So between one of his last board meetings this year and preparing for the year-end speech, I interview Arwi van der Sluijs (NFIR’s general manager) to look back on the past year. Or as he himself calls it a “sort of gap year” from previous years. Nonetheless, it is a year in which NFIR has grown in number of employees and in terms of its services. I also look to the future with Arwi. A future in which cyber threats persist and in which practicing and testing information security processes becomes increasingly important, Arwi said. But before I do that, I will first look back to the special year 2022.
December 22, 2022
What was 2022 like for a year for NFIR?
Arwi does not have to think long about this answer. He has reflected on this several times throughout the year and thus resolutely states that 2022 was something of an interim year. ‘We have years behind of extreme growth in which sales kept doubling. Early in 2022, the tide turned. The war in Ukraine broke out and the immediate effect was that we really had significantly fewer incidents. This translated into lower sales with an organization that was ready. That took some getting used to. The year 2022 is thus a clear break in the trend. Not just for us, but for the entire cybersecurity industry.
This is unexpectedly a bummer. Does this medal also have a positive flip side?
That every medal has two sides, Arwi can happily agree. Indeed, for now, he can look back with great pride on a great year for NFIR. He explains this as follows: “When things are a little quieter in a certain area, you also have time to think about your structure, your organization. Then at the end of the year I also just have to note that we have remodeled the company. A management layer has come in between, the organization is growing substantially in number of employees and a lot of processes have been improved. I may conclude that in that sense there is growth that allows us to face the future and grow to 150 people.
Cite 2022 as an interim year, but the threat of a security incident remains for every organization. Can organizations actually prepare for a security incident?
‘Yes,’ Arwi replied firmly. ‘I think it’s a big flaw that that’s not happening right now. I like to compare it to what people from the safety region do or the fire department. These check companies for fire safety and they require you to do evacuation drills. So apparently it helps if you practice. The same goes for cyber incidents. That doesn’t mean you have to occasionally throw everything down or deliberately shut down a system. Step 1 is to make a plan, step 2 is to test the plans against a scenario. What do you do if you suddenly can’t mail or have ports open unwanted? My wish is always that we start to think it’s normal to test information security. That it is the most ordinary thing in the world. Because if things do go wrong once -and that cannot be ruled out- you will be optimally prepared.
You indicate that the organization has grown in the past year and that growth will continue in the coming years. Is the growth also reflected in the range of services offered by NFIR?
An Incident Response Retainer does not immediately capture the imagination. Can you briefly explain what the service entails?
Arwi certainly wants that. ‘Think of it as an insurance premium where companies pay an amount and then we guarantee that there is capacity the moment they are dealing with an incident and want to call in our CERT. So that’s a very clear development. We see that a certain need is growing and are happy to answer it with our services.
Also, have there been any developments within monitoring networks in 2022?
‘Yes, within the existing incident response and pen testing services, you see more and more requests to test Operational Engineering (hereafter OT) in addition to infrastructure.’ Arwi explains what is meant by OT testing. ‘This is about how vulnerable operational processes are. Whether that’s a crane in the port of Rotterdam or a weighing unit within a food packaging manufacturer. You can’t think of anything that crazy. OT has been a part of society for a very long time, and they increasingly want it tested. After all, these environments are increasingly connected to the Internet and that automatically brings risks. A sensible CISO then says “I want my OT tested, can you pen test that?” Yes, we can.
So an increase in Operational Engineering testing, can you give some practical examples of that?
A satisfied look appears on Arwi’s face. He continues his story. ‘I’m proud that after a year we can say we’ve tested wind farms, port facilities, canning plants. That’s just cool. Customers are increasingly asking us questions such as ”I initially thought of cybersecurity as securing my workplace, but can you also monitor my OT environment?” By monitors, I then mean the digital intrusion alarm on IT networks, but also point to the digital intrusion alarm on the OT network. That, too, must be in order. We have the knowledge and expertise for that, and I’m very proud of that.
You call that monitoring and digital burglar alarms. This reminds me of the Security Monitoring seminar organized in June. Why was this particular topic chosen?
Arwi takes a short break and begins his explanation. ‘Because we have taken Security Monitoring to a mature stage after several years. We had a clear vision for our Security Monitoring solution: deliver an affordable product that is also suitable for small and medium-sized businesses and is interpretable. A product you can actually use, without having the cybersecurity specialists in-house. That product now stands like a house and this year we were able to go full throttle there on the commercial side as well. We have long-standing customers in both the public and private sectors who use it and have helped us develop it. Our Security Monitoring branch is now so mature that we can offer it big time. We sealed that with an educational and successful seminar.
After a short break, I congratulate Arwi for referring to NFIR as one of the cream of Dutch cybersecurity. In fact, NFIR works with the major cybersecurity service providers in the Netherlands. I am curious to know what this collaboration looks like and why it came about. Arwi explains this as follows:
‘As cybersecurity service providers, we are each other’s competitors and have quite a bit of overlap. But we are all also deeply focused on one thing: we would prefer to just catch crooks. Then it also makes sense to step over your shadow and collaborate and share information. There is also an efficiency gain in that. We are all on the hunt for the same information. So if we can bring those in in a unified way and I’m offered that information by a colleague, I don’t have to do it or vice versa. That does require you to be very honest with each other and trust each other. In doing so, you should also expect everyone to make equal effort. This has taken off very well this year, courtesy of the industry association Cyberveilig Nederland, and Northwave and NFIR are at the forefront of that. I am proud that as a young club we are putting so much time and energy into this collaboration.
The end of the year is also always a great time to look ahead. Looking to the future, what new developments do you see in cybersecurity and for NFIR?
‘NFIR is far from being mature. I see that we can still grow substantially in the Netherlands, but also beyond. Although it is not our core policy to expand into Europe, we now provide services in several European countries. This will continue in the coming years. But we are busy enough in the Netherlands, so we have our hands full with that for now. Autonomously, I believe we can grow to 150 staff.
And more broadly, looking at cybersecurity in general? What development do you expect in the coming year?
I see Arwi looking back on his career in the cybersecurity world. Then he says with a clear tone “the frustration that organizations need to do something about cybersecurity awareness is growing every year. I’ve been in this industry since 2006 and from that point on, year after year, I’ve had to observe that our cybersecurity foundation in the Netherlands and elsewhere is not in order. Still, I remain positive and think that is improving. I have a lot of confidence and I look forward with great pleasure. Among other things, that has to do with NIS2 that will soon become active. This is the new European legislation that will hold executives accountable if things go wrong in their company in terms of cybersecurity. I think that’s a huge stick that will make executives start asking the right questions within their organizations “do we have things in order and how do I know we have things in order?'” Therefore, I expect more testing, testing and auditing. Moreover, I expect companies to spend relevantly more money on IT. It is very strange that the most critical business process, your IT, does not have an intrusion alarm. This will really have to change in the future, but I repeat: I remain positive. ‘
And on that positive note, we end this wrap up. Here’s to a beautiful and prosperous 2023.
This interview was conducted by Isra Acherrat, project coordinator for pen testing & security awareness at NFIR.