difference is barely noticeable. I like working in the public domain because there it seems like I make more of a difference for society.
Can you elaborate a bit on your education pathway to your current function?
Sure! My motivation for pursuing this career started quite early. Ever since I was a teenager I have been fascinated by technology and its impact. I was one of the first to get a degree in ICT/ Electronica during my time in high school. Right after this, I decided to study ICT Management on a vocational level and I learned a lot of practical, hands-on skills during my time there. But the program was simply not challenging enough so I pulled two of my class mates with me and basically said: “Come one, let’s just go for the fast track program”. So, we did, and in the last year I completed an internship at Strict Consultancy, which was back in 2010. Here I found out that I really enjoy the combination of business with IT, so I decided to do the bachelor Business, IT & Management at a University of Applied Sciences in Amsterdam. This proved to be relatively effortless which gave me enough spirit to try my luck at a Research University. My interest in privacy was stimulated during this time because of how relevant it was back then. Information security is basically where I can apply my IT background and skills to confront privacy and security issues hands-on.
During my education pathway, I never quite had the feeling that the content became more difficult to understand but rather that each topic was explored more in-depth. Because of this diversity in scope and because I’ve experienced various levels of education, I now notice that I can form a bridge between the ‘tech-savvy’ and people in non-technical positions.
I also noticed that it matters a lot in what kind of environment you’re studying: if people are not motivated to learn it can have a major impact on your progress. I think that the education institutions themselves should take a leading role in providing for the right environment.
During my studies, I really enjoyed it when professionals from the work field (in hybrid capacity) would come in and explain the importance of the theory and how to apply it in the work field. This makes it less abstract and motivates students a lot more. But I see that companies are less inclined to teach at universities because they’re not sufficiently supported. For instance, Strict really wants to contribute but the issue is that a lot of companies don’t exactly know how or where to do this. There should be an organisation that provides more insights and assists companies.
Can you name a milestone in your career?
Yes, two actually. I had already dedicated a fair share of my time to learning about GDPR and e-privacy but still put a lot of energy into getting the CIPP/E (Certificate Information Privacy Professional Europe) because it teaches you so much about the implementation in organisations.
But there is another really enjoyable moment for me: since I was young, I have wondered about how to define a risk and what a risk actually entails. And it was only during the risk training courses with Strict that I found the answers I’ve been looking for in the past decade. It is even better that I can actually apply this method and help organisations by analysing the risks they have. Applying this method is not even limited to information security because it gives me a framework that I can apply to risks outside the information security scope.
How will your industry or job in particular change over the next few years? How do you keep up?
For me, it seems like society is in a new transitional era, liking to the advent of computers a few decades ago. Similarly, to back then, it seems like we’re growing and still maturing. But now in the cybersecurity domain. Although most events still occur in the background, I do see that the level of (cyber risk) awareness is raising gradually among people. Think about the debates surrounding identity theft, or the alleged hacking of the Organisation for Prohibition of Chemical Weapons (OPCW) in The Hague this year.
But there are also a lot of ethical questions that come with new technology like Robotization. I believe that in the (near) future we will make big steps in answering questions of ethics, but I also see society becoming much more aware of cyber risks. For instance, small-scale attacks on each other will become much more visible.
I’m aware of the fact that there can be a mismatch between being aware and acting accordingly to a risk. Sometimes these just don’t align. However, I’ve also experienced positive examples. As part of AlertOnline month (each year in October) I have sent out a couple of phishing emails to employees and I was glad to see that they rang the ‘’alarm bells”, so to speak, instead of falling for the trap. Because of the growing awareness, I notice that even organisations are starting to restructure their policy to avoid economic damage and ethical issues. In the end, the organisation with the strongest safety culture has also the least cyberattacks.
How did finding a job after your study go?
After I graduated, I knew for sure that I wanted to work in this field (IT), so I started looking for organisations that would hire a recent graduate: on LinkedIn, job fairs, you name it. But mostly I just rang up businesses to see if they were hiring. It was very helpful that I had already done some internships because it strengthened my convictions in which type of work field I wanted to be employed. Eventually I found the traineeship at Strict and that’s where I’m at now.
The traineeship offers three types of directions: ethical hacking, privacy, and security consulting. My work basically falls in between the last two. Part of the traineeship at Strict Academy is a personal development program where we look at our personal perspectives. For instance, we talk about what drives us but also about challenges that might still stand in the way of what we hope to achieve. In group sessions we can share personal things with each other and provide feedback about one’s personal development without judgement. When I look at the future of the business, I believe that the combination of hard and soft skills, professional and personal development, prove to be really useful.
Do you have any tips for up-and-coming talent?
Yes, for sure! I would say, try to find out as soon as possible what your passion is. What gives you energy and satisfaction? And then, act accordingly. I was early on really passionate about technology and IT, so I attended lectures, read blogs, and followed the news. Because of this, I was aware of the developments in IT which made me feel really connected to that field.
And try to get in touch with organisations to gain more work experience. Don’t be scared to connect with organisations heads-on! Easiest way to reach them is to just ring them up or send them an email. Aside from being able to exchange work experience, I believe that a community with young professionals can really lower the threshold of connecting with the right people in an organisation.
But in the end, it is your own responsibility to find your passion and to continue learning, even after your formal education career has ended. Opportunities are there for you to take. But opportunities can also be created.