"What you don't have, can't be stolen"

On 25 and 26 June, Rotterdam's Zadkine will welcome visitors to the SURF Security & Privacy Conference. A great occasion, in the run-up to this annual event, to take a look at some current topics around cyber security in the mbo. We put five pressing questions to Richard de Koning (manager Information Security and Privacy Zadkine) and Martijn Bijleveld (programme manager Cyberveiligheid MBO Digitaal).

30 April 2025

1. What are currently the most important security topics within the mbo?

Richard de Koning staat voor een vliegtuig van Zadkine — Richard de Koning

Richard de Koning has been working at Rotterdam-based Zadkine for over 15 years. First as ICT Project Manager, but now as Manager Information Security and Privacy. Before this, he worked, also as a project leader, at the Ministry of Justice and Security.

Richard: "From my role at Zadkine, it's mainly about risk awareness. We work with a lot of sensitive information about students and employees. When you look at threats around that information, we quickly think of hackers. Yet the danger lies precisely in the behaviour of one's own colleagues. Leaving the laptop open when absent, assigning too many or the wrong rights, exporting lists with sensitive information; these are all examples of major risks from within the organisation itself. You can have the technical security in order on paper, but if you yourself leave the 'door' open or do not manage safe behaviour, things will continue to go wrong."

Martijn Bijleveld is cyber security programme manager at MBO Digitaal and information security and privacy advisor at the MBO Council. In 2024, Martijn won the SURF Security & Privacy Award for his extraordinary commitment to the Cyber Security MBO programme.

Martijn: "What we at MBO Digital are additionally concerned about is the technical resilience of MBO institutions. The working visits we organise from the programme show that the smaller schools in particular have a complicated task, because they have to meet the same requirements as the larger institutions. How do you solve that when manpower and the budgets for hiring are lacking? So we need to think of ways in which we can help those smaller institutions. For instance, we set up the CISO-as-a-Service programme: a full-time CISO who supports the institutions in preparing for security audits, supplemented by two young professionals who can work at the institution for one to two days a week at a reasonable rate. Another example of getting a better grip on that technical resilience is the procurement of more than 100 pen tests for the mbo schools. Each institution will be offered two free pen tests and supported in formulating a meaningful brief and scope of the test."

2. Suppose money or other limiting factors were not a factor, which problem do you tackle first?

Richard: "Data management. The amount of data we collect and often keep for too long is unimaginably large and diverse. I often call it the 'unlimited junk loft'. It's very difficult to keep that in check if you don't compulsorily regulate and clean up. Yes, there is technology that analyses, labels and protects data, such as Microsoft Purview. That is not where the problem lies, because the technology and licences to use it are often already there. Then you need digital archivists or librarians to actively deploy it. You cannot leave this kind of work to ICT teams or end-users alone."

Martijn: "I mainly come down to risk management. No matter how much money you have, you will always have to use budgets in a well-considered way. That's why you need to identify threats and look at where organisations are most at risk. Many institutions find it a complicated issue and don't tackle it until everything else is in order. I think you have to turn it around. Start with risk management as the basis for your investments in security measures. When it comes to risk management, we sometimes hear many small institutions sigh: 'How do we get it all sorted out?' The trick then is precisely not to do everything and to focus your scarce resources on those areas where you run the highest risks."

"I also recognise Richard's answer. It is good to be keen on data management. I recently wrote a blog about the huge mountain of data we unconsciously sit on. And about the risk this poses. It is not a question of if you get hacked, but when. So you need to clean up, because what you don't have, can't be stolen. Recently it was digital cleanup day, the annual digital spring cleanup. We turned that into the 'digital cleanup mbo', including a digital cleanup toolbox. A nice, playful way to raise awareness and get to work concretely on this tough subject."

3. Are cross-sector partnerships or solutions needed?

Richard: "Zadkine is a large mbo institution. We cover a broad playing field of disciplines; from hospitality to administration. That results in a huge variety of software, with a tricky dynamic of vulnerabilities. You can't plug all the holes. And keeping up with all the threats is a huge job. We are well assisted in this via various cross-sector initiatives . Also by SURF, incidentally. You monitor threat images and share them via reports."

Martijn: "The mbo schools have signed a covenant in the field of cyber security, in which they have agreed to cooperate extensively. This allows us to make more impact because we no longer need to raise commitment for each activity separately. Consultations also take place at the umbrella level, between the MBO Council, Association of Universities of Applied Sciences, Universities of the Netherlands, SURF and OCW. There we discuss the common approach on themes."

Zadkine student met bonbons — "Zadkine is a large mbo institution. We cover a wide playing field of disciplines; from hospitality to administration"

4. What role do public values play in your field?

Richard: "One of the big risks concerns the use of so-called shadow IT: the fact that students and staff use their own ICT solutions without the official ICT department knowing about it. If students and staff install their own tools and apps, the question is what happens to that data. Without security, you have no privacy, and vice versa. The number of AI applications and programmes is growing phenomenally. With that comes new legislation, the AI Act. In addition, you will have to make sure your employees are AI-literate. That won't be achieved by banning or ring-fencing it."

Martijn: "I agree with Richard that AI deserves a lot of attention. It is also entering schools fairly unnoticed now, as existing applications are equipped with smart new features. The ethical and legal side of AI is therefore very important. We organise information sessions from MBO Digital on the AI Act and the requirements of this new regulation. In doing so, we help schools determine which assessments they can - and sometimes must - carry out before commissioning such applications."

5. Do innovations around, for example, AI or Quantum technology represent an opportunity or a threat?

Richard: "Both. We need AI technology to secure our systems. We use a learning system that looks at behaviour on the network. If something happens that is not normal, you can immediately take action without an administrator, who is not available 24/7, having to take action manually. This technology certainly helps us. But of course, we know the 'dark side' too. Many encryption techniques are not quantum-proof. If data is intercepted by malicious people to be later cracked via quantum technology, then there is a big problem."

Martijn: "I don't completely oversee our quantum future, but I have images of it. It's going to make a huge impact on research and on the security of our data. That is quite exciting, especially because the first quantum computers will not run in the Netherlands. If, as Richard points out, criminals or certain state actors will soon hold the key to our data, this is terrifying. Therefore, from a defensive perspective, we cannot be left behind in this digital arms race. So as far as I am concerned, it is important that we prepare ourselves well for the quantum future to avoid having our turn soon."

Text: Edwin Ammerlaan

Join us at the SURF Security & Privacy Conference

At the SURF Security & Privacy Conference you will hear all about current security and privacy topics in education and research. The focus is on technical, policy and legal aspects. In addition, each year the SURF Security & Privacy Award is presented as a token of appreciation for contributing to keeping or making our sector safe, open, accessible, privacy-friendly and reliable. Curious about who will win the award this year? Come to Zadkine mbo in Rotterdam on 25 and 26 June.

On top of practice at Zadkine

For the first time, we are organising the Security & Privacy Conference together with an mbo this year. What makes it extra special is that students from different courses are coming to help and thus gain practical experience. Students from the banquet & cookery course will take care of the catering and security will be provided by students training to be security officers. Construction, dismantling and cloakroom? Hospitality College students do that. Walking around at Zadkine is unique: there is a hairdressing academy, wine & food halls, and aspiring stewardesses practice in a real plane. So at this year's Security & Privacy Conference, you'll be on top of the practice!