“Education needs to return to shop opening hours. That would narrow the attack window for hackers.”

You were actually five years too young, but you were still hired as a tour guide in the United States at barely 19.

“That was because of my language skills: Dutch, English, French, German and Italian. I was ready to head out into the wider world, because secondary school was awful for a girl with ADHD and autism. I was expelled from school twice.

But even before taking your doctoral exam, you had already found a completely different job.

“That was with the Binnenlandse Veiligheidsdienst, the domestic security service and predecessor of the AIVD. At the time, it had placed a recruitment advert for the first time. I did all sorts of things there, including setting up an infrastructure and a way of working to gather intelligence via the internet. For the BVD, that was uncharted territory, and that has always appealed to me.

It was a completely different environment from working as a tour guide in the US. There were only around 560 people at the service at the time. And because of the confidentiality involved, I had little contact with the outside world. So you ended up playing hockey with colleagues. After 10 years, I was ready for something different, partly because I had become a mother by then. I was given the opportunity to represent the Netherlands’ security interests at the embassy in Paris, and I seized it with both hands.”

You encountered a lot of resistance there, I believe?

“Yes! The Netherlands was seen as a narco-state because we taxed cannabis sales. As a result, French police officers didn’t trust us. After a while, I discovered that the Prefect of the Paris Police was at the heart of the resistance. So I simply started trying to approach him. At first he kept me at arm’s length, but after a year we both attended the graduation ceremony of the police academy. We spotted each other from a distance. He came over to me, wagging his finger, and said in his nasal voice: ‘Ah, madame le narco-État!’

We got talking, and after that the relationship gradually improved. I organised working visits to the Netherlands and exchanges between colleagues, and from there we were also able to start working on terrorism, domestic violence, armed robberies and other issues. Years later, the French even made me a knight.”

You continued to work in security.

“After my posting in Paris, I spent several years at the top of the national police services. I then moved into the private sector, joining Deloitte, where I became part of the cybersecurity team. But what I enjoyed most was what came next: becoming CEO of Fox-IT. As an autistic person, I felt completely at home there among the nerds. We understood each other instinctively.

In my view, cybersecurity can’t do without autistic people. They spot anomalies immediately and put the facts on the table, whereas others often don’t dare to because of herd behaviour. Alongside these roles, I also sit on advisory boards for various organisations where security plays a part. As a result, I have come to understand the subject from every possible angle. And I now bring that experience to my work as an independent adviser.”

What does security mean to you?

“I didn’t feel safe as a child. That made me an expert in insecurity. I can sense it from a distance, and then I look at how I can create safety. I’ve become good at that, and it’s something I’ll be working on for the rest of my life.”

What are the biggest threats facing the SURF community?

“I see two, and both are being massively accelerated by AI. The first is hacking. Anthropic has just released Mythos. It allows vulnerabilities in systems to be found and exploited much, much faster. This kind of technology is now maturing and will inevitably seep through to the other side.

That is why I expect a huge wave of cybercrime to come crashing over us within the next 6 to 9 months. Automated hacking is becoming a truly enormous risk. We are absolutely not equipped to withstand it. That applies especially to organisations with large, ageing IT systems — in other words, the entire education sector.”

What can we do to reduce the risk?

“The first answer to automated hacking is automated patching. The moment a new update is released, it has to be installed immediately. There mustn’t be even ten minutes’ delay.

The second is strict segmentation. If a hacker gets into one of your systems, they must not be able to move any further. So you need to put up as many dividing walls as possible.

And that also means switching off things you’re not using. That is becoming very important now. We’re all used to everything being accessible all the time, but we really have to move away from that. Education needs to return to shop opening hours. That would narrow the attack window for hackers.”

What is the second threat?

“That is disinformation. Spread by criminals or by other bad actors. They may come from Russia, but also from the US. Make sure you can provide students with reliable information if your systems go down. Even if it’s just via a noticeboard in the entrance hall of the lecture building.”

Does cybersecurity actually exist?

“Many people see it as a technical problem, but at its core it is about dealing with risk. As human beings, we need to be aware of our existential vulnerability. If you know that a Chinese or an American actor may be watching, you have to make a conscious choice about whether or not to accept that. It is not a matter of rules, because rules are merely a check after the fact.

I still see many organisations where people do not really understand why it matters whether they do or do not do something. In fact, they do not realise why their work matters at all. That conversation needs to happen much more often, because that is when people start thinking for themselves about working securely. And they avoid unnecessary risks. That is the human layer of cybersecurity.”

Then there is the organisational layer. Are people in the right roles, are they not overworked, do they feel able to report problems? And as a final layer, organisations that are safe and healthy can also help make society safe.

SURF is the textbook example of this, because it is a collective. After all, the strength of our society lies in social cohesion and cooperation. We Dutch are better at that than anyone. SURF has shown that, as a collective, you can achieve scale in security solutions. And then, as a woman, I’m allowed to say: size matters! Because the wider you cast the net of your security monitoring, the faster you can share insights and threats with the entire community. SURF does that fantastically, especially through its European cooperation. That is how every sector should work.”